chore(deps): update dependency webpack to v5.76.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack	5.50.0 -> 5.76.0

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

---

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

• Avoid cross-realm object access by @​Jack-Works in https://github.com/webpack/webpack/pull/16500
• Improve hash performance via conditional initialization by @​lvivski in https://github.com/webpack/webpack/pull/16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @​ryanwilsonperkin in https://github.com/webpack/webpack/pull/16703
• Improve performance of hashRegExp lookup by @​ryanwilsonperkin in https://github.com/webpack/webpack/pull/16759

Features

• add target to LoaderContext type by @​askoufis in https://github.com/webpack/webpack/pull/16781

Security

• CVE-2022-37603 fixed by @​akhilgkrishnan in https://github.com/webpack/webpack/pull/16446

Repo Changes

• Fix HTML5 logo in README by @​jakebailey in https://github.com/webpack/webpack/pull/16614
• Replace TypeScript logo in README by @​jakebailey in https://github.com/webpack/webpack/pull/16613
• Update actions/cache dependencies by @​piwysocki in https://github.com/webpack/webpack/pull/16493

New Contributors

• @​Jack-Works made their first contribution in https://github.com/webpack/webpack/pull/16500
• @​lvivski made their first contribution in https://github.com/webpack/webpack/pull/16491
• @​jakebailey made their first contribution in https://github.com/webpack/webpack/pull/16614
• @​akhilgkrishnan made their first contribution in https://github.com/webpack/webpack/pull/16446
• @​ryanwilsonperkin made their first contribution in https://github.com/webpack/webpack/pull/16703
• @​piwysocki made their first contribution in https://github.com/webpack/webpack/pull/16493
• @​askoufis made their first contribution in https://github.com/webpack/webpack/pull/16781

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

• experiments.* normalize to false when opt-out
• avoid NaN%
• show the correct error when using a conflicting chunk name in code
• HMR code tests existance of window before trying to access it
• fix eval-nosources-* actually exclude sources
• fix race condition where no module is returned from processing module
• fix position of standalong semicolon in runtime code

Features

• add support for @import to extenal CSS when using experimental CSS in node
• add i64 support to the deprecated WASM implementation

Developer Experience

• expose EnableWasmLoadingPlugin
• add more typings
• generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

• add resolve.extensionAlias option which allows to alias extensions
  • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
• add support for ES2022 features like static blocks
• add Tree Shaking support for ProvidePlugin

Bugfixes

• fix persistent cache when some build dependencies are on a different windows drive
• make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
• remove left-over from debugging in TLA/async modules runtime code
• remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  • This sometimes caused an additional second build which are not really needed
• fix shareScope option for ModuleFederationPlugin
• set "use-credentials" also for same origin scripts

Performance

• Improve memory usage and performance of aggregating needed files/directories for watching
  • This affects rebuild performance

Extensibility

• export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

• add options for default dynamicImportMode and prefetch and preload
• add support for import { createRequire } from "module" in source code

Bugfixes

• fix code generation of e. g. return"field"in Module
• fix performance of large JSON modules
• fix performance of async modules evaluation

Developer Experience

• export PathData in typings
• improve error messages with more details

v5.72.1

Compare Source

Bugfixes

• fix __webpack_nonce__ with HMR
• fix in operator in some cases
• fix json parsing error messages
• fix module concatenation with using this.importModule
• upgrade enhanced-resolve

v5.72.0

Compare Source

Features

• make cache warnings caused by build errors less verbose
• Allow banner to be placed as a footer with the BannerPlugin
• allow to concatenate asset modules

Bugfixes

• fix RemoteModules when using HMR (Module Federation + HMR)
• throw error when using module concatenation and cacheUnaffected
• fix in operator with nested exports

v5.71.0

Compare Source

Features

• choose smarter default for uniqueName when using a output.library which includes placeholders
• add support for expressions with in of a imported binding
• generate UMD code with arrow functions when possible

Bugfixes

• fix source map source names for ContextModule to be relative
• fix chunkLoading option in module module
• fix edge case where evaluateExpression returns null
• retain optional chaining in imported bindings
• include runtime code for the base URI even if not using chunk loading
• don't throw errors in persistent caching when importing node.js builtin modules via ESM
• fix crash when using lazy-once Context modules
• improve handling of context modules with multiple contexts
• fix race condition HMR chunk loading when importing chunks during HMR updating
• handle errors in runAsChild callback

v5.70.0

Compare Source

Features

• update node.js version constraints for ESM support
• add baseUri to entry options to configure a static base uri (the base of new URL())
• alphabetically sort exports in namespace objects when possible
• add __webpack_exports_info__.name.canMangle
• add proxy support to experiments.buildHttp
• import.meta.webpackContext as ESM alternative to require.context
• handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

Bugfixes

• fix problem when assigning global to a variable
• fix crash when using experiments.outputModule and loaderContext.importModule with multiple chunks
• avoid generating progress output before the compilation has started (ProgressPlugin)
• fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
• include the asset module filename in hashing
• output.clean will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

Performance

• fix asset caching when using the BannerPlugin

Developer Experience

• improve typings

Contributing

• capture caching errors when running the test suite

v5.69.1

Compare Source

Revert

• revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

v5.69.0

Compare Source

Features

• automatically switch to an ESM compatible environment when enabling ESM output mode
• handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module
• add util/types to node.js built-in modules
• add __webpack_exports_info__.<name>.canMangle api

Bugfixes

• fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
• avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
• fix handling of whitespaces in semver ranges when using Module Federation
• avoid generating hashes which contain only numbers as they likely conflict with module ids
• fix resource name based placeholders for data uris
• fix cache serialization for context elements
• fix passing of stage option when instrumenting plugins for the ProfilingPlugin
• fix tracking of declarations in concatenated modules to avoid conflicts
• fix unstable mangling of exports
• fix handling of # in paths of loaders
• avoid unnecessary cache update when using experiments.buildHttp

Contributing

• update typescript and jest

Developer Experience

• expose some additional typings for usage in webpack-cli

v5.68.0

Compare Source

Features

• allow to disable compile time evaluation of import.meta.url
• add __webpack_module__ and __webpack_module__.id to the api

Bugfixes

• fix handling of errors thrown in async modules

v5.67.0

Compare Source

Features

• add 'outputPath' configuration option for resource asset modules
• support Trusted Types in eval source maps
• experiments.css
  • allow to generate only exports for css in node
  • add SyncModuleIdsPlugin to sync module ids between server and client compilation
  • add more options to the DeterministicModuleIdsPlugin to allow to generate equal ids

Developer Experience

• limit data url module name in stats printer
• allow specific description for CLI options
• improve space limiting algorithm in stats printing to show partial lists
• add null to errors in callbacks
• fix call signature types of addChunkInGroup

Bugfixes

• avoid reporting non-existant package.jsons as dependencies
• experiments.css
  • fix missing css runtime when only initial css is used
  • fix css hmr support
  • bugfixes to css modules
• fix cache serialization for CreateScriptUrlDependency
• fix data url content when processed by a loader
• fix regexp in identifiers that include |
• fix ProfilingPlugin for watch scenarios
• add layer to module names and identifiers
  • this avoid random module id changes when additional modules are added to another layer
• provide hashFunction parameter to DependencyTemplates to allow customizing it there
• fix HMR when experiments.lazyCompilation is enabled
• store url as Buffer to avoid serialization warnings
• exclude webpack-hot-middleware/client from lazy compilation

Contributing

• remove travis configuration
• improve spell checking

v5.66.0

Compare Source

Features

• add output.library.type: "commonjs-static" to emit a statically analyse-able commonjs module (for node.js esm interop support)
• add experiments.css (very experimental)
  • see https://github.com/webpack/webpack/issues/14893

Bugfixes

• fix CORS headers for experiments.lazyCompilation
• fix [absolute-resource-path] for SourceMap module naming
• avoid stack overflow when accessing many memory cached cache values in series

Performance

• reduce default watchOptions.aggregateTimeout to 20ms

v5.65.0

Compare Source

Features

• static evaluation understands undefined now
• reduce container entry code by a few chars
• use template literals when available and they make sense

Bugfixes

• handle singleton flag without requiredVersion in Module Federation
• upgrade watchpack for context time info bugfix

Performance

• improve RegExp in error message formating for non-quadratic performance

Developer Experience

• automatically insert brackets when output.globalObject contains a non-trival expression
• show error when using script type external with invalid syntax
• expose types for Resolver, StatsOptions and ResolvePluginInstance

Preparations for the future

• hashDigestLength will default to 16 in webpack 6 (experiments.futureDefaults)

v5.64.4

Compare Source

Bugfixes

• fix tagged template literal evaluation
• fix ModuleFederation with ESM
• fix outputModule with intial splitChunks

Performance

• upgrade watchpack for faster watcher updating
• track file and directory timestamps separately in watchpack and webpack

Developer Experience

• show origin of singleton shared module in mismatch warning

v5.64.3

Compare Source

Performance

• allow to use pre-compiled schema when Infinity is used in configuration
• allow to use pre-compiled schema for configuration arrays

v5.64.2

Compare Source

Bugfixes

• avoid double initial compilation due to invalid dependencies with managedPaths

v5.64.1

Compare Source

Bugfixes

• fix regexp in managedPaths to exclude additional slash
• make module.accept errorHandler optional in typings
• correctly create an async chunk when using a require(...).property in require.ensure
• fix cleaning of symlinks in output.clean: true
• fix change detection with unsafeCache within managedPaths (node_modules)
• bump webpack-sources for Stack Overflow bugfix

v5.64.0

Compare Source

Features

• add asyncChunks: boolean option to disable creation of async chunks

Bugfixes

• fix ProfilingPlugin for experiments.backCompat: false

Performance

• avoid running regexp twice over the file list

v5.63.0

Compare Source

Features

• allow passing chunkLoading: false to disable on-demand loading

Bugfixes

• fix import 'single-quote' in esm build dependencies

v5.62.2

Compare Source

Bugfixes

• fix __system_context__ injection when using the library option on entrypoint
• enable exportsPresence: "error" by default in futureDefaults
• fix bad performance for a RegExp in Stats printing (with large error messages)
• fix exportPresence -> exportsPresence typo
• fix a bug with module invalidation when only module id changes with experiments.cacheUnaffected

v5.62.1

Compare Source

Bugfix

• fix invalid generated code when omitting ;

v5.62.0

Compare Source

Features

• add options to configure export presence checking
  • parser.javascript.reexportExportsPresence: false allows to disable warnings for non-existing exports during the migration from export ... from "..." to export type ... from "..." for type reexports in TypeScript
• add experiments.backCompat: false to disable some expensive deprecations for better performance

Bugfixes

• use ['catch'] instead of .catch for better ES3 support
• fix removed parentheses when using new (require("...")).Something()
• fix { require } object literals
• splitChunks.chunks option is now correctly used for splitChunks.fallbackCacheGroup.maxSize too
• fix schema of listen option, allow to omit port
• add better support for Promises from different isolates

Developer Experience

• add typings for the webpack API that is available within modules
  • use /// <reference types="webpack/module" /> to use the typings in typescript modules
  • or "types": [..., "webpack/module"] in tsconfig

v5.61.0

Compare Source

Bugfixes

• use a wasm md4 implementation for node 17 support
• include the path submodules in the node.js default externals

Performance

• improve string to binary conversion performance for hashing

Contribution

• CI runs on node.js 17

v5.60.0

Compare Source

Features

• Allow to pass more options to experiments.lazyCompilation. e. g. port, https stuff

Bugfixes

• fix output.hashFunction used to persistent caching too
• Initialize buildDependencies Set correctly when loaders are added in beforeLoaders hook

v5.59.1

Compare Source

Bugfixes

• fix regexp in managedPaths
• fix hanging when trying to write lockfile for experiments.buildHttp

v5.59.0

Compare Source

Features

• add /*#__PURE__*/ for Object() in generated code
• add RegExp and function support for managed/immutablePaths
• add hooks for multiple phases in module build
• improvements to experiments.buildHttp
  • allow to share cache
  • add allowlist
• add splitChunks.minSizeReduction option

Bugfixes

• fix memory caching for Data URLs
• fix crash in waitFor when modules are unsafe cached
• fix bug in build cycle detection

v5.58.2

Compare Source

Bugfixes

• fix serialization context passed
• fix a bug which caused module duplication when using persistent caching, unsafe cache and memory cache with GC
• fix validation of snapshots of non-existing directories

Performance

• store a hash in first bits of bigint to workaround v8 hashing: https://github.com/v8/v8/blob/b704bc0958e2e26305a68e89d215af1aee011148/src/objects/bigint.h#L192-L195

v5.58.1

Compare Source

Bugfixes

• fix .webpack[] suffix to not execute rules
• revert performance optimization that has too large memory usage in large builds

v5.58.0

Compare Source

Features

• add hook for readResource
• add diagnostics_channel to node builtins

Performance

• improve chunk graph creation performance
  • add cacheUnaffected cache support
• remove some caching that makes not difference
• improve splitChunks performance
• improve chunk conditions performance

v5.57.1

Compare Source

Bugfix

• fix experiments.cacheUnaffected which broke by last release

v5.57.0

Compare Source

Performance

• reduce number of hash.update calls
• allow ExternalModules to be unsafe cached
• improve hashing performance of module lists (StringXor)

Bugfixes

• experiments.cacheUnaffected
  • handle module/chunk id changes correctly
  • cache modules with async blocks
  • show errors when using incompatible options

v5.56.1

Compare Source

Bugfix

• DefinePlugin: fix conflict with older variants of the plugin

v5.56.0

Compare Source

Performance

• make DefinePlugin rebuild check more efficient performance and memory wise

v5.55.1

Compare Source

Bugfixes

• fixes for experiments.cacheUnaffected
  • fix accidentically shared mem caches
  • avoid RuntimeSpecMap in favor of directly setting on memCache
  • compare references modules when restoring mem cache

v5.55.0

Compare Source

Performance

• experiments.cacheUnaffected
  • reduce cache memory usage
  • make memCache per module
  • cache ESM reexport computation
• module.unsafeCache
  • make it faster by moving it to Compilation-level instead of in NormalModuleFactory
  • omit tracking resolve dependencies since they are not used when unsafe cache is enabled
• module graph
  • lazy assign ModuleGraphConnections to Dependencies since that is only accessed when uncached

v5.54.0

Compare Source

Features

• improve constant folding to allow to skip more branches for && || and ??
• allow all hashing using in webpack to be configured with output.hashFunction
• no longer bailout completely from inner graph analysis when eval is used in a module

Bugfixes

• force bump enhanced-resolve for bugfixes

Performance

• reduce number of allocation when creating snapshots
• add output.hashFunction: "xxhash64" for a super fast wasm based hash function
• improve utf-8 conversion when serializing short strings
• improve hashing performance for dependencies
• add experiments.cacheUnaffected which caches computations for modules that are unchanged and reference only unchanged modules

v5.53.0

Compare Source

Features

• add node.__dirname/__filename: "warn-mock" which warns on usage (will be enabled in webpack 6 by default)

Bugfixes

• add stream/web to Node.js externals
• fix IgnorePluginSchema
• fix builds with persistent caching taking 1 minute to build at least

Experiments

• add experiments.futureDefaults to enable defaults for webpack 6

v5.52.1

Compare Source

Performance

• split fresh created persistent cache files by time to avoid creating very large files

v5.52.0

Compare Source

Feature

• experiments.executeModule is enabled by default and the option is removed
  • loaders are now free to use this.importModule

Bugfixes

• fix generated __WEBPACK_EXTERNAL_MODULE_null__, which leads to merged externals
• .webpack[...] extension is not part of matching and module name

v5.51.2

Compare Source

Bugfixes

• fix crash in FileSystemInfo when errors occur
• avoid property access of reserved properties
• fix reexports from async modules
• automatically close an active watching when closing the compiler
• when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime moduel to full hash mode too
  • fixes a bug where [contenthash] is undefined when using new Worker

v5.51.1

Compare Source

Bugfixes

• library: "module" propages top-level-await correctly
• fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
• fix some context-dependent logic in concatenated modules and source url handling

v5.51.0

Compare Source

Bugfixes

• correctly keep chunk loading state when the chunk loading logic is HMR updated
  • This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
• track and resolve symlinks for filesystem snapshotting
  • This fixes some cases of circular yarn linking of dependencies.
  • It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
• pass the resulting module in the callbacks of Compilation.addModuleChain and Compilation.addModuleTree

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.