Skip to content

[Security] Bump webpack from 5.72.1 to 5.76.2 in /frontend

Bumps webpack from 5.72.1 to 5.76.2. This update includes a security fix.

Vulnerabilities fixed

Cross-realm object access in Webpack 5 Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Patched versions: 5.76.0 Affected versions: >= 5.0.0, < 5.76.0

Release notes

Sourced from webpack's releases.

v5.76.2

Bugfixes

  • Fix bug where a missing semicolon in generated bundle output for publicPathRuntime would cause concatenated runtime errors by @​snitin315 in webpack/webpack#16811
  • Remove redundant semicolons generated in bundle runtime code after onScriptComplete function by @​ahaoboy in webpack/webpack#16347
  • Fix bug where RealContentHashPlugin was not respecting output.hashSalt's ability to cause a force recalculation of [contenthash] for emitted assets by @​dmichon-msft #16789

Performance

Developer Experience

New Contributors

Full Changelog: https://github.com/webpack/webpack/compare/v5.76.1...v5.76.2

v5.76.1

Fixed

  • Added assert/strict built-in to NodeTargetPlugin

Revert

v5.76.0

Bugfixes

Features

Security

Repo Changes

New Contributors

... (truncated)

Commits
  • dbf7bf3 5.76.2
  • 125449f Merge pull request #16830 from snitin315/fix/module-graph
  • 3943cce fix: initialize this._cacheStage in ModuleGraph constructor
  • 796b511 Merge pull request #16805 from snitin315/fix/improve-source-types
  • be54e43 Merge pull request #16811 from snitin315/fix/add-missing-semicolon
  • 976320d test: update StatsTestCases snapshots
  • 44256c2 fix: add missing semicolon in AutoPublicPathRuntimeModule
  • 9ca77a3 Merge pull request #15722 from webpack/feat/issue-15720
  • 8f1b5ff Merge pull request #16347 from ahaoboy/main
  • 0f82297 docs: fix typo in examples
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.



Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading