[Snyk] Upgrade webpack from 5.82.1 to 5.95.0

[X-oss-byte]

Snyk has created this PR to upgrade webpack from 5.82.1 to 5.95.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 22 versions ahead of your current version.

• The recommended version was released on a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	412	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	412	Proof of Concept

Release notes

Package name: webpack

• 5.95.0 - 2024-09-25
  

  Bug Fixes

  • Fixed hanging when attempting to read a symlink-like file that it can't read
  • Handle default for import context element dependency
  • Merge duplicate chunks call after split chunks
  • Generate correctly code for dynamically importing the same file twice and destructuring
  • Use content hash as [base] and [name] for extracted DataURI's
  • Distinguish module and import in module-import for externals import's
  • [Types] Make EnvironmentPlugin default values types less strict
  • [Types] Typescript 5.6 compatibility

  New Features

  • Add new optimization.avoidEntryIife option (true by default for the production mode)
  • Pass output.hash* options to loader context

  Performance

  • Avoid unneeded re-visit in build chunk graph
• 5.94.0 - 2024-08-22
  

  Bug Fixes

  • Added runtime condition for harmony reexport checked
  • Handle properly data/http/https protocols in source maps
  • Make bigint optimistic when browserslist not found
  • Move @ types/eslint-scope to dev deps
  • Related in asset stats is now always an array when no related found
  • Handle ASI for export declarations
  • Mangle destruction incorrect with export named default properly
  • Fixed unexpected asi generation with sequence expression
  • Fixed a lot of types

  New Features

  • Added new external type "module-import"
  • Support webpackIgnore for new URL() construction
  • [CSS] @ import pathinfo support

  Security

  • Fixed DOM clobbering in auto public path
• 5.93.0 - 2024-07-11
  

  Bug Fixes

  • Generate correct relative path to runtime chunks
  • Makes DefinePlugin quieter under default log level
  • Fixed mangle destructuring default in namespace import
  • Fixed consumption of eager shared modules for module federation
  • Strip slash for pretty regexp
  • Calculate correct contenthash for CSS generator options

  New Features

  • Added the binary generator option for asset modules to explicitly keep source maps produced by loaders
  • Added the modern-module library value for tree shakable output
  • Added the overrideStrict option to override strict or non-strict mode for javascript modules
• 5.92.1 - 2024-06-19
  

  Bug Fixes

  • Doesn't crash with an error when the css experiment is enabled and contenthash is used
• 5.92.0 - 2024-06-11
  

  Bug Fixes

  • Correct tidle range's comutation for module federation
  • Consider runtime for pure expression dependency update hash
  • Return value in the subtractRuntime function for runtime logic
  • Fixed failed to resolve promise when eager import a dynamic cjs
  • Avoid generation extra code for external modules when remapping is not required
  • The css/global type now handles the exports name
  • Avoid hashing for @ keyframe and @ property at-rules in css/global type
  • Fixed mangle with destructuring for JSON modules
  • The stats.hasWarnings() method now respects the ignoreWarnings option
  • Fixed ArrayQueue iterator
  • Correct behavior of __webpack_exports_info__.a.b.canMangle
  • Changed to the correct plugin name for the CommonJsChunkFormatPlugin plugin
  • Set the chunkLoading option to the import when environment is unknown and output is module
  • Fixed when runtimeChunk has no exports when module chunkFormat used
  • [CSS] Fixed parsing minimized CSS import
  • [CSS] URLs in CSS files now have correct public path
  • [CSS] The css module type should not allow parser to switch mode
  • [Types] Improved context module types

  New Features

  • Added platform target properties to compiler
  • Improved multi compiler cache location and validating it
  • Support import attributes spec (with keyword)
  • Support node: prefix for Node.js core modules in runtime code
  • Support prefetch/preload for module chunk format
  • Support "..." in the importsFields option for resolver
  • Root module is less prone to be wrapped in IIFE
  • Export InitFragment class for plugins
  • Export compileBooleanMatcher util for plugins
  • Export InputFileSystem and OutputFileSystem types
  • [CSS] Support the esModule generator option for CSS modules
  • [CSS] Support CSS when chunk format is module
• 5.91.0 - 2024-03-20
  

  Bug Fixes

  • Deserializer for ignored modules doesn't crash
  • Allow the unsafeCache option to be a proxy object
  • Normalize the snapshot.unmanagedPaths option
  • Fixed fs types
  • Fixed resolve's plugins types
  • Fixed wrongly calculate postOrderIndex
  • Fixed watching types
  • Output import attrbiutes/import assertions for external JS imports
  • Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same
  • [CSS] Output layer/supports/media for external CSS imports

  New Features

  • Allow to customize the stage of BannerPlugin
  • [CSS] Support CSS exports convention
  • [CSS] support CSS local ident name
  • [CSS] Support __webpack_nonce__ for CSS chunks
  • [CSS] Support fetchPriority for CSS chunks
  • [CSS] Allow to use LZW to compress css head meta (enabled in the production mode by default)
  • [CSS] Support prefetch/preload for CSS chunks
• 5.90.3 - 2024-02-19
  

  Bug Fixes

  • don't mangle when destructuring a reexport
  • types for Stats.toJson() and Stats.toString()
  • many internal types
  • [CSS] clean up export css local vars

  Perf

  • simplify and optimize chunk graph creation
• 5.90.2 - 2024-02-15
  

  Bug Fixes

  • use Math.imul in fnv1a32 to avoid loss of precision, directly hash UTF16 values
  • the setStatus() of the HMR module should not return an array, which may cause infinite recursion
  • __webpack_exports_info__.xxx.canMangle shouldn't always same as default
  • mangle export with destructuring
  • use new runtime to reconsider skipped connections activeState
  • make dynamic import optional in try/catch
  • improve auto publicPath detection

  Dependencies & Maintenance

  • improve CI setup and include Node.js@21
• 5.90.1 - 2024-02-01
  

  Bug Fixes

  • set unmanagedPaths in defaults
  • correct preOrderIndex and postOrderIndex
  • add fallback for MIME mismatch error in async wasm loading
  • browsers versions of ECMA features

  Performance

  • optimize compareStringsNumeric
  • optimize numberHash using 32-bit FNV1a for small ranges, 64-bit for larger
  • reuse VM context across webpack magic comments
• 5.90.0 - 2024-01-24
  

  Bug Fixes

  • Fixed inner graph for classes
  • Optimized RemoveParentModulesPlugin via bigint arithmetic
  • Fixed worklet detection in production mode
  • Fixed an error for cyclic importModule
  • Fixed types for Server and Dirent
  • Added the fetchPriority to hmr runtime's ensureChunk function
  • Don't warn about dynamic import for build dependencies
  • External module generation respects the output.environment.arrowFunction option
  • Fixed consumimng shared runtime module logic
  • Fixed a runtime logic of multiple chunks
  • Fixed destructing assignment of dynamic import json file
  • Passing errors array for a module hash
  • Added /*#__PURE__*/ to generated JSON.parse()
  • Generated a library manifest after clean plugin
  • Fixed non amd externals and amd library
  • Fixed a bug in SideEffectsFlagPlugin with namespace re-exports
  • Fixed an error message for condition or
  • The strictModuleErrorHandling is now working
  • Clean up child compilation chunk graph to avoid memory leak
  • [CSS] - Fixed CSS import prefer relative resolution
  • [CSS] - Fixed CSS runtime chunk loading error message

  New Features

  • Allow to set false for dev server in webpack.config.js
  • Added a warning for async external when not supported
  • Added a warning for async module when not supported
  • Added the node-module option for the node.__filename/__dirname and enable it by default for ESM target
  • Added the snapshot.unmanagedPaths option
  • Exposed the MultiCompilerOptions type
  • [CSS] - Added CSS parser options to enable/disable named exports
  • [CSS] - Moved CSS the exportsOnly option to CSS generator options

  Dependencies & Maintenance

  • use node.js LTS version for lint
  • bump actions/cache from 3 to 4
  • bump prettier from 3.2.1 to 3.2.3
  • bump assemblyscript
  • bump actions/checkout from 3 to 4

  Full Changelog: v5.89.0...v5.90.0

• 5.89.0 - 2023-10-13
• 5.88.2 - 2023-07-18
• 5.88.1 - 2023-06-28
• 5.88.0 - 2023-06-21
• 5.87.0 - 2023-06-14
• 5.86.0 - 2023-06-07
• 5.85.1 - 2023-06-05
• 5.85.0 - 2023-05-31
• 5.84.1 - 2023-05-25
• 5.84.0 - 2023-05-24
• 5.83.1 - 2023-05-17
• 5.83.0 - 2023-05-17
• 5.82.1 - 2023-05-10

from webpack GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Build:

• Upgrade webpack from version 5.82.1 to 5.95.0 to address security vulnerabilities and improve performance.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
requirejs-babel-czv5	❌ Failed (Inspect)			Nov 5, 2024 5:10pm

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: cdc4dcd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR upgrades webpack from version 5.82.1 to 5.95.0 to address two medium severity Cross-site Scripting (XSS) vulnerabilities. The upgrade includes multiple bug fixes, performance improvements, and new features across 22 versions.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Security vulnerabilities patched	Fixed Cross-site Scripting (XSS) vulnerability in serialize-javascript Fixed Cross-site Scripting (XSS) vulnerability in webpack	package.json package-lock.json
Bug fixes and stability improvements	Fixed hanging when reading symlink-like files Fixed code generation for duplicate dynamic imports Improved handling of import context dependencies Fixed TypeScript 5.6 compatibility issues Fixed DOM clobbering in auto public path	package.json package-lock.json
New features and optimizations	Added optimization.avoidEntryIife option Added support for import attributes spec Improved CSS module handling and exports Added support for prefetch/preload in module chunk format Enhanced performance in chunk graph creation	package.json package-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!