[Snyk] Upgrade webpack from 5.82.1 to 5.96.1

[X-oss-byte]

Snyk has created this PR to upgrade webpack from 5.82.1 to 5.96.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 24 versions ahead of your current version.

• The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Cross-site Scripting (XSS) SNYK-JS-SERIALIZEJAVASCRIPT-6147607	412	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	412	Proof of Concept

Release notes

Package name: webpack

• 5.96.1 - 2024-11-01
  

  Bug Fixes

  • [Types] Add @ types/eslint-scope to dependencieS
  • [Types] Fixed regression in validate
• 5.96.0 - 2024-10-31
  

  Bug Fixes

  • Fixed Module Federation should track all referenced chunks
  • Handle Data URI without base64 word
  • HotUpdateChunk have correct runtime when modified with new runtime
  • Order of chunks ids in generated chunk code
  • No extra Javascript chunks when using asset module as an entrypoint
  • Use optimistically logic for output.environment.dynamicImport to determine chunk format when no browserslist or target
  • Collision with global variables for optimization.avoidEntryIife
  • Avoid through variables in inlined module
  • Allow chunk template strings in output.devtoolNamespace
  • No extra runtime for get javascript/css chunk filename
  • No extra runtime for prefetch and preload in JS runtime when it was unsed in CSS
  • Avoid cache invalidation using ProgressPlugin
  • Increase parallelism when using importModule on the execution stage
  • Correctly parsing string in export and import
  • Typescript types
  • [CSS] css/auto considers a module depending on its filename as css (pure CSS) or css/local, before it was css/global and css/local
  • [CSS] Always interpolate classes even if they are not involved in export
  • [CSS] No extra runtime in Javascript runtime chunks for asset modules used in CSS
  • [CSS] No extra runtime in Javascript runtime chunks for external asset modules used in CSS
  • [CSS] No extra runtime for the node target
  • [CSS] Fixed url()s and @ import parsing
  • [CSS] Fixed - emit a warning on broken :local and :global

  New Features

  • Export CSS and ESM runtime modules
  • Single Runtime Chunk and Federation eager module hoisting
  • [CSS] Support /* webpackIgnore: true */ for CSS files
  • [CSS] Support src() support
  • [CSS] CSS nesting in CSS modules
• 5.95.0 - 2024-09-25
  

  Bug Fixes

  • Fixed hanging when attempting to read a symlink-like file that it can't read
  • Handle default for import context element dependency
  • Merge duplicate chunks call after split chunks
  • Generate correctly code for dynamically importing the same file twice and destructuring
  • Use content hash as [base] and [name] for extracted DataURI's
  • Distinguish module and import in module-import for externals import's
  • [Types] Make EnvironmentPlugin default values types less strict
  • [Types] Typescript 5.6 compatibility

  New Features

  • Add new optimization.avoidEntryIife option (true by default for the production mode)
  • Pass output.hash* options to loader context

  Performance

  • Avoid unneeded re-visit in build chunk graph
• 5.94.0 - 2024-08-22
  

  Bug Fixes

  • Added runtime condition for harmony reexport checked
  • Handle properly data/http/https protocols in source maps
  • Make bigint optimistic when browserslist not found
  • Move @ types/eslint-scope to dev deps
  • Related in asset stats is now always an array when no related found
  • Handle ASI for export declarations
  • Mangle destruction incorrect with export named default properly
  • Fixed unexpected asi generation with sequence expression
  • Fixed a lot of types

  New Features

  • Added new external type "module-import"
  • Support webpackIgnore for new URL() construction
  • [CSS] @ import pathinfo support

  Security

  • Fixed DOM clobbering in auto public path
• 5.93.0 - 2024-07-11
  

  Bug Fixes

  • Generate correct relative path to runtime chunks
  • Makes DefinePlugin quieter under default log level
  • Fixed mangle destructuring default in namespace import
  • Fixed consumption of eager shared modules for module federation
  • Strip slash for pretty regexp
  • Calculate correct contenthash for CSS generator options

  New Features

  • Added the binary generator option for asset modules to explicitly keep source maps produced by loaders
  • Added the modern-module library value for tree shakable output
  • Added the overrideStrict option to override strict or non-strict mode for javascript modules
• 5.92.1 - 2024-06-19
  

  Bug Fixes

  • Doesn't crash with an error when the css experiment is enabled and contenthash is used
• 5.92.0 - 2024-06-11
  

  Bug Fixes

  • Correct tidle range's comutation for module federation
  • Consider runtime for pure expression dependency update hash
  • Return value in the subtractRuntime function for runtime logic
  • Fixed failed to resolve promise when eager import a dynamic cjs
  • Avoid generation extra code for external modules when remapping is not required
  • The css/global type now handles the exports name
  • Avoid hashing for @ keyframe and @ property at-rules in css/global type
  • Fixed mangle with destructuring for JSON modules
  • The stats.hasWarnings() method now respects the ignoreWarnings option
  • Fixed ArrayQueue iterator
  • Correct behavior of __webpack_exports_info__.a.b.canMangle
  • Changed to the correct plugin name for the CommonJsChunkFormatPlugin plugin
  • Set the chunkLoading option to the import when environment is unknown and output is module
  • Fixed when runtimeChunk has no exports when module chunkFormat used
  • [CSS] Fixed parsing minimized CSS import
  • [CSS] URLs in CSS files now have correct public path
  • [CSS] The css module type should not allow parser to switch mode
  • [Types] Improved context module types

  New Features

  • Added platform target properties to compiler
  • Improved multi compiler cache location and validating it
  • Support import attributes spec (with keyword)
  • Support node: prefix for Node.js core modules in runtime code
  • Support prefetch/preload for module chunk format
  • Support "..." in the importsFields option for resolver
  • Root module is less prone to be wrapped in IIFE
  • Export InitFragment class for plugins
  • Export compileBooleanMatcher util for plugins
  • Export InputFileSystem and OutputFileSystem types
  • [CSS] Support the esModule generator option for CSS modules
  • [CSS] Support CSS when chunk format is module
• 5.91.0 - 2024-03-20
  

  Bug Fixes

  • Deserializer for ignored modules doesn't crash
  • Allow the unsafeCache option to be a proxy object
  • Normalize the snapshot.unmanagedPaths option
  • Fixed fs types
  • Fixed resolve's plugins types
  • Fixed wrongly calculate postOrderIndex
  • Fixed watching types
  • Output import attrbiutes/import assertions for external JS imports
  • Throw an error when DllPlugin needs to generate multiple manifest files, but the path is the same
  • [CSS] Output layer/supports/media for external CSS imports

  New Features

  • Allow to customize the stage of BannerPlugin
  • [CSS] Support CSS exports convention
  • [CSS] support CSS local ident name
  • [CSS] Support __webpack_nonce__ for CSS chunks
  • [CSS] Support fetchPriority for CSS chunks
  • [CSS] Allow to use LZW to compress css head meta (enabled in the production mode by default)
  • [CSS] Support prefetch/preload for CSS chunks
• 5.90.3 - 2024-02-19
  

  Bug Fixes

  • don't mangle when destructuring a reexport
  • types for Stats.toJson() and Stats.toString()
  • many internal types
  • [CSS] clean up export css local vars

  Perf

  • simplify and optimize chunk graph creation
• 5.90.2 - 2024-02-15
  

  Bug Fixes

  • use Math.imul in fnv1a32 to avoid loss of precision, directly hash UTF16 values
  • the setStatus() of the HMR module should not return an array, which may cause infinite recursion
  • __webpack_exports_info__.xxx.canMangle shouldn't always same as default
  • mangle export with destructuring
  • use new runtime to reconsider skipped connections activeState
  • make dynamic import optional in try/catch
  • improve auto publicPath detection

  Dependencies & Maintenance

  • improve CI setup and include Node.js@21
• 5.90.1 - 2024-02-01
• 5.90.0 - 2024-01-24
• 5.89.0 - 2023-10-13
• 5.88.2 - 2023-07-18
• 5.88.1 - 2023-06-28
• 5.88.0 - 2023-06-21
• 5.87.0 - 2023-06-14
• 5.86.0 - 2023-06-07
• 5.85.1 - 2023-06-05
• 5.85.0 - 2023-05-31
• 5.84.1 - 2023-05-25
• 5.84.0 - 2023-05-24
• 5.83.1 - 2023-05-17
• 5.83.0 - 2023-05-17
• 5.82.1 - 2023-05-10

from webpack GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Summary by Sourcery

Upgrade webpack to version 5.96.1 to address security vulnerabilities.

Bug Fixes:

• Fixed two Cross-site Scripting (XSS) vulnerabilities.

Enhancements:

• Update webpack to 5.96.1, which includes several bug fixes and performance improvements.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
requirejs-babel-czv5	❌ Failed (Inspect)			Dec 19, 2024 2:21pm

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a1e5dfe

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

Reviewer's Guide by Sourcery

This PR upgrades webpack from version 5.82.1 to 5.96.1. This upgrade fixes two medium-severity Cross-site Scripting (XSS) vulnerabilities, SNYK-JS-SERIALIZEJAVASCRIPT-6147607 and SNYK-JS-WEBPACK-7840298.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Upgrade webpack dependency	Updated the webpack dependency version from 5.82.1 to 5.96.1 in package.json. Updated package-lock.json to reflect the changes in package.json.	package.json package-lock.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!