Update dependency webpack to v5.76.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
webpack	5.72.1 → 5.76.0

---

Cross-realm object access in Webpack 5

CVE-2023-28154 / GHSA-hc6q-2mpp-qw7j

More information

Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-28154
• https://github.com/webpack/webpack/pull/16500
• https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D/
• https://github.com/advisories/GHSA-hc6q-2mpp-qw7j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

webpack/webpack (webpack)

v5.76.0

Compare Source

Bugfixes

• Avoid cross-realm object access by @​Jack-Works in #​16500
• Improve hash performance via conditional initialization by @​lvivski in #​16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @​ryanwilsonperkin in #​16703
• Improve performance of hashRegExp lookup by @​ryanwilsonperkin in #​16759

Features

• add target to LoaderContext type by @​askoufis in #​16781

Security

• CVE-2022-37603 fixed by @​akhilgkrishnan in #​16446

Repo Changes

• Fix HTML5 logo in README by @​jakebailey in #​16614
• Replace TypeScript logo in README by @​jakebailey in #​16613
• Update actions/cache dependencies by @​piwysocki in #​16493

New Contributors

• @​Jack-Works made their first contribution in #​16500
• @​lvivski made their first contribution in #​16491
• @​jakebailey made their first contribution in #​16614
• @​akhilgkrishnan made their first contribution in #​16446
• @​ryanwilsonperkin made their first contribution in #​16703
• @​piwysocki made their first contribution in #​16493
• @​askoufis made their first contribution in #​16781

Full Changelog: webpack/webpack@v5.75.0...v5.76.0

v5.75.0

Compare Source

Bugfixes

• experiments.* normalize to false when opt-out
• avoid NaN%
• show the correct error when using a conflicting chunk name in code
• HMR code tests existance of window before trying to access it
• fix eval-nosources-* actually exclude sources
• fix race condition where no module is returned from processing module
• fix position of standalong semicolon in runtime code

Features

• add support for @import to extenal CSS when using experimental CSS in node
• add i64 support to the deprecated WASM implementation

Developer Experience

• expose EnableWasmLoadingPlugin
• add more typings
• generate getters instead of readonly properties in typings to allow overriding them

v5.74.0

Compare Source

Features

• add resolve.extensionAlias option which allows to alias extensions
  • This is useful when you are forced to add the .js extension to imports when the file really has a .ts extension (typescript + "type": "module")
• add support for ES2022 features like static blocks
• add Tree Shaking support for ProvidePlugin

Bugfixes

• fix persistent cache when some build dependencies are on a different windows drive
• make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
• remove left-over from debugging in TLA/async modules runtime code
• remove unneeded extra 1s timestamp offset during watching when files are actually untouched
  • This sometimes caused an additional second build which are not really needed
• fix shareScope option for ModuleFederationPlugin
• set "use-credentials" also for same origin scripts

Performance

• Improve memory usage and performance of aggregating needed files/directories for watching
  • This affects rebuild performance

Extensibility

• export HarmonyImportDependency for plugins

v5.73.0

Compare Source

Features

• add options for default dynamicImportMode and prefetch and preload
• add support for import { createRequire } from "module" in source code

Bugfixes

• fix code generation of e. g. return"field"in Module
• fix performance of large JSON modules
• fix performance of async modules evaluation

Developer Experience

• export PathData in typings
• improve error messages with more details

---

Configuration

📅 Schedule: (in timezone Japan)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.