🚨 [security] Update webpack: 5.75.0 → 5.79.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack (5.75.0 → 5.79.0) · Repo

Security Advisories 🚨

🚨 Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Release Notes

5.79.0

New Features

• webpack will now support simple destructuring scenarios for treeshaking namespaced imports and DefinePlugin by @vankop in #16941

Bugfixes

• Truncate extremely long module names in DefaultStatsPrinter by @snitin315 in #16882
• Add [contenthash] template support in DllPlugin's name option by @snitin315 in #16935
• Fixed a bug where readRecords compiler hook was causing hangs in conjunction with the ReadRecordsPlugin by @snitin315 & @zookatron in #16944
• webpack can now consume ESM bundles generated by webpack's esm output support by @vankop in #15608
• [CSS] - webpack now respects CSS's case-insensitivity with atTags like @MEDIA by @alexander-akait in #16915
• [CSS] - Fixes a bug where crossOriginLoading anonymous would not work when loading styles by @chenjiahan in #16925

Developer Experience

• Fix broken links and typos found in examples by @snitin315 in #16937
• Export more Externals Option types by @snitin315 in #12774

Contributor Experience

• Add new test case for ModuleFederationPlugin usage with shareScope option by @snitin315 in #16943
• Bump core-js from 3.20.3 to 3.30.0 by @dependabot in #16905
• Update all applicable local dependencies and devDependencies by @alexander-akait in #16919, #16924, #16936, #16968
• Update to Jest 29 by @alexander-akait in #16947

New Contributors

• @chenjiahan made their first contribution in #16925
• @karlhorky made their first contribution in #16419
• @zookatron made their first contribution in #16301

Full Changelog: v5.78.0...v5.79.0

5.78.0

Features

• Implement amdContainer support for AMD libraries (Fixes #16561) by @long76 in #16562

Bugfixes

• [CSS] - Nested atRule's @media or @supports now properly are replaced with unique identifiers by @noreiller in #15812
• [CSS] - Fix bug where closing parenthesis in CSS were not properly parsed and compiled by @janlent1 in #16864
• Fix an issue where oneOf rule has been picked multiple times by @xiaoxiaojx in #16477
• Add createRequire support for node:module prefix by @alexander-akait in #16904
• Fix bug where self-referencing a package in a shared module failed by @weareoutman in #16685

Performance

• Make ErrorHelpers named functions; Add types by @TheLarkInn in #16893
• Introduce ModuleTypeConstants for plugins by @TheLarkInn in #16896
• Refactor memory footprint in string usages for multiple plugins by @TheLarkInn in #16894
• Add more module type constants, use them across codebase by @TheLarkInn in #16898

Contributor Experience

• Implement default PR Template to use GitHub Copilot for PR's integration and fix template name usage by @geromegrignon in #16890
• ci: update actions/cache to v3 by @armujahid in #16462
• webpack org Collaborators and Members now have funded GitHub Codespaces!

New Contributors

• @geromegrignon made their first contribution in #16890
• @armujahid made their first contribution in #16462
• @long76 made their first contribution in #16562
• @weareoutman made their first contribution in #16685

Full Changelog: v5.77.0...v5.78.0

5.77.0

New Features

• Add a new output option, output.workerPublicPath by @thomastay in #16671

Developer Experience

• Improve resolve.extensions error message to suggest when "." is missing before the extension by @snitin315 in #16807

Contributor Experience

• Enable GitHub Copilot for PR's into default Pull Request Template by @TheLarkInn in #16881

New Contributors

• @thomastay made their first contribution in #16671

Full Changelog: v5.76.3...v5.77.0

5.76.3

Bugfixes

• Non-javascript files will correctly not be imported when using experiments.outputModule (ES Module Output) by @snitin315 in #16809
• Limit console output progress bar length to 40 when no columns provided by @snitin315 in #16810
• Add missing NodeJS Builtin Modules support for inspector/promises, readline/promises, and stream/consumers by @ShenHongFei in #16841
• webpack bin/cli now properly respects NODE_PATH env variable by @snitin315 in #16808
• Improve typos in resolveResourceErrorHints by @snitin315 in #16806
• Add missing loaders token support to moduleFilenameTemplate function call by @pgoldberg in #16756
• Add gaurd condition for enabledLibraryTypes in internal ContainerPlugin by @PengBoUESTC in #16635

New Contributors

• @ShenHongFei made their first contribution in #16841
• @pgoldberg made their first contribution in #16756
• @PengBoUESTC made their first contribution in #16635

Full Changelog: v5.76.2...v5.76.3

5.76.2

Bugfixes

• Fix bug where a missing semicolon in generated bundle output for publicPathRuntime would cause concatenated runtime errors by @snitin315 in #16811
• Remove redundant semicolons generated in bundle runtime code after onScriptComplete function by @ahaoboy in #16347
• Fix bug where RealContentHashPlugin was not respecting output.hashSalt's ability to cause a force recalculation of [contenthash] for emitted assets by @dmichon-msft #16789

Performance

• Improve memory and runtime performance of sourcemaps via hoisting Regular Expression literals to stored variables by @TheLarkInn in #15722
• Correct v8 deoptimization in ModuleGraph due to instance property declarations occurring outside of constructor by @snitin315 in #16830

Developer Experience

• Improved internal typings to match webpack-sources typings for Source instances by @snitin315 in #16805
• Update repo examples to include missing quotation by @snitin315 in #16812

New Contributors

• @ahaoboy made their first contribution in #16347

Full Changelog: v5.76.1...v5.76.2

5.76.1

Fixed

• Added assert/strict built-in to NodeTargetPlugin

Revert

• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

5.76.0

Bugfixes

• Avoid cross-realm object access by @Jack-Works in #16500
• Improve hash performance via conditional initialization by @lvivski in #16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @ryanwilsonperkin in #16703
• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

Features

• add target to LoaderContext type by @askoufis in #16781

Security

• CVE-2022-37603 fixed by @akhilgkrishnan in #16446

Repo Changes

• Fix HTML5 logo in README by @jakebailey in #16614
• Replace TypeScript logo in README by @jakebailey in #16613
• Update actions/cache dependencies by @piwysocki in #16493

New Contributors

• @Jack-Works made their first contribution in #16500
• @lvivski made their first contribution in #16491
• @jakebailey made their first contribution in #16614
• @akhilgkrishnan made their first contribution in #16446
• @ryanwilsonperkin made their first contribution in #16703
• @piwysocki made their first contribution in #16493
• @askoufis made their first contribution in #16781

Full Changelog: v5.75.0...v5.76.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)