Update dependency webpack to v5.94.0 [SECURITY]#12478
Open
renovate[bot] wants to merge 1 commit intomasterfrom
Open
Update dependency webpack to v5.94.0 [SECURITY]#12478renovate[bot] wants to merge 1 commit intomasterfrom
renovate[bot] wants to merge 1 commit intomasterfrom
Conversation
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Author
|
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
🤖 Augment PR SummarySummary: Updates Webpack to Changes:
Technical Notes / Checks:
🤖 Was this summary useful? React with 👍 or 👎 |
EntelligenceAI PR SummaryLockfile update for Storybook to align transitive dependencies with webpack 5.106.2.
Confidence Score: 4/5 - Mostly SafeSafe to merge — this is a security-focused dependency update that bumps webpack from 5.88.1 to 5.106.2 along with its transitive dependency tree, addressing known vulnerabilities. The changes are confined to lockfile and dependency manifest updates with no application logic modified. The removal of Key Findings:
Files requiring special attention
|
![augmentcode[bot]](https://avatars.githubusercontent.com/in/1027498?s=60&v=4){kind=small}
WalkthroughThis PR updates the Storybook lockfile with a broad set of dependency upgrades, centering on a major webpack bump from 5.88.1 to 5.106.2. Associated ecosystem packages are updated accordingly, including WebAssembly tooling, source-map utilities, acorn, terser, and resolve libraries. Several packages are added, replaced, or removed to align with the new webpack 5.106.2 dependency graph. Changes
Sequence DiagramThis diagram shows the interactions between components: sequenceDiagram
title Webpack Dependency Tree Upgrade (5.88.1 to 5.106.2)
participant WEBPACK as "webpack"
participant ACORN as "acorn"
participant PHASES as "acorn-import-phases"
participant SCHEMA as "schema-utils"
participant AJV as "ajv"
participant AJVF as "ajv-formats"
participant TERSER as "terser-webpack-plugin"
participant WASM as "webassemblyjs"
participant BROWSE as "browserslist"
participant ENHANCED as "enhanced-resolve"
participant TAPABLE as "tapable"
Note over WEBPACK: Upgrade: 5.88.1 to 5.106.2
WEBPACK->>ACORN: requires acorn 8.16.0 (was 8.8.0)
WEBPACK->>PHASES: requires acorn-import-phases 1.0.4
Note over PHASES: Replaces acorn-import-assertions 1.9.0
WEBPACK->>SCHEMA: requires schema-utils 4.3.3 (was 3.x)
SCHEMA->>AJV: requires ajv 8.18.0 (was 6.x)
SCHEMA->>AJVF: requires ajv-formats 2.1.1 (new)
Note over AJV: Major version bump: v6 to v8
WEBPACK->>TERSER: requires terser-webpack-plugin 5.4.0
TERSER->>SCHEMA: requires schema-utils 4.3.0
Note over TERSER: Dropped serialize-javascript dependency
WEBPACK->>WASM: requires webassemblyjs 1.14.1 (was 1.11.6)
WEBPACK->>BROWSE: requires browserslist 4.28.2 (was 4.21.3)
BROWSE->>BROWSE: caniuse-lite, electron-to-chromium, node-releases updated
WEBPACK->>ENHANCED: requires enhanced-resolve 5.20.1 (was 5.15.0)
ENHANCED->>TAPABLE: requires tapable 2.3.2 (was 2.2.1)
Note over WEBPACK, TAPABLE: Key removals: serialize-javascript, json-parse-even-better-errors (narrowed)
Note over WEBPACK: Now uses mime-db directly instead of mime-types
🔗 Cross-Repository Impact AnalysisEnable automatic detection of breaking changes across your dependent repositories. → Set up now Learn more about Cross-Repository AnalysisWhat It Does
How to Enable
Benefits
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.88.1→5.94.0Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
CVE-2024-43788 / GHSA-4vvj-4cpr-p986
More information
Details
Summary
We discovered a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animgtag with an unsanitizednameattribute) are present.We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Webpack
We identified a DOM Clobbering vulnerability in Webpack’s
AutoPublicPathRuntimeModule. When theoutput.publicPathfield in the configuration is not set or is set toauto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with
document.currentScriptcan be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, thesrcattribute of the attacker-controlled element will be used as thescriptUrland assigned to__webpack_require__.p. If additional scripts are loaded from the server,__webpack_require__.pwill be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.PoC
Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.
Consider a website developer with the following two scripts,
entry.jsandimport1.js, that are compiled using Webpack:The webpack.config.js is set up as follows:
When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the
import1.jsfile from the attacker's domain,attacker.controlled.server. The attacker only needs to insert animgtag with thenameattribute set tocurrentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.
Patch
A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174
Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
webpack/webpack (webpack)
v5.94.0Compare Source
Bug Fixes
data/http/httpsprotocols in source mapsbigintoptimistic when browserslist not foundNew Features
webpackIgnorefornew URL()construction@importpathinfo supportSecurity
v5.93.0Compare Source
Bug Fixes
DefinePluginquieter under default log levelNew Features
binarygenerator option for asset modules to explicitly keep source maps produced by loadersmodern-modulelibrary value for tree shakable outputoverrideStrictoption to override strict or non-strict mode for javascript modulesv5.92.1Compare Source
Bug Fixes
v5.92.0Compare Source
Bug Fixes
subtractRuntimefunction for runtime logiccss/globaltype now handles the exports name@keyframeand@propertyat-rules incss/globaltypestats.hasWarnings()method now respects theignoreWarningsoptionArrayQueueiterator__webpack_exports_info__.a.b.canMangleCommonJsChunkFormatPluginpluginchunkLoadingoption to theimportwhen environment is unknown and output is modulemodulechunkFormat usedcssmodule type should not allow parser to switch modeNew Features
import attributesspec (withkeyword)node:prefix for Node.js core modules in runtime codeimportsFieldsoption for resolverInitFragmentclass for pluginscompileBooleanMatcherutil for pluginsInputFileSystemandOutputFileSystemtypesesModulegenerator option for CSS modulesv5.91.0Compare Source
Bug Fixes
unsafeCacheoption to be a proxy objectsnapshot.unmanagedPathsoptionfstypeslayer/supports/mediafor external CSS importsNew Features
__webpack_nonce__for CSS chunksfetchPriorityfor CSS chunksproductionmode by default)v5.90.3Compare Source
Bug Fixes
Stats.toJson()andStats.toString()Perf
v5.90.2Compare Source
Bug Fixes
Math.imulinfnv1a32to avoid loss of precision, directly hash UTF16 valuessetStatus()of the HMR module should not return an array, which may cause infinite recursion__webpack_exports_info__.xxx.canMangleshouldn't always same as defaultactiveStatetry/catchDependencies & Maintenance
v5.90.1Compare Source
Bug Fixes
unmanagedPathsin defaultspreOrderIndexandpostOrderIndexPerformance
compareStringsNumericnumberHashusing 32-bit FNV1a for small ranges, 64-bit for largerv5.90.0Compare Source
Bug Fixes
RemoveParentModulesPluginvia bigint arithmeticServerandDirentfetchPriorityto hmr runtime'sensureChunkfunctionoutput.environment.arrowFunctionoption/*#__PURE__*/to generatedJSON.parse()amdexternals andamdlibrarySideEffectsFlagPluginwith namespace re-exportsorstrictModuleErrorHandlingis now workingNew Features
falsefor dev server inwebpack.config.jsnode-moduleoption for thenode.__filename/__dirnameand enable it by default for ESM targetsnapshot.unmanagedPathsoptionMultiCompilerOptionstypeexportsOnlyoption to CSS generator optionsDependencies & Maintenance
Full Changelog: webpack/webpack@v5.89.0...v5.90.0
v5.89.0Compare Source
New Features
Dependencies & Maintenance
Full Changelog: webpack/webpack@v5.88.2...v5.89.0
v5.88.2Compare Source
Bug Fixes
Full Changelog: webpack/webpack@v5.88.1...v5.88.2
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.