🚨 Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

5.76.1

Fixed

• Added assert/strict built-in to NodeTargetPlugin

Revert

• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

5.76.0

Bugfixes

• Avoid cross-realm object access by @Jack-Works in #16500
• Improve hash performance via conditional initialization by @lvivski in #16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @ryanwilsonperkin in #16703
• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

Features

• add target to LoaderContext type by @askoufis in #16781

Security

• CVE-2022-37603 fixed by @akhilgkrishnan in #16446

Repo Changes

• Fix HTML5 logo in README by @jakebailey in #16614
• Replace TypeScript logo in README by @jakebailey in #16613
• Update actions/cache dependencies by @piwysocki in #16493

New Contributors

• @Jack-Works made their first contribution in #16500
• @lvivski made their first contribution in #16491
• @jakebailey made their first contribution in #16614
• @akhilgkrishnan made their first contribution in #16446
• @ryanwilsonperkin made their first contribution in #16703
• @piwysocki made their first contribution in #16493
• @askoufis made their first contribution in #16781

Full Changelog: v5.75.0...v5.76.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 41 commits:

• Merge pull request #16804 from webpack/chore-patch-release
• chore(release): 5.76.1
• Merge pull request #16803 from ryanwilsonperkin/revert-16759-real-content-hash-regex-perf
• Revert "Improve performance of hashRegExp lookup"
• Merge pull request #16766 from piranna/patch-1
• Merge pull request #16789 from dmichon-msft/contenthash-hashsalt
• Merge pull request #16792 from webpack/update-version
• chore(release): 5.76.0
• Merge pull request #16781 from askoufis/loader-context-target-type
• Merge pull request #16759 from ryanwilsonperkin/real-content-hash-regex-perf
• Respect output.hashSalt in RealContentHashPlugin
• Merge pull request #16493 from piwysocki/patch-1
• feat: Add `target` to `LoaderContext` type
• Merge pull request #16703 from ryanwilsonperkin/ryanwilsonperkin/fix-16160
• Merge branch 'webpack:main' into patch-1
• Merge pull request #16446 from akhilgkrishnan/patch-1
• Merge pull request #16613 from jakebailey/ts-logo
• Merge pull request #16614 from jakebailey/html5-logo
• Added `assert/strict` built-in
• Improve performance of hashRegExp lookup
• Add test for behaviour of filesystem-cached assets with loaders
• lint: remove trailing comma
• Serialize code generator data to support generated assets
• Merge pull request #16491 from lvivski/main
• Fix formatting
• Fix formatting
• Fix HTML5 logo in README
• Replace TypeScript logo in README
• Merge branch 'webpack:main' into patch-1
• Merge pull request #16500 from Jack-Works/avoid-cross-realm-object
• fix: type error
• chore: revert breaking change
• update dts
• fix: test fail
• fix: remove extra change
• fix: avoid cross-realm objects
• ci: test workflow - bump actions/cache
• Initialize hash conditionally
• Yarn lint issue fix
• Yarn lock updated
• Merge branch 'webpack:main' into patch-1

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)