🚨 Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

5.76.2

Bugfixes

• Fix bug where a missing semicolon in generated bundle output for publicPathRuntime would cause concatenated runtime errors by @snitin315 in #16811
• Remove redundant semicolons generated in bundle runtime code after onScriptComplete function by @ahaoboy in #16347
• Fix bug where RealContentHashPlugin was not respecting output.hashSalt's ability to cause a force recalculation of [contenthash] for emitted assets by @dmichon-msft #16789

Performance

• Improve memory and runtime performance of sourcemaps via hoisting Regular Expression literals to stored variables by @TheLarkInn in #15722
• Correct v8 deoptimization in ModuleGraph due to instance property declarations occurring outside of constructor by @snitin315 in #16830

Developer Experience

• Improved internal typings to match webpack-sources typings for Source instances by @snitin315 in #16805
• Update repo examples to include missing quotation by @snitin315 in #16812

New Contributors

• @ahaoboy made their first contribution in #16347

Full Changelog: v5.76.1...v5.76.2

5.76.1

Fixed

• Added assert/strict built-in to NodeTargetPlugin

Revert

• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

5.76.0

Bugfixes

• Avoid cross-realm object access by @Jack-Works in #16500
• Improve hash performance via conditional initialization by @lvivski in #16491
• Serialize generatedCode info to fix bug in asset module cache restoration by @ryanwilsonperkin in #16703
• Improve performance of hashRegExp lookup by @ryanwilsonperkin in #16759

Features

• add target to LoaderContext type by @askoufis in #16781

Security

• CVE-2022-37603 fixed by @akhilgkrishnan in #16446

Repo Changes

• Fix HTML5 logo in README by @jakebailey in #16614
• Replace TypeScript logo in README by @jakebailey in #16613
• Update actions/cache dependencies by @piwysocki in #16493

New Contributors

• @Jack-Works made their first contribution in #16500
• @lvivski made their first contribution in #16491
• @jakebailey made their first contribution in #16614
• @akhilgkrishnan made their first contribution in #16446
• @ryanwilsonperkin made their first contribution in #16703
• @piwysocki made their first contribution in #16493
• @askoufis made their first contribution in #16781

Full Changelog: v5.75.0...v5.76.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 54 commits:

• 5.76.2
• Merge pull request #16830 from snitin315/fix/module-graph
• fix: initialize `this._cacheStage` in ModuleGraph constructor
• Merge pull request #16805 from snitin315/fix/improve-source-types
• Merge pull request #16811 from snitin315/fix/add-missing-semicolon
• test: update StatsTestCases snapshots
• fix: add missing semicolon in `AutoPublicPathRuntimeModule`
• Merge pull request #15722 from webpack/feat/issue-15720
• Merge pull request #16347 from ahaoboy/main
• docs: fix typo in examples
• docs: update examples
• fix: improve types for `webpack-sources`
• Merge pull request #16804 from webpack/chore-patch-release
• chore(release): 5.76.1
• Merge pull request #16803 from ryanwilsonperkin/revert-16759-real-content-hash-regex-perf
• Revert "Improve performance of hashRegExp lookup"
• Merge pull request #16766 from piranna/patch-1
• Merge pull request #16789 from dmichon-msft/contenthash-hashsalt
• Merge pull request #16792 from webpack/update-version
• chore(release): 5.76.0
• Merge pull request #16781 from askoufis/loader-context-target-type
• Merge pull request #16759 from ryanwilsonperkin/real-content-hash-regex-perf
• Respect output.hashSalt in RealContentHashPlugin
• Merge pull request #16493 from piwysocki/patch-1
• feat: Add `target` to `LoaderContext` type
• Merge pull request #16703 from ryanwilsonperkin/ryanwilsonperkin/fix-16160
• Merge branch 'webpack:main' into patch-1
• Merge pull request #16446 from akhilgkrishnan/patch-1
• Merge pull request #16613 from jakebailey/ts-logo
• Merge pull request #16614 from jakebailey/html5-logo
• Added `assert/strict` built-in
• Improve performance of hashRegExp lookup
• Add test for behaviour of filesystem-cached assets with loaders
• lint: remove trailing comma
• Serialize code generator data to support generated assets
• Merge pull request #16491 from lvivski/main
• Fix formatting
• Fix formatting
• Fix HTML5 logo in README
• Replace TypeScript logo in README
• Merge branch 'webpack:main' into patch-1
• Merge pull request #16500 from Jack-Works/avoid-cross-realm-object
• fix: type error
• chore: revert breaking change
• update dts
• fix: test fail
• fix: remove extra change
• fix: avoid cross-realm objects
• ci: test workflow - bump actions/cache
• Initialize hash conditionally
• chore: Remove redundant semicolons after onScriptComplete function close: #16346add route match
• Yarn lint issue fix
• Yarn lock updated
• Merge branch 'webpack:main' into patch-1

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)