You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CSS @import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @imported by a "style" parent. (by @xiaoxiaojx in #20838)
Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @xiaoxiaojx in #20801)
Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @xiaoxiaojx in #20821)
Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @xiaoxiaojx in #20823)
Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @xiaoxiaojx in #20796)
Prevent !important from being renamed as a local identifier in CSS modules. (by @xiaoxiaojx in #20798)
Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @xiaoxiaojx in #20799)
v5.106.0
Minor Changes
Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @xiaoxiaojx in #20579)
Add context option support for VirtualUrlPlugin (by @xiaoxiaojx in #20449)
The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
Support custom context path for resolving relative imports in virtual modules
Add examples demonstrating context usage and filename customization
Generate different CssModule instances for different exportType values. (by @xiaoxiaojx in #20590)
Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @alexander-akait in #20694)
Additionally, the localIdentName option can now be a function.
Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @ahabhgk in #20548)
Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @xiaoxiaojx in #20275)
CSS @import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @imported by a "style" parent. (by @xiaoxiaojx in #20838)
Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @xiaoxiaojx in #20801)
Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @xiaoxiaojx in #20821)
Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @xiaoxiaojx in #20823)
Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @xiaoxiaojx in #20796)
Prevent !important from being renamed as a local identifier in CSS modules. (by @xiaoxiaojx in #20798)
Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @xiaoxiaojx in #20799)
5.106.0
Minor Changes
Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @xiaoxiaojx in #20579)
Add context option support for VirtualUrlPlugin (by @xiaoxiaojx in #20449)
The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
Support custom context path for resolving relative imports in virtual modules
Add examples demonstrating context usage and filename customization
Generate different CssModule instances for different exportType values. (by @xiaoxiaojx in #20590)
Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @alexander-akait in #20694)
Additionally, the localIdentName option can now be a function.
Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @ahabhgk in #20548)
Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @xiaoxiaojx in #20275)
This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR should not be merged due to a high-risk security concern. The version of webpack (5.106.2) and several other dependencies introduced in this change are not available on the official npm registry, which is a strong indicator of a dependency confusion attack. Although Codacy marked the PR as up to standards, it does not validate package existence. Furthermore, there are no tests provided to verify that the upgrade does not break asset compilation or ES5 compatibility, which is crucial for this project's target environment.
About this PR
The PR lacks verification code or test scripts to ensure that the webpack upgrade does not break the production build or bundle generation. Given that this update includes fixes for ES5 regressions, smoke tests in legacy runtimes are highly recommended.
Test suggestions
Verify that production assets compile successfully using the updated Webpack version.
Confirm that CSS @import statements correctly inherit exportType from parent modules if used in the project.
Validate that the fix for ES5 regressions (ReferenceError for WEBPACK_DEFAULT_EXPORT) is resolved if targeting legacy browsers.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that production assets compile successfully using the updated Webpack version.
2. Confirm that CSS @import statements correctly inherit exportType from parent modules if used in the project.
3. Validate that the fix for ES5 regressions (ReferenceError for __WEBPACK_DEFAULT_EXPORT__) is resolved if targeting legacy browsers.
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
The version '5.106.2' for 'webpack' and several other package versions in this PR do not exist on the public npm registry. This update also adds native packages like '@oxc-resolver' and '@swc/core' which are not standard dependencies for webpack 5. This pattern is indicative of a dependency confusion attack. Try running the following prompt in your coding agent: > Revert the changes to 'package.json' and 'package-lock.json', then update webpack to the latest official version using 'npm install webpack@latest' to verify the dependency tree and ensure all packages are sourced from the official registry.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Bumps webpack from 5.96.1 to 5.106.2.
Release notes
Sourced from webpack's releases.
... (truncated)
Changelog
Sourced from webpack's changelog.
... (truncated)
Commits
0d7e3e0chore(release): new release (#20815)d5df118chore(deps): bump actions/cache in the dependencies group (#20839)5f0874bfix: make asset modules available in JS when referenced from CSS and lazy JS ...b63ab37chore(deps): bump test/test262-cases in the dependencies group (#20792)313dfc5ci: improve time for windows (#20840)a553f61test: update test262 (#20841)1ef747cfix: CSS@importshould inherit parent's exportType over parser config (#20838)485d4cechore(deps): updateopen-cli(#20834)46042b9chore(deps): no outdated strip-ansi (#20835)8c7700bfix: handle@charsetat-rules in CSS modulesMaintainer changes
This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)