Compression-webpack-plugin version 1.1.0 introduces several updates and refinements over version 1.0.1. The key improvements are caching and dependency updates: the newer version adds cacache, a content-addressable on-disk cache, so that assets whose input has not changed are not recompressed on repeated webpack builds, which cuts build time and resource use for projects that compile often.
Version 1.1.0 also updates several dependencies. Most notable are the additions of serialize-javascript and find-cache-dir, Babel 7 support, and updates to ESLint and Jest. The ESLint, Jest and Babel changes affect only the plugin's own development environment. serialize-javascript and find-cache-dir, however, are runtime dependencies that support the new cache (serializing the plugin options into a cache key and locating the cache directory), so they are installed by every consumer, together with async, cacache and cacache's dependency ssri. That is why the advisories listed below for those packages apply to this version of the plugin even though none of the vulnerable code is the plugin's own. The core functionality is unchanged: the plugin writes compressed copies of the build assets so a server can serve them with the matching Content-Encoding header. Both versions declare a peer dependency on webpack 2 and 3. Overall, 1.1.0 is focused on performance and maintainability, with the improved caching paying off most for projects with frequent builds.
All vulnerabilities related to version 1.1.0 of the package
Prototype Pollution in async
A vulnerability exists in Async 3.x through 3.2.1 and 2.x through 2.6.3 (fixed in 3.2.2 and 2.6.4) that could let a malicious user obtain privileges via the mapValues() method: the key of an attacker-supplied object ends up written into the result object's prototype chain.
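To show the class of bug the async advisory describes, here is an added example (it is not async's code and does not reproduce its internals): a mapValues-style helper that copies iteratee results back by key, in a vulnerable form using plain assignment and a hardened form using Object.defineProperty. The input is a constructed JSON body; the function and property names are assumptions made for the illustration.

```javascript
'use strict';

// Vulnerable shape: copy each iteratee result back by key with plain assignment.
// Object.keys() yields an own "__proto__" key when the input came from JSON.parse,
// and `out["__proto__"] = value` then rewires the prototype of `out` instead of
// creating a property, so `out` inherits whatever the attacker put in `value`.
function mapValuesVulnerable(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    out[key] = iteratee(obj[key], key);
  }
  return out;
}

// Hardened: Object.defineProperty always creates an own data property, so a
// "__proto__" key becomes an ordinary (harmless) property of the result.
function mapValuesHardened(obj, iteratee) {
  const out = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(out, key, {
      value: iteratee(obj[key], key),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return out;
}

// Constructed untrusted input, e.g. a parsed request body. JSON.parse creates
// an own "__proto__" property here rather than setting the prototype.
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Runs one mapValues variant over the constructed input and reports what a
// caller would observe when it later checks `result.isAdmin`.
function demo(mapValues) {
  const input = JSON.parse(UNTRUSTED_JSON);
  const result = mapValues(input, (value) => value);
  return {
    isAdmin: result.isAdmin,
    hasOwnProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
    globalPolluted: ({}).isAdmin !== undefined,
  };
}

console.log('vulnerable:', demo(mapValuesVulnerable)); // isAdmin: true, hasOwnProtoKey: false
console.log('hardened:  ', demo(mapValuesHardened));   // isAdmin: undefined, hasOwnProtoKey: true
```

The vulnerable result answers `isAdmin === true` although no code ever set it; that inherited property is what a later authorization check would trust. Object.prototype itself stays clean in this shape, which is why a check for global pollution alone would miss it.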
Regular Expression Denial of Service (ReDoS)
npm ssri 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0 process SRIs using a regular expression that is vulnerable to denial of service: a malicious SRI string can take an extremely long time to match. This issue only affects consumers using the strict option.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS): the package does not escape unsafe characters in serialized regular expressions, so characters such as "<", ">" and "/" from a regex source reach the output unescaped and can break out of the <script> block the serialized value is embedded in. This vulnerability does not affect Node.js applications, because Node's RegExp.prototype.toString() backslash-escapes forward slashes in the regex source and a closing script tag therefore cannot appear; output produced in other JavaScript environments is affected. Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack. Upgrade to version 3.1.0 or later.