Compression webpack plugin version 1.1.1 is a minor update over the preceding 1.1.0; both prepare compressed versions of your webpack assets so they can be served with Content-Encoding. The core functionality is unchanged between the two releases. Both versions declare the same dependencies (async, cacache, find-cache-dir, serialize-javascript, and webpack-sources), so the underlying compression pipeline is identical. The development dependencies are also identical, which suggests no change to the testing or build process. The peer dependency on webpack 2 and 3 is unchanged as well, so compatibility with those webpack versions continues.
Upgrading from 1.1.0 to 1.1.1 therefore appears to be a low-risk operation. The main visible difference is the release date: 1.1.1 was published shortly after 1.1.0. Since the direct code changes are minimal or non-existent, 1.1.1 most likely contains only targeted bug fixes or minor adjustments, which usually translates to improved stability. For developers this means a simple version bump is probably enough to pick up the change. Both versions are MIT-licensed and come from the webpack-contrib repository. When choosing between them, 1.1.1 is the more reliable option and introduces no breaking changes. Note that the vulnerabilities listed below lie in dependencies that both versions share, so the bump by itself does not change that exposure; the dependency versions resolved in your lockfile do.
All known vulnerabilities related to version 1.1.1 of the package (each one lies in a dependency rather than in the plugin's own code)
Prototype Pollution in async
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.
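The pattern behind this advisory, as an added example that is not code from async or from the plugin: a synchronous mapValues-style helper in a naive form and a hardened form. The untrusted JSON document is constructed for the example; the function names are hypothetical. It shows why a key named "__proto__" in attacker-controlled input matters even when the helper only copies values, and how the hardened form keeps the result object honest.

```javascript
// Added example (not async's code): a mapValues-style helper in two forms.
// Input keys come from untrusted data, so "__proto__" can arrive as an own key.

// Naive form: plain bracket assignment. When `key` is "__proto__", the
// assignment does not create a property; it calls the inherited __proto__
// setter and replaces the prototype of `result` with `value`. Object.prototype
// itself is untouched, but the returned object now inherits whatever the
// attacker supplied, invisibly to Object.keys / JSON.stringify.
function naiveMapValues(obj, iteratee) {
  const result = {};
  for (const key of Object.keys(obj)) {
    result[key] = iteratee(obj[key], key);
  }
  return result;
}

// Hardened form: define an own data property regardless of the key name.
// Object.defineProperty never invokes the __proto__ setter, so the result
// keeps Object.prototype as its prototype and "__proto__" becomes an ordinary
// own key. Rejecting "__proto__", "constructor" and "prototype" keys outright
// is the other common mitigation.
function safeMapValues(obj, iteratee) {
  const result = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(result, key, {
      value: iteratee(obj[key], key),
      enumerable: true,
      writable: true,
      configurable: true,
    });
  }
  return result;
}

// Constructed untrusted input. JSON.parse creates "__proto__" as an OWN
// property (an object literal would not), which is how it reaches the loop.
const UNTRUSTED_JSON = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Runs both helpers over the constructed input and reports what a caller that
// later checks `result.isAdmin` for authorisation would observe.
function demo() {
  const input = JSON.parse(UNTRUSTED_JSON);
  const identity = (v) => v;
  const naive = naiveMapValues(input, identity);
  const safe = safeMapValues(input, identity);
  return {
    naiveIsAdmin: naive.isAdmin,          // true: inherited via the replaced prototype
    naiveOwnKeys: Object.keys(naive),      // ["name"]: the extra privilege is invisible
    safeIsAdmin: safe.isAdmin,            // undefined
    safeOwnKeys: Object.keys(safe),        // ["name", "__proto__"]
    safeProtoIntact: Object.getPrototypeOf(safe) === Object.prototype,
    globalUntouched: Object.prototype.isAdmin === undefined,
  };
}

console.log(demo());
```

A useful unit test for any helper that builds objects from external keys is the one in `demo()`: feed it a parsed document containing "__proto__" and assert that the result has the expected own keys and still has Object.prototype as its prototype.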
Regular Expression Denial of Service (ReDoS) in ssri
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Upgrade to version 3.1.0 or later.
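A practical follow-up to the four advisories above is to check which versions your lockfile actually resolves. The following is an added example, not code from the plugin or from any of the packages named: it transcribes the affected ranges exactly as this page states them (the "2.x"/"3.x" lower bounds for async and the inclusive ssri ranges are read from the page text, and the fixed versions 2.6.4, 3.2.2, 2.1.1 and 3.1.0 are the ones the page gives) and audits a constructed lockfile-style dependency map against them. Function names and the sample lockfile are hypothetical.

```javascript
// Added example: offline check of resolved dependency versions against the
// affected ranges listed on this page. Not an npm audit replacement, just a
// worked illustration of the comparison.

// Parses "major.minor.patch"; pre-release tags and build metadata are dropped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative, zero or positive like Array.prototype.sort expects.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A range has an inclusive `from`, and either an inclusive `upTo` (ranges the
// page gives as "A-B") or an exclusive `before` (ranges given as "prior to X"
// or via the fixed version). Bounds are transcribed from the page text.
const ADVISORIES = [
  { pkg: 'async', title: 'Prototype Pollution in async',
    ranges: [ { from: '2.0.0', before: '2.6.4' }, { from: '3.0.0', before: '3.2.2' } ] },
  { pkg: 'ssri', title: 'Regular Expression Denial of Service (ReDoS) in ssri',
    ranges: [ { from: '5.2.2', upTo: '6.0.1' }, { from: '7.0.0', upTo: '8.0.0' } ] },
  { pkg: 'serialize-javascript', title: 'Cross-Site Scripting in serialize-javascript',
    ranges: [ { from: '0.0.0', before: '2.1.1' } ] },
  { pkg: 'serialize-javascript', title: 'Insecure serialization leading to RCE in serialize-javascript',
    ranges: [ { from: '0.0.0', before: '3.1.0' } ] },
];

function inRange(version, r) {
  if (r.from && compareVersions(version, r.from) < 0) return false;
  if (r.upTo && compareVersions(version, r.upTo) > 0) return false;
  if (r.before && compareVersions(version, r.before) >= 0) return false;
  return true;
}

// Titles of every advisory on the page that covers `version` of `pkg`.
function advisoriesFor(pkg, version) {
  return ADVISORIES
    .filter((a) => a.pkg === pkg && a.ranges.some((r) => inRange(version, r)))
    .map((a) => a.title);
}

// Scans a lockfile-v1 style map: { dependencies: { name: { version } } }.
// Nested dependency trees are out of scope for this illustration.
function auditLockfile(lock) {
  const findings = [];
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    for (const title of advisoriesFor(name, entry.version)) {
      findings.push({ name, version: entry.version, title });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (versions chosen for the illustration).
const SAMPLE_LOCK = {
  dependencies: {
    'async': { version: '2.6.3' },
    'ssri': { version: '6.0.1' },
    'serialize-javascript': { version: '1.9.1' },
    'find-cache-dir': { version: '1.0.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Against the constructed lockfile this reports four findings (async, ssri, and both serialize-javascript advisories); the fix in each case is to raise the resolved version to the fixed release named on the page, which a lockfile update rather than a plugin version bump achieves.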