Compression-webpack-plugin streamlines asset compression within webpack workflows, improving web application performance by delivering smaller, optimized files to users. Comparing versions 1.1.12 and 1.1.11 reveals subtle but relevant updates for developers. Both versions share the same core dependencies: cacache, find-cache-dir, neo-async, serialize-javascript and webpack-sources. The most visible differences are in the devDependencies. jest jumps from 21.2.1 to 23.5.0 in version 1.1.12, which implies sizeable changes in the testing infrastructure. webpack moves from 3.8.1 in 1.1.11 to 4.17.1 in 1.1.12, suggesting that the newer version is developed and tested against webpack 4. lint-staged is updated from 4.3.0 to 7.2.2, so 1.1.12 is linted with a more recent toolchain, and nsp is bumped from 2.8.1 to 3.2.1. Finally, note the unpackedSize: 1.1.12 occupies 28230 bytes versus 27709 bytes for 1.1.11, a small increase in overall size attributed to the added functionality. Developers should evaluate these changes against their project's webpack and testing configuration when upgrading. The peerDependencies declaration is unchanged, so both versions declare compatibility with webpack 2, 3 and 4.
All vulnerabilities affecting version 1.1.12 of the package
Regular Expression Denial of Service (ReDoS) in ssri
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs using a regular expression that is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Upgrade to version 3.1.0 or later.
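As an added example that is not part of the original page or the plugin's own code, the following Python script walks a constructed package-lock.json tree and flags installed versions that fall inside the ranges listed above. It assumes the nested v1 "dependencies" lockfile layout and reads the two ssri ranges as inclusive at both ends.

```python
import operator
import re

# Vulnerable ranges as stated in the advisories above (both ssri ranges are read
# as inclusive at both ends). Each spec is a space-separated list of comparators.
ADVISORIES = [
    ("ssri", ">=5.2.2 <=6.0.1", "ReDoS in SRI parsing (strict option only)"),
    ("ssri", ">=7.0.0 <=8.0.0", "ReDoS in SRI parsing (strict option only)"),
    ("serialize-javascript", "<2.1.1", "XSS via unsanitized regular expressions"),
    ("serialize-javascript", "<3.1.0", "RCE via deleteFunctions placeholder escape"),
]
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
_COMPARATOR = re.compile(r"(>=|<=|>|<)(\d+(?:\.\d+)*)")

def parse_version(text):
    """'6.0.1' -> (6, 0, 1); pre-release and build suffixes are ignored."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def in_range(version, spec):
    """True when version satisfies every comparator in spec (tuples compare lexically)."""
    v = parse_version(version)
    return all(_OPS[op](v, parse_version(bound)) for op, bound in _COMPARATOR.findall(spec))

def walk(deps, path=()):
    """Yield (name, version, path) for every entry of a nested lockfile tree."""
    for name, entry in deps.items():
        here = path + (name,)
        yield name, entry.get("version", ""), here
        yield from walk(entry.get("dependencies", {}), here)

def find_vulnerable(lock):
    """Return [(path, version, issue)] for installed versions inside a vulnerable range."""
    hits = []
    for name, version, path in walk(lock.get("dependencies", {})):
        for pkg, spec, issue in ADVISORIES:
            if name == pkg and version and in_range(version, spec):
                hits.append((" > ".join(path), version, issue))
    return hits

# Constructed lockfile excerpt (not a real package-lock.json): the plugin pulling in
# the two dependencies discussed above, plus a patched top-level ssri for contrast.
SAMPLE_LOCK = {"dependencies": {
    "compression-webpack-plugin": {"version": "1.1.12", "dependencies": {
        "serialize-javascript": {"version": "1.5.0"},
        "cacache": {"version": "10.0.4", "dependencies": {"ssri": {"version": "5.3.0"}}}}},
    "ssri": {"version": "8.0.1"}}}

for path, version, issue in find_vulnerable(SAMPLE_LOCK):
    print(f"{path}@{version}: {issue}")
```

The top-level ssri 8.0.1 is outside both ranges and produces no finding, while the nested serialize-javascript 1.5.0 is reported twice because it sits inside both the XSS and the RCE range.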