compression-webpack-plugin is a webpack plugin that pre-compresses build assets so they can be served with a matching Content-Encoding header. The latest version, 1.1.6, and its immediate predecessor, 1.1.5, share the same core functionality. Examining the package metadata shows how little separates the two releases.
The one clear differentiator is the "releaseDate": 1.1.6 was published shortly after 1.1.5, which points to a quick fix or minor update. Both versions declare identical dependencies, including "async," "cacache," "find-cache-dir," "serialize-javascript," and "webpack-sources," and identical devDependencies (the tooling used for development, testing, and linting). The build and test setup therefore did not change between the releases.
The peerDependencies, which specify the compatible webpack versions, remain "^2.0.0 || ^3.0.0" for both, so projects on older webpack releases stay supported. Developers considering an upgrade should weigh the bug fixes or minor improvements in 1.1.6 against staying on a known-good 1.1.5. Given the close release dates the differences are likely minimal, but they are worth checking if you hit edge-case compression issues. Note that the advisories listed below concern dependencies (serialize-javascript directly, ssri through cacache), not the plugin's own code; because both releases declare the same dependency ranges, moving from 1.1.5 to 1.1.6 does not by itself change your exposure. What matters is which versions of those packages your lockfile resolves.
All vulnerabilities related to version 1.1.6 of the package
Regular Expression Denial of Service (ReDoS)
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. Fixed in ssri 6.0.2 and 8.0.1. ssri is not a direct dependency of the plugin; it enters the tree through cacache.
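The following is an added example, not ssri's code: a strict-mode SRI matcher shaped like the pattern affected by this ReDoS, next to a linear-time variant. The exact ssri patterns, the 44-character digest and the input strings are assumptions constructed for the demonstration; compare the patterns with the package source before drawing conclusions about a specific release.

```javascript
// Added example, not ssri's code. The two patterns below are assumptions
// modelled on the strict-mode SRI grammar: "<algorithm>-<base64 digest>[?options]".

// Vulnerable shape: the option group "(\?[\x21-\x7E]*)*" nests a star inside a
// star, and '?' is itself inside [\x21-\x7E]. A run of n question marks can be
// split between the two quantifiers in 2^(n-1) ways, and when the final anchor
// fails the engine tries every one of them before giving up.
const STRICT_VULNERABLE = /^([a-z0-9]+)-([A-Za-z0-9+\/=]{44,88})(\?[\x21-\x7E]*)*$/;
// Fixed shape: at most one option group, so every character is consumed once
// and a failed match backs off in linear time.
const STRICT_FIXED = /^([a-z0-9]+)-([A-Za-z0-9+\/=]{44,88})(\?[\x21-\x7E]*)?$/;

function parseStrict(sri, pattern) {
  const m = pattern.exec(sri);
  return m ? { algorithm: m[1], digest: m[2], options: m[3] || '' } : null;
}

// Constructed inputs: a 44-character base64 digest (the sha256 length) and an
// SRI that fails only at the very end, after n question marks, because the
// trailing newline is outside [\x21-\x7E].
const DIGEST = 'A'.repeat(43) + '=';
const validSri = `sha256-${DIGEST}?foo=bar`;
const maliciousSri = (n) => `sha256-${DIGEST}${'?'.repeat(n)}\n`;

// Wall-clock milliseconds to reject maliciousSri(n) with the given pattern.
function rejectMillis(pattern, n) {
  const start = process.hrtime.bigint();
  const result = parseStrict(maliciousSri(n), pattern);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  if (result !== null) throw new Error('expected the malicious SRI to be rejected');
  return ms;
}

// Rejection time doubles with every extra '?' for the vulnerable pattern and
// stays flat for the fixed one.
for (const n of [8, 12, 16, 20]) {
  console.log(`n=${n}: vulnerable ${rejectMillis(STRICT_VULNERABLE, n).toFixed(1)} ms,` +
              ` fixed ${rejectMillis(STRICT_FIXED, n).toFixed(3)} ms`);
}
```

Both patterns accept the same well-formed SRIs; they differ only in how much work a rejected input costs. Keeping the loop at n=20 keeps the demonstration to a fraction of a second; a few more question marks is enough to stall a worker for minutes, which is the attack the advisory describes.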
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications; it matters when the serialized output is embedded in an HTML page served to a browser, where unescaped characters in a regular expression's source can terminate the surrounding script block.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack. Upgrade to version 3.1.0 or later.
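The following is an added example, not code from serialize-javascript or from this page: a minimal re-creation of the package's placeholder scheme for RegExp values, with switches for the two fixes described in this advisory and in the XSS advisory above. The UID constant, the property names foo and bar, and the regex payloads are constructed for the demonstration (the real library picks the UID at random, which is why the advisory speaks of guessing it). Rendering a RegExp as new RegExp(...) with \uXXXX escapes is the shape of the 2.1.1 mitigation as assumed here, and the backslash check on the placeholder is the shape of the 3.1.0 mitigation as assumed here; neither is copied from the library.

```javascript
// Added example, not serialize-javascript's own code. UID is a fixed constant
// so the attacker-controlled payload can be written out in full; the real
// library draws it at random.
const UID = 'deadbeef';
const PLACEHOLDER = new RegExp(`(\\\\)?"@__R-${UID}-(\\d+)__@"`, 'g');

// Characters that let a string break out of an inline <script> block or end a
// JS string literal early. Each is replaced by a \uXXXX escape that a JS string
// literal decodes back to the original character, so the regex is unchanged.
const UNSAFE = /[<>\/\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
const escapeUnsafe = (s) => s.replace(UNSAFE, (c) => ESCAPES[c]);

// Render one RegExp as JS source. The pre-2.1.1 style emits the literal as-is;
// the hardened style rebuilds it from an escaped source string (assumed shape).
function renderRegExp(re, hardened) {
  if (!hardened) return String(re);
  return `new RegExp(${escapeUnsafe(JSON.stringify(re.source))}, "${re.flags}")`;
}

function serialize(obj, { fixRegexXss = false, fixPlaceholderEscape = false } = {}) {
  const regexps = [];
  // Step 1: JSON.stringify, swapping every RegExp for a placeholder string.
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp ? `@__R-${UID}-${regexps.push(value) - 1}__@` : value);
  // Step 2: put RegExp source back where the placeholders are.
  return json.replace(PLACEHOLDER, (match, backslash, index) => {
    // 3.1.0-style fix (assumed shape): a placeholder preceded by a backslash
    // sits inside a string value (JSON escaped the quote), so leave it alone.
    if (backslash && fixPlaceholderEscape) return match;
    return (backslash || '') + renderRegExp(regexps[Number(index)], fixRegexXss);
  });
}

// Does the serialized text parse as a JS expression at all?
function parsesAsJs(src) {
  try { new Function(`return ${src}`); return true; } catch (e) { return false; }
}

// Payload from the advisory: foo is a regex, bar contains a quote followed by
// the placeholder for foo (the attacker has guessed UID). Constructed.
const rcePayload = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };
// Regex whose source carries a script-closing tag inside a character class,
// which a regex literal may contain unescaped. Constructed for the XSS case.
const xssPayload = { r: /[</script>]/ };

console.log(serialize(rcePayload));                                // bar escapes its quotes
console.log(serialize(rcePayload, { fixPlaceholderEscape: true })); // bar stays a string
console.log(serialize(xssPayload));                                // carries </script>
console.log(serialize(xssPayload, { fixRegexXss: true }));         // no raw angle brackets
```

With no fixes applied the advisory's object comes out as {"foo":/1"/,"bar":"a\/1"/}: the placeholder inside bar was replaced as if it were a value, so the quote that should have closed bar now ends a shorter string and whatever the attacker placed in foo lands outside it. With the backslash check the placeholder inside bar is left as literal text and the output round-trips. For the XSS case, the unhardened output contains a literal </script>, which an HTML parser treats as the end of the inline script no matter where in the JavaScript it appears; the hardened output carries only \uXXXX escapes and rebuilds the same regex in the browser.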