Compression-webpack-plugin versions 1.1.7 and 1.1.8 give developers a straightforward way to prepare compressed versions of their webpack assets, so that a web server can serve them with the matching Content-Encoding and cut both transfer size and page load time. Both versions share the same core: during the webpack build they automatically emit a compressed copy of each eligible asset (for example a .gz file for gzip or a .br file for Brotli) next to the original, which the server can then hand to browsers that advertise support for that encoding instead of compressing on every request.
While the fundamental functionality is the same in both versions, version 1.1.8 has a slightly larger unpacked size: 26530 bytes compared to 25954 bytes for 1.1.7. A difference this small most likely reflects internal adjustments such as bug fixes or minor refinements rather than new features. Developers upgrading from 1.1.7 should experience a smooth transition; comparing build times and output file sizes before and after the upgrade is a cheap sanity check if the build is size-sensitive. Both versions depend on async, cacache, find-cache-dir, serialize-javascript and webpack-sources. Note that the vulnerabilities listed below are in those dependencies (serialize-javascript directly, ssri transitively through cacache) rather than in the plugin's own code, so what matters in practice is which versions of them your lockfile resolves to, not the plugin version alone; `npm ls ssri serialize-javascript` shows what is actually installed. The peer dependency on webpack 2 or 3 is unchanged, so the plugin's target environment is the same. The release dates only record when each version was published to npm; they do not signal conceptual changes between versions.
All vulnerabilities related to version 1.1.8 of the package (reported against its dependencies)
Regular Expression Denial of Service (ReDoS) in ssri
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. ssri is not a direct dependency of the plugin; it is pulled in through cacache, so the version actually installed is decided by your lockfile.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions, so characters such as "</script>" in a regular expression's source can reach the output unescaped. This vulnerability does not affect Node.js applications, because Node.js's RegExp.prototype.toString() backslash-escapes forward slashes; serialized output consumed in other environments, for example embedded in an inline script tag of a browser page, is affected.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". The library replaces each regular expression with a placeholder of the form "@__R-<UID>-<n>__@" before calling JSON.stringify and then textually substitutes the regular expressions back into the resulting string, so a string value that itself contains the placeholder is treated as one. An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which lets an attacker break out of the string literal holding the bar value. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
Upgrade to version 3.1.0 or later.
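The following is an added illustration, not code from serialize-javascript or from the plugin: a stripped-down model of the placeholder scheme the library uses for RegExp values. It reproduces the advisory's example output, shows why the output no longer parses, and then applies the two upstream ideas: leaving a placeholder alone when it is preceded by a backslash (an escaped quote, i.e. attacker text inside a string literal, which is the 3.1.0 fix) and emitting regular expressions as new RegExp(<escaped source>, <flags>) rather than a raw literal (the 2.1.1 XSS fix). MODEL_UID is a fixed, hypothetical value so the attack is deterministic; the real library draws a random UID, which is why the advisory talks about guessing it. Everything else in the block (function names, the constructed attacker object) is this example's own.

```javascript
'use strict';
// Model of serialize-javascript's RegExp placeholder scheme (added example, not the
// library's code). MODEL_UID is hypothetical and fixed so the attack is reproducible.

const MODEL_UID = 'deadbeef';

// Characters that must never reach an inline <script> verbatim.
const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const ESCAPED_CHARS = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

function serializeModel(obj, hardened) {
  const regexps = [];

  // Pass 1: JSON.stringify cannot represent a RegExp, so each one is swapped for a
  // placeholder string and remembered by index.
  const json = JSON.stringify(obj, function (key, value) {
    const orig = this[key];
    if (orig instanceof RegExp) {
      return '@__R-' + MODEL_UID + '-' + (regexps.push(orig) - 1) + '__@';
    }
    return value;
  });

  // Pass 2: textually put each regexp back where its quoted placeholder sits.
  // An optional leading backslash is captured so the hardened path can tell a real
  // placeholder from attacker-supplied text sitting inside a string literal.
  const placeholder = new RegExp('(\\\\)?"@__R-' + MODEL_UID + '-(\\d+)__@"', 'g');
  return json.replace(placeholder, (match, backslash, index) => {
    const rx = regexps[Number(index)];
    if (!hardened) {
      // Pre-3.1.0 behaviour: replace regardless of context, emitting the raw literal.
      return (backslash || '') + rx.toString();
    }
    // Backslash means the opening quote was escaped: this is the content of a JSON
    // string, not a placeholder. Leave it exactly as JSON.stringify produced it.
    if (backslash) return match;
    // Escape <, >, / and the line separators so the output is safe inside <script>.
    const source = JSON.stringify(rx.source).replace(UNSAFE_CHARS, (c) => ESCAPED_CHARS[c]);
    return 'new RegExp(' + source + ', "' + rx.flags + '")';
  });
}

const serializeVulnerable = (obj) => serializeModel(obj, false);
const serializeHardened = (obj) => serializeModel(obj, true);

// What a consumer does with the output: evaluate it as a JavaScript expression.
function deserialize(src) {
  return new Function('return (' + src + ');')();
}

// Constructed attacker input: the advisory's object with the UID filled in.
function attackObject() {
  return { foo: /1"/, bar: 'a"@__R-' + MODEL_UID + '-0__@' };
}

// True if `src` does not parse, i.e. the injected quote broke the structure.
function breaksParsing(src) {
  try { deserialize(src); return false; } catch (e) { return e instanceof SyntaxError; }
}

console.log('vulnerable:', serializeVulnerable(attackObject()));  // {"foo":/1"/,"bar":"a\/1"/}
console.log('hardened:  ', serializeHardened(attackObject()));
console.log('hardened regexp for <script>:', serializeHardened({ re: /<\/script>/ }));
```

In the vulnerable path the second placeholder match begins at the escaped quote inside bar, so the replacement consumes that quote and the string literal ends early; the hardened path returns the match untouched and bar round-trips as the literal text the attacker supplied. In Node.js the vulnerable path for {re: /<\/script>/} already yields /<\/script>/, because Node escapes the slash in RegExp.prototype.toString(); that is why the XSS advisory excludes Node.js, and the escaped new RegExp(...) form is what keeps the output safe in other engines and inside an inline script tag.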