Compression-webpack-plugin 2.0.0 brings several changes compared to the previous stable release, 1.1.12. It adds schema-utils as a direct dependency, used to validate the options object passed to the plugin against a declared schema, so a misspelled or wrongly typed option is rejected at build time instead of being silently ignored. The release also updates a number of development dependencies (@commitlint/cli, @commitlint/config-conventional, @gfx/zopfli, @webpack-contrib/eslint-config-webpack, eslint, eslint-plugin-import, eslint-plugin-prettier, prettier and standard-version); these affect only the project's own linting, formatting and commit conventions, not the published plugin code. The most consequential change is the webpack peer dependency, which narrows from ^2.0.0 || ^3.0.0 || ^4.0.0 to ^4.3.0. Projects still on webpack 2 or 3, or on a 4.x release earlier than 4.3.0, no longer satisfy the peer dependency and should check their installed webpack version before upgrading the plugin.
The find-cache-dir dependency also moves from ^1.0.0 to ^2.0.0. That package only locates a suitable cache directory for the plugin; a major-version bump signals a breaking change in its own API or supported Node.js versions, not a change in how assets are compressed. The webpack-defaults development dependency was dropped in favour of the individual commitlint, zopfli and eslint-config packages listed above, giving the project more granular control over its tooling. The reported unpacked size also differs slightly between the two versions, reflecting changes to the included files and plugin code. For teams using the plugin to serve pre-compressed assets with Content-Encoding, the items to check before upgrading are the webpack peer dependency and whether the existing plugin options pass the new schema validation.
Known vulnerabilities affecting version 2.0.0 of the package (both in its serialize-javascript dependency)
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package does not escape the source of serialized regular expressions, so characters that are significant in HTML are emitted verbatim and can break out of a page into which the serialized output is embedded. This vulnerability does not affect Node.js applications that only consume the output server-side.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which lets an attacker escape the string value of the bar key and continue with arbitrary JavaScript. The attack requires control of the values of both foo and bar and knowledge of the value of <UID>, the random marker the library uses for its regular-expression placeholders. The UID has a keyspace of approximately 4 billion, small enough to be guessed over the network, which makes this a realistic attack.
Upgrade to version 3.1.0 or later.
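To make the escape concrete, here is an added example (not serialize-javascript's source) that re-implements the placeholder scheme the advisory describes in a few lines of JavaScript, with the vulnerable substitution and a hardened variant side by side. The UID is a constructed constant, deadbeef, standing in for a value the attacker has guessed, and the object literal reproduces the advisory's foo/bar input. The hardening shown, refusing to substitute a placeholder whose opening quote is escaped, is one way to close the hole and is not presented as the project's actual patch.

```javascript
// Added example, not serialize-javascript's own code: a minimal
// re-implementation of the placeholder scheme described in the advisory,
// with the hole open (vulnerable) and closed (hardened) side by side.
// The UID is a constructed constant so the attacker's "guess" succeeds on
// the first try; the real library draws it randomly when loaded.
const UID = 'deadbeef';

// Serialise `obj` to JavaScript source. RegExp values cannot survive
// JSON.stringify, so they are swapped for a quoted placeholder string
// "@__R-<UID>-<n>__@" and patched back in afterwards with a text replace.
function serializeRegExps(obj, { hardened }) {
  const regexps = [];
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp
      ? '@__R-' + UID + '-' + (regexps.push(value) - 1) + '__@'
      : value
  );

  // Capture an optional preceding backslash. A genuine placeholder is a
  // whole JSON value, so its opening quote is never escaped; an escaped
  // quote (\") means the text is the inside of some other string.
  const pattern = new RegExp('(\\\\)?"@__R-' + UID + '-(\\d+)__@"', 'g');

  return json.replace(pattern, (match, backslash, index) => {
    if (hardened && backslash) {
      return match; // string content that merely looks like a placeholder: leave it
    }
    // Vulnerable path: substitute even when the placeholder came from an
    // attacker-controlled string, keeping the stray backslash exactly as the
    // advisory's output ("a\/1"/) shows. A regex literal is emitted here to
    // match the advisory's example; escaping of the regex source itself is
    // the separate issue fixed in 2.1.1.
    return (backslash || '') + regexps[index].toString();
  });
}

// The advisory's scenario (constructed input): the attacker controls both
// `foo` and `bar` and knows, or has guessed, the UID.
const attackerInput = { foo: /1"/, bar: 'a"@__R-' + UID + '-0__@' };

function vulnerableOutput() {
  return serializeRegExps(attackerInput, { hardened: false });
}

function hardenedOutput() {
  return serializeRegExps(attackerInput, { hardened: true });
}

// True when the serialized text still evaluates to an object whose `bar`
// is the attacker's original string, i.e. the placeholder inside it was
// not substituted and the string boundary survived.
function barIsIntact(source) {
  let value;
  try {
    value = new Function('return ' + source + ';')();
  } catch (e) {
    return false; // the output no longer parses as the object that was serialized
  }
  return typeof value.bar === 'string' && value.bar === attackerInput.bar;
}

console.log(vulnerableOutput()); // {"foo":/1"/,"bar":"a\/1"/}   bar's string is terminated early
console.log(hardenedOutput());   // {"foo":/1"/,"bar":"a\"@__R-deadbeef-0__@"}
```

Run it with node. In the vulnerable output the escaped quote inside bar is followed by the raw regex text, so the string ends early and a dangling `/` is left behind; the text no longer evaluates to the object that was serialized, and with a differently shaped foo the attacker chooses what code runs instead. The hardened output keeps bar as the attacker's literal string. The backslash check is defence in depth: the primary barrier is an unguessable UID, and the advisory's point is that a keyspace of roughly 4 billion is not unguessable over a network.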