Compression-webpack-plugin compresses build assets (for example with gzip) as part of a webpack build, so that a server can deliver the pre-compressed files with a matching Content-Encoding header and improve page load times. Version 3.0.0, released in June 2019, refines the developer experience and tooling compared with version 2.0.0 from September 2018.
The key changes are in development dependencies and reflect the wider JavaScript ecosystem moving on. Version 3.0.0 upgrades the Babel, ESLint and Jest configurations to newer major versions, aligning the plugin with current practice for transpilation, linting and testing. Specifically, it adopts @babel/cli, @babel/core and @babel/preset-env for Babel and @webpack-contrib/eslint-config-webpack for ESLint, and introduces a commitlint configuration. These updates improve code quality, maintainability and the contributor workflow but do not change what the plugin emits.
Several other packages received major-version bumps, which typically bring bug fixes, performance improvements and new features from the underlying libraries. Notably, find-cache-dir was updated from version 2.0.0 to 3.0.0. Some packages were removed, namely babel-polyfill, babel-plugin-transform-object-rest-spread, conventional-github-releaser and pre-commit, most likely because their roles are now covered by the new Babel preset and commitlint setup or are no longer needed.
The core functionality is unchanged: both versions rely on cacache, neo-async, schema-utils, serialize-javascript and webpack-sources for caching, asynchronous operations, option validation and webpack integration. Both also declare a peer dependency on webpack 4. Developers migrating should review the find-cache-dir changes for any effect on cache directory resolution, but overall the upgrade is expected to improve the development environment rather than runtime behaviour. Note that serialize-javascript, which both versions depend on, is the source of the vulnerabilities listed below.
Known vulnerabilities affecting version 3.0.0 of the package (both are inherited through the serialize-javascript dependency)
Cross-Site Scripting in serialize-javascript (CVE-2019-16769)
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package does not escape unsafe characters in the source of serialized regular expressions, so a regular expression whose source contains characters such as "<", ">" or "/" can break out of a <script> block when the serialized output is embedded in an HTML page. Node.js applications are not affected, because Node's RegExp.prototype.toString() backslash-escapes forward slashes; output produced by other JavaScript runtimes is affected.
Remediation: upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript (CVE-2020-7660)
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". The library handles values that JSON cannot carry (regular expressions, functions, dates and so on) by replacing each with a placeholder token of the form @__R-<UID>-<index>__@, running JSON.stringify, and then substituting the real value for every token found in the resulting text. Because that substitution is a plain text replacement, an attacker-controlled string that already contains such a token is substituted as well. An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, so the quote inside the attacker's regular expression closes the bar string early and lets the attacker escape the bar key. The attack requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, which is small enough to make this a realistic network attack.
Remediation: upgrade to version 3.1.0 or later.