Uglifyjs-webpack-plugin is a vital tool for web developers using Webpack, designed to minify JavaScript code and reduce bundle sizes for faster website loading times. Comparing versions 1.1.7 and 1.1.8 reveals subtle differences that can be important for optimization and stability. Both versions share the same core dependencies, including cacache for caching, find-cache-dir for locating cache directories, serialize-javascript for safe JavaScript serialization, schema-utils for validation, source-map for debugging, uglify-es for ES6+ code minification, webpack-sources for source code manipulation, and worker-farm for parallel processing. The peer dependencies also remain consistent, requiring Webpack versions 2 or 3.
The development dependencies are identical, suggesting no significant changes in the build or testing processes between the two versions. These include tools like Babel for code transpilation, Jest for testing, ESLint for code linting, and standard-version for version management.
The main difference lies in the releaseDate. Version 1.1.8 was released just a couple of hours after 1.1.7, which could indicate a quick fix for a minor bug. Developers using this plugin benefit from its ability to significantly shrink JavaScript bundle sizes, leveraging UglifyJS to remove whitespace and comments and to shorten variable names, improving website performance and user experience. Choosing the latest (or a specific) version hinges on individual project requirements. If the previous version works flawlessly, upgrading might not be immediately necessary, but it is generally recommended to stay updated for security patches, enhancements and bug fixes.
All the vulnerabilities related to version 1.1.8 of the package
Regular Expression Denial of Service (ReDoS)
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.
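As an added example, not serialize-javascript's own code, the following models the two-pass placeholder substitution that the advisory describes, alongside a guard that leaves a placeholder alone when its opening quote is escaped (that is, when it sits inside a user-supplied string). The UID constant and the sample object are constructed; the real library draws a random UID.

```javascript
// Added example, not serialize-javascript's own code: a minimal model of
// placeholder-based serialization, showing the defect described above and
// a guard that closes it. The UID is a constructed constant so the output
// is reproducible; the real library draws a random one.
const UID = 'deadbeef'; // constructed value, not a real library UID

function serializeWith(obj, guardEscapedQuote) {
  const regexps = [];
  // Pass 1: JSON.stringify swaps every RegExp for a quoted placeholder
  // string that records the regexp's index.
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp ? `@__R-${UID}-${regexps.push(value) - 1}__@` : value
  );
  // Pass 2: replace the quoted placeholders with regexp source text.
  // The optional leading backslash is captured so the guard can see it.
  const placeholder = new RegExp(`(\\\\)?"@__R-${UID}-(\\d+)__@"`, 'g');
  return json.replace(placeholder, (match, backslash, index) => {
    // A placeholder whose opening quote is escaped sits inside a user
    // string, so it is data the serializer must leave untouched.
    if (guardEscapedQuote && backslash) return match;
    // Vulnerable behaviour: substitute regardless, keeping the backslash.
    return (backslash || '') + regexps[Number(index)].toString();
  });
}

const serializeVulnerable = (obj) => serializeWith(obj, false);
const serializeFixed = (obj) => serializeWith(obj, true);

// Evaluates the serialized text the way an embedding consumer would and
// reports whether `bar` still round-trips; false means the string escaped.
function barSurvives(serializer, obj) {
  try {
    return new Function(`return ${serializer(obj)}`)().bar === obj.bar;
  } catch (err) {
    return false; // syntax error: the substituted text broke the literal
  }
}

// Constructed input shaped like the object in the advisory above.
const sample = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };

console.log(serializeVulnerable(sample)); // {"foo":/1"/,"bar":"a\/1"/}
console.log(serializeFixed(sample));      // {"foo":/1"/,"bar":"a\"@__R-deadbeef-0__@"}
console.log(barSurvives(serializeVulnerable, sample), barSurvives(serializeFixed, sample)); // false true
```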