UglifyJS Webpack Plugin lets developers integrate UglifyJS, a JavaScript minifier, into their webpack build process. Version 1.2.1 builds on version 1.2.0 with small improvements and refinements. Both versions share the same core dependencies, including cacache for caching, uglify-es for ES6+ JavaScript minification, and webpack-sources for manipulating webpack assets. The development dependencies used for testing and development are also unchanged, including babel for code transformation, eslint for linting, and jest for unit testing.
The visible difference is in the dist metadata: unpackedSize grows slightly, from 49577 bytes in version 1.2.0 to 50256 bytes in 1.2.1. From the metadata alone this suggests that version 1.2.1 likely includes minor bug fixes, performance enhancements, or internal code adjustments that account for the slightly larger package. Developers upgrading from 1.2.0 to 1.2.1 can anticipate a smoother, more reliable experience, especially in complex webpack configurations. The shared peerDependencies on webpack versions 2 and 3 indicate compatibility with established webpack projects. Both versions are licensed under the MIT license, which lets developers use and modify the plugin as needed. The author field is "webpack Contrib Team" in both packages, and the repository is the same.
Known vulnerabilities affecting version 1.2.1 of the package through its dependencies
Regular Expression Denial of Service (ReDoS)
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 process SRIs using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack. Upgrade to version 3.1.0 or later.
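The practical question for a consumer of this plugin is whether the installed copies of ssri and serialize-javascript, including nested duplicates, fall inside the ranges named in the three advisories above. The following JavaScript is an added example, not code from this page or from the uglifyjs-webpack-plugin project: it walks a constructed package-lock.json (the lockfileVersion 2 "packages" shape) and reports every installed version that matches the advisories. SAMPLE_LOCK, ADVISORIES, auditLockfile and the helper names are all assumptions of this example; the version ranges and remediations come from the advisory text, read with the ssri ranges as inclusive.

```javascript
// Added example (not part of uglifyjs-webpack-plugin): flag the dependency
// versions named in the advisories above inside a lockfile.
// SAMPLE_LOCK is a constructed package-lock.json (lockfileVersion 2 shape),
// not a real lockfile from any project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/uglifyjs-webpack-plugin": { version: "1.2.1" },
    "node_modules/cacache": { version: "10.0.4" },
    "node_modules/ssri": { version: "5.3.0" },
    "node_modules/serialize-javascript": { version: "1.9.1" },
    // nested copy installed under another plugin; already past the fix
    "node_modules/other-plugin/node_modules/serialize-javascript": { version: "4.0.0" },
  },
};

// The advisories from this page, as lists of constraint sets: a version is
// vulnerable if it satisfies every constraint in at least one set.
const ADVISORIES = [
  {
    pkg: "ssri",
    title: "Regular Expression Denial of Service (strict option only)",
    ranges: [[">=5.2.2", "<=6.0.1"], [">=7.0.0", "<=8.0.0"]],
    remediation: "upgrade past the affected ranges",
  },
  {
    pkg: "serialize-javascript",
    title: "Cross-Site Scripting via unsanitized serialized regular expressions",
    ranges: [["<2.1.1"]],
    remediation: "upgrade to 2.1.1 or later",
  },
  {
    pkg: "serialize-javascript",
    title: "Insecure serialization (deleteFunctions placeholder escape)",
    ranges: [["<3.1.0"]],
    remediation: "upgrade to 3.1.0 or later",
  },
];

// Parse "major.minor.patch"; a pre-release suffix such as "-beta.1" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator result: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// constraint is one of "<X", "<=X", ">X", ">=X", "=X".
function satisfies(version, constraint) {
  const m = /^(<=|>=|<|>|=)(\S+)$/.exec(constraint);
  if (!m) throw new Error(`bad constraint: ${constraint}`);
  const c = compareVersions(version, m[2]);
  switch (m[1]) {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

function isVulnerable(version, advisory) {
  return advisory.ranges.some((set) => set.every((cons) => satisfies(version, cons)));
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Walk every installed copy (nested duplicates included) and collect matches.
function auditLockfile(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    for (const adv of advisories) {
      if (adv.pkg === name && isVulnerable(entry.version, adv)) {
        findings.push({ path: lockPath, version: entry.version, title: adv.title, remediation: adv.remediation });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  // For a real project: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.path}@${f.version}: ${f.title} (${f.remediation})`);
  }
}
```

Running it on the constructed lockfile reports ssri 5.3.0 once and the top-level serialize-javascript 1.9.1 twice (both advisories apply), while the nested 4.0.0 copy is clean; scanning every path rather than only top-level entries matters because npm keeps older copies nested under whichever dependency pinned them.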