uglifyjs-webpack-plugin is the Webpack plugin that minifies JavaScript bundles, reducing file sizes and page load times. Versions 1.2.6 and 1.2.5 declare identical dependencies and devDependencies, so the tooling around the plugin did not move between the two releases. The core dependencies are the same in both: uglify-es (the minifier for ES2015+ code), webpack-sources (access to Webpack's asset system) and cacache (the on-disk cache). The peer dependency on webpack 2, 3 and 4 is also unchanged, so the supported Webpack range is the same and the upgrade requires no change to an existing Webpack configuration.
The two versions differ in release date and unpacked size. Version 1.2.6 was published on June 20, 2018; version 1.2.5 on April 18, 2018. The unpacked size grew slightly, from 54,135 to 55,663 bytes, which is consistent with a small bug fix or minor change to the plugin's own code but, on its own, says nothing about what changed.
For most projects, moving from 1.2.5 to 1.2.6 is a low-risk upgrade: the dependency tree is identical, so behaviour can only have changed in the plugin's own code. Check the project's changelog and release notes for the specific fixes and any migration notes before upgrading.
Known vulnerabilities affecting version 1.2.6 of the package. None of them is in the plugin's own code; each is in a package it depends on (ssri and serialize-javascript), so the remedy is to pull in a patched version of that dependency, for example by refreshing the lockfile or overriding the nested version.
Regular Expression Denial of Service (ReDoS)
ssri versions 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0 validate Subresource Integrity (SRI) strings with a regular expression that is subject to catastrophic backtracking. A crafted SRI string can take an extremely long time to process, causing a denial of service. Only consumers that enable the strict option are affected. Fixed in ssri 6.0.2 and 8.0.1.
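The following is an added example, not ssri's own code. It builds a strict-mode SRI matcher with the nested-quantifier shape the advisory describes (the pattern is constructed for this illustration, not copied from ssri), times it on a hostile input, and shows a parser that validates the same format in linear time by splitting on the first `?` and using only anchored, non-nested patterns. The digest class, the sample SRI strings and the timing helper are all constructed here.

```javascript
// Added example (not ssri's code): a strict-mode SRI matcher with the
// nested-quantifier shape the advisory describes, beside a linear-time parser.
// The pattern below is constructed for this illustration, not copied from ssri.
const DIGEST_CLASS = '[A-Za-z0-9+/=]{44,88}';

// Catastrophic-backtracking shape: '?' is itself inside [\x21-\x7E], so a run of
// '?' characters can be split between the group's '\?' and its '[...]*' in
// exponentially many ways before the final '$' fails on a bad trailing byte.
const STRICT_NAIVE = new RegExp('^([^-]+)-(' + DIGEST_CLASS + ')(\\?[\\x21-\\x7E]*)*$');

function matchStrictNaive(sri) {
  return STRICT_NAIVE.test(sri);
}

// Hardened version: split once on the first '?', then validate each piece with
// anchored patterns that contain no nested quantifiers. Algorithm names are
// restricted to [A-Za-z0-9]+ here, stricter than the naive pattern's [^-]+.
const HEAD_RE = new RegExp('^([A-Za-z0-9]+)-(' + DIGEST_CLASS + ')$');
const OPTIONS_RE = /^[\x21-\x7E]*$/;

function parseSriStrict(sri) {
  const q = sri.indexOf('?');
  const head = q === -1 ? sri : sri.slice(0, q);
  const tail = q === -1 ? '' : sri.slice(q + 1);
  const m = HEAD_RE.exec(head);
  if (m === null) return null;
  if (!OPTIONS_RE.test(tail)) return null; // one linear scan over the options
  return {
    algorithm: m[1],
    digest: m[2],
    options: q === -1 ? [] : tail.split('?'),
  };
}

// Constructed inputs: a well-formed sha512-shaped SRI and a hostile one that
// ends in a run of '?' followed by a space (outside [\x21-\x7E]) so the match
// must fail after exploring every way of grouping the '?' characters.
const DIGEST = 'A'.repeat(86) + '==';
const GOOD_SRI = 'sha512-' + DIGEST + '?foo?bar=1';
function evilSri(n) {
  return 'sha512-' + DIGEST + '?'.repeat(n) + ' ';
}

// Milliseconds a matcher spends on evilSri(n).
function timeMatcher(fn, n) {
  const start = Date.now();
  fn(evilSri(n));
  return Date.now() - start;
}

console.log('naive accepts GOOD_SRI:', matchStrictNaive(GOOD_SRI));
console.log('hardened parse:', parseSriStrict(GOOD_SRI));
for (const n of [12, 16, 20]) {
  console.log(`n=${n}: naive ${timeMatcher(matchStrictNaive, n)} ms, ` +
              `hardened ${timeMatcher(parseSriStrict, n)} ms`);
}
```

The naive matcher's time roughly doubles with every extra `?` in the hostile input, while the split-then-validate parser stays flat, because no position in the input is ever re-examined. The same split-on-delimiter approach applies to any validator whose grammar nests a repeated group inside another repeat.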
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS): the package fails to sanitize the source of serialized regular expressions, so regex content can inject markup or script when the serialized output is embedded in an HTML page. Node.js applications that only consume the output themselves are not affected.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". The serializer replaces values that JSON cannot carry, such as regular expressions, with placeholder tokens before calling JSON.stringify, then substitutes the original source back into the JSON text. A string value that happens to contain such a token is substituted as well.
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} is serialized as {"foo": /1"/, "bar": "a\/1"/}: the regex source /1"/ lands inside the string, and its unescaped quote closes the bar value, so whatever follows is parsed as code. The attacker must control the values of both foo and bar and guess the value of <UID>; the UID has a keyspace of approximately 4 billion, which makes brute-forcing it over the network realistic. Upgrade to version 3.1.0 or later.