UglifyJS Webpack Plugin (uglifyjs-webpack-plugin) wraps UglifyJS as a Webpack minifier, shrinking bundles by stripping whitespace, mangling names and applying compression passes. Version 2.0.0 differs from the previous stable release, 1.3.0, in several ways. The most visible is the minification engine: where 1.3.0 shipped both uglify-es and uglify-js, 2.0.0 depends on uglify-js alone (^3.4.9). uglify-js 3.4.x parses ES5 only, so a project whose bundles contain ES2015+ syntax must transpile before minification or use a terser-based plugin instead; the drop of uglify-es reflects that branch no longer being maintained.
The Webpack peer dependency is narrowed as well: 2.0.0 requires Webpack "^4.3.0", while 1.3.0 accepted "^2.0.0 || ^3.0.0 || ^4.0.0", so projects still on Webpack 2 or 3 cannot move to 2.0.0 without first upgrading Webpack. Development dependencies change considerably, adding @commitlint/cli, @commitlint/config-conventional, @webpack-contrib/eslint-config-webpack, husky, lint-staged and prettier, which standardize linting, formatting and commit-message checks in the project's own workflow; none of these reach consumers of the package.
Runtime dependencies such as cacache and schema-utils are updated, and nsp is dropped from the toolchain (the Node Security Platform CLI was retired after npm acquired it in 2018, with `npm audit` taking over that role). terser is listed as a dev dependency in both versions. For consumers, the practical effect of 2.0.0 is a minification pipeline tied to Webpack 4. For anyone auditing the dependency tree, the runtime dependency that matters is serialize-javascript, which the plugin pulls in and which is the subject of the advisories below.
Known vulnerabilities affecting version 2.0.0 of the package (both through its serialize-javascript dependency)
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS, CVE-2019-16769). The package fails to sanitize serialized regular expressions: a RegExp is written into the output as its literal source text, so characters such as `<`, `>` and `/`, which the package escapes in ordinary string values, pass through untouched when the serialized result is embedded in a `<script>` block. This vulnerability does not affect Node.js applications, where the output is never rendered into HTML.
Upgrade to version 2.1.1 or later. Check which version actually resolves in your build with `npm ls serialize-javascript`: the plugin's own dependency range decides what gets installed, so an override or resolution in your package.json may be needed to pull in a fixed release.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 (CVE-2020-7660) allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
The root cause is the placeholder scheme the package uses: during JSON.stringify, a replacer swaps each regular expression for a marker string of the form "@__R-<UID>-<index>__@", and afterwards every quoted marker in the JSON text is replaced with the regex source. An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was therefore serialized as {"foo": /1"/, "bar": "a\/1"/}: the escaped quote in bar followed by the attacker's marker looks like a genuine placeholder, so the replacement consumes bar's closing quote and splices in the regex, whose own quote ends the string early. Everything after that point is parsed as JavaScript rather than as string content, which is how the attacker escapes the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, which makes repeated guessing over the network a realistic attack.
Upgrade to version 3.1.0 or later.
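The following is an added example, written for this page and not serialize-javascript's own code: a toy copy of the placeholder scheme behind both advisories above, with the pre-fix and post-fix replacement step side by side. It reproduces the exact output the RCE advisory quotes, shows that the hardened path leaves the smuggled marker alone, and shows the regex sanitization the XSS advisory is about. The function names, the fixed `DEMO_UID` value (the real library draws a random UID per process, which is what an attacker has to guess) and the payloads are assumptions made for the demo; the hardened branch is my reading of the upstream fixes, not their code.

```javascript
// Constructed demo of serialize-javascript's marker scheme (not the library's code).

// Characters serialize-javascript escapes in string output so the result can sit
// inside a <script> block. The vulnerable path never applied this to regexes.
const UNSAFE_CHARS = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function escapeUnsafeChars(str) {
  return str.replace(/[<>\/\u2028\u2029]/g, (c) => UNSAFE_CHARS[c]);
}

// Serialize `obj` the way the advisories describe: JSON.stringify with a replacer
// that swaps each RegExp for "@__R-<uid>-<n>__@", then a textual pass that turns
// each marker back into JavaScript. `uid` is a parameter here (assumption for the
// demo) so the caller can play the attacker who has guessed it.
function serialize(obj, uid, { hardened }) {
  const regexps = [];
  const json = JSON.stringify(obj, function (key, value) {
    const orig = this[key]; // `this` is the holder object; JSON.stringify turns a RegExp into {}
    if (orig instanceof RegExp) {
      return '@__R-' + uid + '-' + (regexps.push(orig) - 1) + '__@';
    }
    return value;
  });

  if (!hardened) {
    // Pre-fix behaviour: every quoted marker in the JSON text is replaced, including
    // one an attacker smuggled in as string content, and the regex text goes in verbatim.
    const marker = new RegExp('"@__R-' + uid + '-(\\d+)__@"', 'g');
    return json.replace(marker, (m, i) => (regexps[i] ? regexps[i].toString() : 'undefined'));
  }

  // Post-fix behaviour (my reading of the 2.1.1 and 3.1.0 fixes; the real code differs):
  // a marker preceded by a backslash is an escaped quote inside a string and is left
  // alone, and the regex is rebuilt with new RegExp(...) from an escaped source string.
  const marker = new RegExp('(\\\\)?"@__R-' + uid + '-(\\d+)__@"', 'g');
  return json.replace(marker, (m, backslash, i) => {
    if (backslash) return m;
    const re = regexps[i];
    if (!re) return 'undefined';
    return 'new RegExp(' + escapeUnsafeChars(JSON.stringify(re.source)) + ', "' + re.flags + '")';
  });
}

// Evaluate serialized output as JavaScript, as a consumer of the output would.
function evaluate(code) {
  return new Function('return ' + code)();
}

// The object from the advisory: the attacker controls `foo` (a regex whose text
// contains a quote) and `bar` (a string carrying a marker built from the guessed UID).
const DEMO_UID = 'abc123'; // assumption: a UID the attacker has guessed correctly
function advisoryPayload(uid) {
  return { foo: /1"/, bar: 'a"@__R-' + uid + '-0__@' };
}

const vulnerable = serialize(advisoryPayload(DEMO_UID), DEMO_UID, { hardened: false });
const hardened = serialize(advisoryPayload(DEMO_UID), DEMO_UID, { hardened: true });
console.log('vulnerable:', vulnerable); // {"foo":/1"/,"bar":"a\/1"/}  <- bar's string is cut open
console.log('hardened:  ', hardened);   // {"foo":new RegExp("1\"", ""),"bar":"a\"@__R-abc123-0__@"}
console.log('regex, vulnerable:', serialize({ re: /<\/script>/ }, DEMO_UID, { hardened: false })); // {"re":/<\/script>/}
console.log('regex, hardened:  ', serialize({ re: /<\/script>/ }, DEMO_UID, { hardened: true }));  // no raw < > / in output
```

Evaluating the vulnerable output throws a SyntaxError, because `"a\/1"` closes bar's string and the remaining `/}` is parsed as code; an attacker who controls what follows in the page turns that into execution. The hardened output evaluates back to an object whose `foo` is a RegExp with source `1"` and whose `bar` is the original string. Note that the backslash check only protects the string boundary: in this toy, a string value that is exactly a marker would still be swapped for a regex, so an unguessable UID remains part of the defence, which is why the advisory's 4-billion keyspace matters.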