UglifyJS Webpack Plugin streamlines JavaScript code optimization within Webpack builds. Version 2.0.1 follows closely on the heels of version 2.0.0, offering subtle yet potentially important refinements. The key difference lies in the uglify-js dependency: version 2.0.0 relies on uglify-js version 3.4.9, whereas version 2.0.1 pins uglify-js version 3.0.0. That is a move back to an older version, but it likely carries some crucial fix that warranted the bump. Developers should check the uglify-js release notes to learn about possible differences between the two.
Both versions share a common foundation, utilizing dependencies like cacache for robust caching, find-cache-dir for efficient cache directory location, and webpack-sources for source manipulation. These dependencies ensure optimal performance and compatibility within the Webpack ecosystem. The unchanged peerDependencies entry for webpack "^4.3.0" states the plugin's supported Webpack range explicitly, so integration with a supported Webpack setup is expected to work the same in both versions.
For development workflows, both versions offer a comprehensive suite of devDependencies, including tools for linting (eslint), commit standardization (@commitlint), testing (jest), and code formatting (prettier). This robust toolchain simplifies contribution and ensures code quality, making it easier to maintain and extend the plugin. When upgrading, thoroughly test your Webpack builds to confirm that the updated uglify-js dependency does not introduce any unintended side effects or compatibility regressions in your project.
All the vulnerabilities related to version 2.0.1 of the package
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, making it a realistic network attack.