UglifyJS Webpack Plugin version 2.2.0 introduces several updates compared to its predecessor, version 2.1.3, which matter to developers using the plugin to minify code in their Webpack builds. The most notable change is in its runtime dependencies: version 2.2.0 adopts newer versions of key packages, including cacache (v12.0.2, up from v11.3.2), uglify-js (v3.6.0, up from v3.5.12) and webpack-sources (v1.4.0, up from v1.3.0). These upgrades bring whatever performance improvements, bug fixes and new features the underlying libraries shipped in between. Of the three, uglify-js is the minifier that actually runs in user builds, so its bump is the one most likely to change emitted output and the one to diff against first.
The development dependencies also see significant updates. Babel-related packages (@babel/cli, @babel/core, @babel/preset-env), ESLint, Prettier and Terser are all upgraded, Terser from v3.17.0 to v4.1.2 and Webpack from v4.31.0 to v4.38.0. Because these are development dependencies, they affect the plugin's own build and test suite rather than what a consumer installs: the Terser bump in particular does not change how user code is minified, since the plugin minifies with uglify-js, not Terser. The Webpack version a consumer is expected to provide is a separate matter and should be read from the plugin's peerDependencies field rather than from this devDependency bump.
The changelog also lists improvements to cache invalidation, more reliable handling of edge cases and better error reporting. The gap between the two release dates implies a number of accumulated bug fixes and feature enhancements, so developers should review the complete changelog before upgrading. For those prioritising stability, test the updated version against your own Webpack configuration before deploying it, and do at least one comparison build with the plugin's cache cleared: because cache invalidation changed between the versions, a build that passes on stale cached output is not evidence that the new uglify-js produces the same result.
All vulnerabilities affecting version 2.2.0 of the package
Both advisories below are in serialize-javascript, a runtime dependency of the plugin, so npm audit reports them for a project that pins uglifyjs-webpack-plugin 2.2.0 even though the plugin itself is not the vulnerable code. Whether they are exploitable in a given build depends on whether attacker-controlled values ever reach serialize(), which is unusual in a build pipeline, but the clean fix is still to move to a plugin release (or a forced resolution) that satisfies the fixed versions named below, then confirm the version actually installed with npm ls serialize-javascript.
Cross-Site Scripting in serialize-javascript
Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS): the package does not sanitize the source of serialized regular expressions, so a regular expression carrying attacker-chosen characters reaches the output unescaped. This vulnerability does not affect Node.js applications; it matters when the serialized output is inlined into HTML that is served to browsers, not when it is only consumed server-side, as a build-time cache key is.
Upgrade to version 2.1.1 or later.
Insecure serialization leading to RCE in serialize-javascript
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js" (this is the wording of the upstream advisory).
The root cause is the placeholder scheme the library relies on: values that JSON cannot carry, such as regular expressions, are first replaced inside the JSON text by tokens of the form @__R-<UID>-<index>__@ and then swapped back for their original source text. An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} (where \" is an escaped quote inside the bar string) was serialized as {"foo": /1"/, "bar": "a\/1"/}: the token inside bar was substituted as well, the raw regex literal was pasted into the middle of a string, and its unescaped quote terminates the bar string, which allows an attacker to escape the bar key and continue with arbitrary JavaScript. This requires the attacker to control the values of both foo and bar and to guess the value of <UID>. The UID has a keyspace of approximately 4 billion, which is small enough to make a network attack realistic. Upgrade to version 3.1.0 or later: the fix leaves a token alone when it is preceded by a backslash, that is, when it sits inside a string value rather than standing in for a value.
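The substitution described above, as an added example that is not serialize-javascript's own code: a stripped-down model of the library's placeholder scheme, limited to RegExp values, switchable between the vulnerable behaviour and the 3.1.0 fix, run over the advisory's object. The UID deadbeef, the wrong guess cafebabe and the names placeholderSerialize, vulnerableOutput, fixedOutput, vulnerableWithGuess and evaluates are assumptions made for this example; the real library generates its UID at load time and handles many more value types.

```javascript
// Added example (not serialize-javascript's own code): a minimal model of the
// library's placeholder scheme, restricted to RegExp values, with a switch
// between the vulnerable behaviour and the 3.1.0 fix.
function placeholderSerialize(obj, uid, { fixed }) {
  const regexps = [];

  // Pass 1: JSON.stringify with a replacer that swaps each RegExp for a
  // token carrying the UID and the value's index in `regexps`.
  const json = JSON.stringify(obj, function (key, value) {
    const orig = this[key];
    if (orig instanceof RegExp) {
      return `@__R-${uid}-${regexps.push(orig) - 1}__@`;
    }
    return value;
  });

  // Pass 2: swap the quoted tokens back for regex literals.
  // Vulnerable: match the quoted token anywhere in the JSON text.
  // Fixed: also capture an optional preceding backslash; a token preceded by
  // a backslash follows an escaped quote, so it is the content of a string
  // value rather than a placeholder, and must be left untouched.
  const pattern = fixed
    ? new RegExp(`(\\\\)?"@__R-${uid}-(\\d+)__@"`, 'g')
    : new RegExp(`"@__R-${uid}-(\\d+)__@"`, 'g');

  return json.replace(pattern, (match, g1, g2) => {
    const backslash = fixed ? g1 : undefined;
    const index = fixed ? g2 : g1;
    if (backslash) return match;
    return regexps[Number(index)].toString();
  });
}

// Constructed input: the advisory's object, with a hypothetical UID standing
// in for the value the attacker would have to guess. In the real library the
// attacker does not know the UID in advance.
const UID = 'deadbeef';
const advisoryObject = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };

function vulnerableOutput() {
  return placeholderSerialize(advisoryObject, UID, { fixed: false });
}

function fixedOutput() {
  return placeholderSerialize(advisoryObject, UID, { fixed: true });
}

// The same attack with a wrong UID guess: the token in `bar` no longer matches
// the pattern, so nothing is substituted and the output stays well-formed.
function vulnerableWithGuess(guess) {
  const probe = { foo: /1"/, bar: `a"@__R-${guess}-0__@` };
  return placeholderSerialize(probe, UID, { fixed: false });
}

// Parse the serialized text as a JavaScript expression, the way a consumer
// of serialize-javascript output would, and report whether it is valid.
function evaluates(src) {
  try {
    return { ok: true, value: new Function(`return (${src});`)() };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

console.log('vulnerable :', vulnerableOutput(), evaluates(vulnerableOutput()));
console.log('fixed      :', fixedOutput(), evaluates(fixedOutput()));
console.log('wrong guess:', vulnerableWithGuess('cafebabe'));
```

With the right UID the vulnerable form emits exactly the string the advisory quotes, {"foo":/1"/,"bar":"a\/1"/}, which is no longer valid JavaScript because the pasted regex literal closes the bar string early; with a wrong UID the attacker's token is just an ordinary string and the output parses back to the original object. The fixed form returns the backslash-preceded match unchanged, so the output round-trips regardless of what the attacker put in bar.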