Webpack-cli version 3.1.2 represents a minor update over the previous stable version 3.1.1, primarily focusing on refinements and improvements to the developer experience. A key difference between the two versions lies in their development dependencies. Version 3.1.2 introduces cz-customizable and @commitlint/config-lerna-scopes as new dev dependencies. The husky version also upgrades from ^0.14.3 to ^1.0.0.
Both versions share the same core dependencies, essential for the CLI's functionality, including chalk for stylized console output, yargs for command-line argument parsing, and cross-spawn for cross-platform process execution. The peer dependency on webpack remains consistent at ^4.x.x, ensuring compatibility with webpack version 4 and highlighting its role as an extension to the core webpack library.
For developers using webpack-cli, this update signifies a continued commitment to stability and enhancement of the command-line tool. While not a major feature release, version 3.1.2 demonstrates the project's ongoing efforts to refine the build process and development workflow, ensuring a smooth and efficient experience for webpack users. The newer version also has a slight increase in unpacked size (160435 vs 156361 bytes) and was released on 2018-09-29, whereas the previous one was released on 2018-09-23. These changes reflect the project's evolution and iterative improvements based on community feedback and development needs.
All the vulnerabilities related to version 3.1.2 of the package:
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument --foo.__proto__.bar baz adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
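To show the mechanism behind this advisory from the defensive side, here is an added JavaScript example that is not yargs-parser's own code: a naive dotted-path option setter through which the argument above reaches Object.prototype, beside a hardened setter that refuses reserved path segments before writing anything, plus a post-parse check for leftover enumerable properties on Object.prototype that a build tool could run as a sanity check. The minimal argument tokenizer, the function names, and the decision to reject constructor and prototype alongside __proto__ are assumptions made for this example, not the library's API.

```javascript
// Added example (not yargs-parser's code): prototype pollution through a
// dotted-path setter, the hardened alternative, and a runtime detection check.

// Path segments that must never be walked or written when setting options.
// (Rejecting "constructor" and "prototype" as well is an assumption of this
// example; the advisory only names __proto__.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Naive setter: walks "a.b.c", creating intermediate objects as needed.
// For "foo.__proto__.bar" the second hop lands on Object.prototype itself,
// so the final assignment pollutes every object in the process.
function unsafeSetPath(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = {};
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: rejects reserved segments up front and only descends into
// the target's own properties, so inherited objects are never reached.
function safeSetPath(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing reserved key "${part}" in option "${dottedKey}"`);
    }
  }
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, parts[i]);
    if (!own || typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = {};
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Minimal "--key value" / "--key=value" tokenizer, constructed for the example.
function parseArgv(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const eq = tok.indexOf('=');
    if (eq !== -1) {
      pairs.push([tok.slice(2, eq), tok.slice(eq + 1)]);
    } else {
      pairs.push([tok.slice(2), argv[i + 1]]);
      i++;
    }
  }
  return pairs;
}

function parseWith(setter, argv) {
  const opts = {};
  for (const [key, value] of parseArgv(argv)) setter(opts, key, value);
  return opts;
}

// Detection: a clean Object.prototype has no enumerable own properties, so any
// key reported here after parsing untrusted arguments is a pollution signal.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Runs both setters on the advisory's argument and reports what happened.
function demo() {
  const argv = ['--foo.__proto__.bar', 'baz']; // constructed input from the advisory
  parseWith(unsafeSetPath, argv);
  const pollutedValue = {}.bar;            // an unrelated fresh object now has "bar"
  const detectedPollution = !prototypeIsClean();
  delete Object.prototype.bar;             // undo so the rest of the process is clean

  let rejected = null;
  try {
    parseWith(safeSetPath, argv);
  } catch (e) {
    rejected = e.message;
  }
  const cleanValue = {}.bar;               // stays undefined with the hardened setter
  return { pollutedValue, detectedPollution, rejected, cleanValue };
}

console.log(demo());
```

The hardened setter fails closed: a single reserved segment anywhere in the key aborts the whole option instead of silently dropping it, which keeps a malformed argument visible in logs. The prototypeIsClean check is cheap enough to run once after argument parsing in a CI wrapper as a tripwire.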
global-modules-path Command Injection vulnerability
Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization and the absence of other checks or sandboxing around the getPath function.