Webpack Manifest Plugin versions 0.2.0 and 0.3.0, both MIT-licensed, generate an asset manifest for webpack builds: a mapping from each original asset name to the (typically hashed) filename webpack emits, which is what cache busting and long-term caching setups need in production. Both versions share the same runtime dependency, Lodash, and the same development dependencies: Rimraf for file removal, Jasmine for testing, css-loader and style-loader, and ExtractTextWebpackPlugin for extracting CSS into separate files.
The two releases are a month apart: version 0.2.0 on June 7, 2015 and version 0.3.0 on July 2, 2015. The available data does not describe the functional changes between them. If you are on 0.2.0, 0.3.0 is the later stable release and the one to prefer, but note that the vulnerabilities listed below are in the Lodash dependency and are not fixed by moving from 0.2.0 to 0.3.0.
For developers, the plugin slots into an existing webpack configuration and writes a manifest.json mapping each source asset name to its emitted output name. Server-side code can read that file to render the current asset URLs, so a rebuilt asset is always referenced by its new name and stale browser caches are bypassed; this is what makes long-term caching workable. Version 0.3.0 requires Lodash v3.5.0 or higher. Keep in mind that every advisory below is fixed only in a Lodash 4.17.x release, so a Lodash 3.x install (the last 3.x release was 3.10.1) satisfies the plugin's requirement while containing none of the fixes; run npm ls lodash to see which version actually resolved in your tree. Practical exposure also depends on whether untrusted input ever reaches the affected Lodash functions, which is unusual for a build-time plugin, but a dependency audit will still flag these findings.
Vulnerabilities affecting version 0.3.0 of the package (all inherited from its Lodash dependency)
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Update to version 4.17.21 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property to, or modifying an existing property on, every object in the process.
Update to version 4.17.11 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution.
The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via a __proto__ key in the merged input, adding a property to, or modifying an existing property on, every object in the process.
Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, adding a property to, or modifying an existing property on, every object in the process.
Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers (paths such as '__proto__.x') are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property names or path arrays.
This vulnerability adds a property to, or modifies an existing property on, every object, and may lead to Denial of Service or Code Execution under specific circumstances.
Update to version 4.17.19 or later.
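The three pollution vectors named in the advisories above (a __proto__ key, a constructor.prototype chain fed to a deep merge, and a user-supplied path fed to a setter) are easiest to understand in a toy reproduction. The block below is an added example and is not lodash's or webpack-manifest-plugin's own code: it contains a minimal recursive merge and a minimal path setter with the same defect the advisories describe, each beside a hardened version. The payloads are constructed for the example; the names unsafeMerge, safeMerge, unsafeSetPath, safeSetPath and demonstrate are the example's own.

```javascript
// Added example (not lodash's or webpack-manifest-plugin's own code): a toy
// recursive merge and a toy path setter that share the defect described in the
// advisories, each beside a hardened version, with constructed attacker payloads.

// Lodash-style "object-like" test: functions count as objects, which is why
// `constructor` (a function) can be recursed into on the way to `prototype`.
function isObjectLike(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: recurses into whatever `target[key]` already is, so a key of
// "__proto__" lands on Object.prototype, and "constructor" -> "prototype"
// walks Object -> Object.prototype. Keys come straight from attacker JSON.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: drops the three dangerous keys and only recurses into plain
// objects the target actually owns, never into values inherited via the chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!own) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// VULNERABLE path setter in the style of set/setWith/zipObjectDeep: the path
// segments are attacker-controlled, so "__proto__.isAdmin" pollutes everything.
function unsafeSetPath(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isObjectLike(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// HARDENED: refuse any segment that names a prototype hop, and shadow rather
// than walk into inherited values (e.g. "toString.x" must not touch a shared function).
function safeSetPath(obj, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => UNSAFE_KEYS.has(p))) {
    throw new TypeError(`refusing to set prototype path: ${path}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]) && isPlainObject(cur[parts[i]]);
    if (!own) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs each vector on a fresh object and reports whether an unrelated, freshly
// created object was affected, cleaning Object.prototype up after every step.
function demonstrate() {
  const r = {};
  // Constructed payloads shaped like a JSON request body an app might merge into
  // a config or user record. JSON.parse creates an own "__proto__" key.
  const viaProto = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const viaCtor = JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}');

  unsafeMerge({}, viaProto);
  r.unsafeMergeViaProto = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  unsafeMerge({}, viaCtor);
  r.unsafeMergeViaConstructor = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  const merged = safeMerge({ a: 1 }, viaProto);
  safeMerge(merged, viaCtor);
  r.safeMergeStaysClean = ({}).isAdmin === undefined && merged.a === 1;

  unsafeSetPath({}, '__proto__.isAdmin', true);
  r.unsafeSetViaProto = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  let rejected = false;
  try { safeSetPath({}, '__proto__.isAdmin', true); } catch (e) { rejected = e instanceof TypeError; }
  r.safeSetRejects = rejected && ({}).isAdmin === undefined;

  r.safeSetNormalWorks = safeSetPath({}, 'user.role', 'viewer').user.role === 'viewer';
  return r;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
```

Running the file prints an object in which every unsafe* entry is true and every safe* entry is true as well, i.e. the unhardened functions leak isAdmin onto every object while the hardened ones do not. The same check (does a brand-new {} suddenly carry a property after merging untrusted input?) is a cheap regression test to keep beside any code that deep-merges or path-sets from request data, whatever library version is installed.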