Webpack version 0.4.18 represents a minor iteration over its predecessor, version 0.4.17, both designed for bundling CommonJs modules for browser use. The core functionality remains consistent: enabling developers to split codebases into manageable bundles that load on demand. This is especially helpful for optimizing website performance and improving user experience by serving only the necessary code for each page or interaction. Both versions provide out-of-the-box support for a wide array of file types including JavaScript, JSON, Jade (now Pug), CoffeeScript, and CSS. Furthermore, they enable extension through custom loaders, expanding the range of supported file formats and pre-processing capabilities, important for different project requirements.
The dependency lists are identical; both versions rely on the same set of tools like Esprima for JavaScript parsing, Uglify-js for code minification, and various loaders for CSS, raw files, files, Jade templates, JSON, LESS, styles, bundles, CoffeeScript, and scripts. Development dependencies like Mocha and Should.js remain consistent for testing.
The primary discernible difference between the two versions lies in their release dates. Version 0.4.18 was published on July 11, 2012, at 10:27:08.725Z, while version 0.4.17 was released only minutes earlier on the same day at 10:18:47.738Z. Given the very short time delta between the two versions, the changes between 0.4.17 and 0.4.18 were likely minor bug fixes or optimizations, mostly unnoticeable. Developers should always check the detailed changelog for specifics, although for such a small increment and old version checking the changelog might be difficult. Due to the minimal differences and the age of these versions, modern webpack users should consider migrating to the newest stable releases for the newest features.
All the vulnerabilities related to the version 0.4.18 of the package
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.
Regular Expression Denial of Service in clean-css
Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Upgrade to version 4.1.11 or higher.
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople
Versions of constantinople prior to 3.1.1 are vulnerable to a sandbox bypass which can lead to arbitrary code execution.
Update to version 3.1.1 or later.