Webpack version 4.36.1 is a patch release following closely after 4.36.0, both versions continuing the evolution of this popular JavaScript module bundler. Developers migrating between these two versions will find mostly bug fixes and very minor internal adjustments. The core functionality for bundling CommonJS, AMD modules, and other asset types remains consistent, so existing webpack configurations should largely remain compatible.
Both versions support modern features such as code splitting, loaders for various file types (JSON, CSS, ESNext), and plugin integrations for tasks like optimization and code transformation. The dependency lists of the two versions are almost identical, which suggests that the update primarily addresses stability and edge-case fixes rather than introducing new features or significantly altering existing ones. Key dependencies such as terser-webpack-plugin for code minification and webpack-sources for source map generation remain the same, so the core build pipeline functions as before.
For developers, upgrading from 4.36.0 to 4.36.1 is recommended in order to benefit from the latest stability improvements. The webpack 4 changelog on the official repository gives more precise insight into which specific bugs were addressed. Because the feature set is unchanged, there are no new functionalities to learn and no breaking changes to adapt to, making this a relatively painless upgrade that can improve the reliability of the webpack build process.
All vulnerabilities related to version 4.36.1 of the package
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking over the input for as long as it does not find the closing bracket. As the input size increases, the processing time increases with it until the application hangs or slows down. There was a merged fix, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that keeps allocating heap memory without freeing any of it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
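Both advisories above share a root cause: untrusted, unbounded brace patterns reaching the expander. As an added example (not code from webpack, micromatch or braces), the following JavaScript guard rejects oversized, too deeply nested or imbalanced brace patterns before they are handed to a brace expander; the limits, the function name and the sample patterns are constructed for illustration.

```javascript
// Added example: pre-validation guard for user-supplied brace/glob patterns.
// Not part of webpack, micromatch or braces; limits below are constructed.
const DEFAULT_LIMITS = {
  maxLength: 1024, // constructed cap on pattern length (bounds ReDoS/memory cost)
  maxNesting: 8,   // constructed cap on nested "{...{...}}" depth
};

// Returns { ok, reason, maxDepth } without ever calling the expander, so a
// rejected pattern never triggers the backtracking or allocation loop.
function checkBracePattern(pattern, limits = {}) {
  const { maxLength, maxNesting } = Object.assign({}, DEFAULT_LIMITS, limits);
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'not a string', maxDepth: 0 };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: 'too long', maxDepth: 0 };
  }
  let depth = 0;
  let maxDepth = 0;
  for (let i = 0; i < pattern.length; i += 1) {
    const ch = pattern[i];
    if (ch === '\\') {
      i += 1; // backslash escapes the next character, so "\{" is a literal
      continue;
    }
    if (ch === '{') {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
      if (depth > maxNesting) {
        return { ok: false, reason: 'nesting too deep', maxDepth };
      }
    } else if (ch === '}') {
      if (depth === 0) {
        return { ok: false, reason: 'unbalanced: unexpected "}"', maxDepth };
      }
      depth -= 1;
    }
  }
  if (depth !== 0) {
    return { ok: false, reason: 'unbalanced: unclosed "{"', maxDepth };
  }
  return { ok: true, reason: null, maxDepth };
}

// Constructed sample inputs: a normal glob, an unclosed brace, an escaped brace.
const SAMPLE_PATTERNS = ['src/{a,b}/*.js', '{a,b', '\\{literal}'];
const SAMPLE_RESULTS = SAMPLE_PATTERNS.map((p) => [p, checkBracePattern(p)]);
```

Call checkBracePattern on any pattern that originates outside the build configuration (CLI arguments, plugin options from a config file you do not control) and only pass patterns with ok === true to the expander.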