The Workbox webpack plugin has evolved from version 3.6.3 to 4.0.0, bringing notable modifications for developers who use webpack for service worker integration. The primary function remains the same: generating a manifest of local files for precaching within a service worker context. Under the hood, however, there are differences.
A crucial shift involves dependency management. Version 4.0.0 adopts @babel/runtime (version ^7.0.0), replacing the babel-runtime (^6.26.0) used in version 3.6.3. This change signifies a move towards more modern Babel runtime support. Both versions rely on workbox-build for core functionality, with that dependency kept in sync with the plugin's own major version, which may indicate new APIs or adapted behaviours. The use of json-stable-stringify, however, remains consistent across both versions.
Beyond dependencies, the license changes from Apache-2.0 in version 3.6.3 to MIT in version 4.0.0, a point worth noting for projects with specific licensing requirements. The unpacked size of the plugin has been considerably reduced, from 64462 to 38472 bytes.
Finally, developers should note the release dates, roughly four months apart. Updating to version 4.0.0 means adopting the newer APIs and improvements delivered with it, while also evaluating the impact of the Babel runtime upgrade on the overall build process. Given that the webpack peer dependency (^2.0.0 || ^3.0.0 || ^4.0.0) is the same in both versions, they should work well in existing projects.
All the vulnerabilities related to version 4.0.0 of the package
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.