🚨 [security] Update webpack 4.41.5 → 4.44.2 (minor) #123

Open
wants to merge 1 commit into
base: master
Conversation

@depfu depfu bot commented Aug 27, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack (4.41.5 → 4.44.2) · Repo

Release Notes

4.44.2

Bugfixes

  • make sure to generate correct chunk connection for blocks that are only connected in some runtimes
    • fixes a bug where filename contains undefined hash at runtime

4.44.1

Bugfixes

  • fix bug in sideEffects optimization when using export * from "non-esm" and a default export.
  • add missing optional peerDependencies for webpack-cli and webpack-command to support Yarn 2

4.44.0

Features

  • Improve sideEffects flag behavior when dynamic modules are part of the tree
    • Fixes a bug which causes empty modules (or type-only modules) to "break" Tree Shaking
  • add splitChunks.enforceSizeThreshold to allow enforced splitting of larger chunks regardless of other limitations
    • Not set by default to avoid breaking change
    • It will be set by default to 50k in webpack 5
    • It's recommended to set it in webpack 4 too
  • add support for resolve.roots and default resolve.roots: [context]
    • This allows server-relative URLs (e.g. /src/abc) to be resolved against the project root (or other locations when configured)
    • This allows the use of loaders that rely on that behavior

Bugfixes

  • fix bug where splitChunks produced non-optimal results when minSize is set to 0
    • This led to NaNs in some places, which breaks ordering
  • Fix bug which led to HMR not working for splitChunks in entrypoints
  • force update watchpack and chokidar for a chokidar bugfix which caused files to stop being watched

4.43.0

Features

  • add module.hot.invalidate() to HMR API

Dependencies

  • push versions for forced security updates

4.42.1

Bugfixes

  • update webassemblyjs dependencies for instruction update
  • update mkdirp dependency for security reasons

4.42.0

Bugfixes

  • Disable constant replacements in "use asm" scope
  • Update schema to disallow functions for output.hotUpdateChunkFilename as this doesn't work
  • Hoist exports in concatenated module to handle circular references with non-concatenated modules correctly
  • Flag all modules as used in DLLs to fix missing exports

4.41.6

Bugfixes

  • Windows network paths are considered as absolute paths
  • fix hanging of FlagDependencyExportsPlugin when using export * in a circular manner


↗️ acorn (indirect, 6.4.0 → 6.4.2) · Repo

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Acorn

Affected versions of acorn are vulnerable to Regular Expression Denial of Service.
A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop.
The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
If an application processes untrusted input and passes it directly to acorn,
attackers may leverage the vulnerability leading to Denial of Service.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ assert (indirect, 1.5.0 → 1.5.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bn.js (indirect, 4.11.8 → 5.2.1) · Repo · Changelog

Release Notes

5.2.1

  • fix: serious issue in .toString(16) (#295)

5.2.0 (from changelog)

  • fix: Buffer not using global in browser (#260)
  • Fix LE constructor for HEX (#265)

5.1.3

  • Add support for defined but not implemented Symbol.for (#252)

5.1.2

  • Fix BN v5/v4 interoperability issue (#249)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ browserify-rsa (indirect, 4.0.1 → 4.1.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ browserify-sign (indirect, 4.0.4 → 4.2.3) · Repo · Changelog

Security Advisories 🚨

🚨 browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack

Summary

An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.

Details

In the dsaVerify function, the signature is checked for validity by calling the function checkValue, namely, whether r and s are both in the interval [1, q - 1]. However, the second line of the checkValue function wrongly checks the upper bound of the passed parameters, since the value of b.cmp(q) can only be 0, 1 or -1, and it can never be greater than q.

In this way, although s cannot be 0, an attacker can achieve the same effect as zero by setting it to q, and then send (r, s) = (1, q) to pass the verification of any public key.

Impact

All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.

Fix PR:

Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip

Release Notes

4.2.3 (from changelog)

Commits

  • [patch] widen support to 0.12 9247adf
  • [patch] drop minimum node support to v1 4d0ee49
  • [Dev Deps] update aud, npmignore, tape 87f3a35
  • [actions] remove redundant finisher 37a4758
  • [Deps] pin hash-base to ~3.0, due to a breaking change 9e2bf12
  • [Deps] update parse-asn1 f427270
  • [Deps] update elliptic fb261ce
  • [Deps] pin elliptic due to a breaking change 168e16f

4.2.2 (from changelog)

Fixed

  • [Tests] log when openssl doesn't support cipher #37

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2
  • [Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb
  • [Dev Deps] update nyc, standard, tape cc5350b
  • [Tests] always run coverage; downgrade nyc 75ce1d5
  • [meta] add safe-publish-latest dcf49ce
  • [Tests] add npm run posttest 75dd8fd
  • [Dev Deps] update tape 3aec038
  • [Tests] skip unsupported schemes 703c83e
  • [Tests] node < 6 lacks array includes 3aa43cf
  • [Dev Deps] fix eslint range 98d4e0d


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cacache (indirect, 12.0.3 → 12.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ chownr (indirect, 1.1.3 → 1.1.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ create-ecdh (indirect, 4.0.3 → 4.0.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ des.js (indirect, 1.0.1 → 1.1.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ elliptic (indirect, 6.5.2 → 6.5.7) · Repo

Security Advisories 🚨

🚨 Elliptic allows BER-encoded signatures

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

🚨 Elliptic's ECDSA missing check for whether leading bit of r and s is zero

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

🚨 Elliptic's EDDSA missing signature length check

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.

🚨 Elliptic Uses a Broken or Risky Cryptographic Algorithm

The npm package elliptic before version 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

🚨 Signature Malleability in elliptic

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ events (indirect, 3.0.0 → 3.3.0) · Repo · Changelog

Release Notes

3.3.0

  • Support EventTarget emitters in events.once from Node.js 12.11.0.

    Now you can use the events.once function with objects that implement the EventTarget interface. This interface is used widely in
    the DOM and other web APIs.

    var events = require('events');
    var assert = require('assert');

    async function connect() {
      var ws = new WebSocket('wss://example.com');
      await events.once(ws, 'open');
      assert(ws.readyState === WebSocket.OPEN);
    }

    async function onClick() {
      await events.once(document.body, 'click');
      alert('you clicked the page!');
    }

3.2.0 (from changelog)

  • Add events.once from Node.js 11.13.0.

    To use this function, Promises must be supported in the environment. Use a polyfill like es6-promise if you support older browsers.

3.1.0

events now matches the Node.js 11.12.0 API.

  • pass through return value in wrapped emitter.once() listeners

    Now, this works:

    emitter.once('myevent', function () { return 1; });
    var listener = emitter.rawListeners('myevent')[0]
    assert(listener() === 1);

    Previously, listener() would return undefined regardless of the implementation.

    Ported from nodejs/node@acc506c

  • Reduce code duplication in listener type check (#67 by @friederbluemle).

  • Improve emitter.once() performance in some engines


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ figgy-pudding (indirect, 3.5.1 → 3.5.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ hash-base (indirect, 3.0.4 → 3.1.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pako (indirect, 1.0.10 → 1.0.11) · Repo · Changelog

Release Notes

1.0.11 (from changelog)

Fixed

  • Fix tests in node.js v12+, #179.


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parse-asn1 (indirect, 5.1.5 → 5.1.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pbkdf2 (indirect, 3.0.17 → 3.1.2) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ serialize-javascript (indirect, 2.1.2 → 4.0.0) · Repo

Security Advisories 🚨

🚨 Insecure serialization leading to RCE in serialize-javascript

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@__R-<UID>-0__@"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

Release Notes

4.0.0

Changelog

  • Bump nyc from 15.0.1 to 15.1.0 (#85)
  • support for bigint (#80)

Behavior changes for BigInt

Since this version, BigInt values are serialized as follows. The result of serialization may change if you are passing BigInt values into serialize-javascript.

v4.x:

const serialize = require('serialize-javascript');

serialize({big: BigInt('10')}); // '{"big":BigInt("10")}'

v3.x:

const serialize = require('serialize-javascript');

serialize({big: BigInt('10')}); // throws error


Thank you @mum-never-proud for this release.

3.1.0

  • Bump mocha from 7.1.2 to 7.2.0 (#83)
  • Bump mocha from 7.1.1 to 7.1.2 (#82)
  • Bump nyc from 15.0.0 to 15.0.1 (#81)
  • Don't replace regex / function placeholders within string literals (#79)
  • [Security] Bump minimist from 1.2.0 to 1.2.5 (#78)
  • Bump mocha from 7.1.0 to 7.1.1 (#77)
  • Bump mocha from 7.0.1 to 7.1.0 (#74)
  • Update example in README (#73)

Note: randombytes has been added as a dependency to improve the generation of UIDs. Check #22 for more information. Thanks to @JordanMilne and @Siebes for this change.

3.0.0

  • Introduce support for Infinity (@vthibault, #72)
  • Bump mocha from 7.0.0 to 7.0.1 (#71)
  • Test on Node.js v12 (@okuryu, #70)
  • Bump mocha from 6.2.2 to 7.0.0 (#69)
  • Bump nyc from 14.1.1 to 15.0.0 (#68)

Behavior changes for Infinity

Since this version, Infinity values are serialized as follows. The result of serialization may change if you are passing Infinity values into serialize-javascript.

v3.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":Infinity}'

v2.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":null}'


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ source-map-support (indirect, 0.5.16 → 0.5.21) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ssri (indirect, 6.0.1 → 6.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service (ReDoS)

npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 process SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

↗️ stream-shift (indirect, 1.0.1 → 1.0.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ terser (indirect, 4.4.3 → 4.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Terser insecure use of regular expressions leads to ReDoS

The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ terser-webpack-plugin (indirect, 1.4.3 → 1.4.6) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ timers-browserify (indirect, 2.0.11 → 2.0.12) · Repo · Changelog

Release Notes

2.0.12 (from changelog)

Fixed

  • Remove .DS_Store from published package
  • Upgrade connect dev dependency


↗️ url (indirect, 0.11.0 → 0.11.4) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ watchpack (indirect, 1.6.0 → 1.7.5) · Repo

Release Notes

1.7.5

Bugfixes

  • removed watchpack-chokidar2 notsup warning

1.7.4

Bugfixes

  • remove unneeded files from package

1.6.1

  • force upgrade chokidar for security reasons


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 call-bind (added, 1.0.7)

🆕 define-data-property (added, 1.1.4)

🆕 es-define-property (added, 1.0.0)

🆕 es-errors (added, 1.3.0)

🆕 get-intrinsic (added, 1.2.4)

🆕 gopd (added, 1.0.1)

🆕 has-property-descriptors (added, 1.0.2)

🆕 has-proto (added, 1.0.3)

🆕 hasown (added, 2.0.2)

🆕 picomatch (added, 2.3.1)

🆕 set-function-length (added, 1.2.2)

🆕 side-channel (added, 1.0.6)

🆕 watchpack-chokidar2 (added, 2.0.1)

🗑️ mamacro (removed)

🗑️ querystring (removed)


@depfu depfu bot added the depfu label Aug 27, 2024
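The browserify-sign advisory in the bot comment above explains why (r, s) = (1, q) verifies under the flawed checkValue but gives no runnable illustration. The toy DSA below is an added example written for this page, not browserify-sign's code: the parameters p = 23, q = 11, g = 4, the private keys, the nonce k and the digest are all constructed for illustration and far too small for real use. The modInv helper deliberately returns 0 for a non-invertible input, which is the behaviour of bn.js's egcd-based invm that the forgery relies on (an assumption read from bn.js, not stated on this page); with that, s = q turns w = s^-1 into 0, both exponents into 0, and v into 1, so r = 1 matches for any public key and any digest.

```javascript
// Toy DSA reproducing the browserify-sign checkValue bound bug (GHSA for
// dsaVerify). Added example, not browserify-sign's code; all parameters are
// constructed for illustration only.

const P = 23n;                     // prime modulus (constructed)
const Q = 11n;                     // prime order of the subgroup (constructed)
const G = 4n;                      // generator of order Q modulo P
const PRIV = 3n;                   // constructed private key

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Extended Euclid. Assumption mirrored from bn.js's egcd-based invm: a value
// congruent to 0 mod m yields 0 instead of throwing, so s = q silently gives w = 0.
function modInv(a, m) {
  let [r0, r1] = [((a % m) + m) % m, m];
  let [s0, s1] = [1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  return r0 === 1n ? ((s0 % m) + m) % m : 0n;
}

// bn.js-style three-way compare: -1, 0 or 1.
function cmp(a, b) {
  return a < b ? -1n : a > b ? 1n : 0n;
}

// Vulnerable check: cmp() is -1/0/1, so `>= q` never holds for q > 1 and any s >= q passes.
function checkValueBuggy(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig');
}

// Corrected check (browserify-sign 4.2.2): reject b >= q, i.e. require 1 <= b <= q - 1.
function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= 0n) throw new Error('invalid sig');
}

function keygen(priv) { return modPow(G, priv, P); }

function sign(hash, priv, k) {
  const r = modPow(G, k, P) % Q;
  const s = (modInv(k, Q) * (hash + priv * r)) % Q;
  return { r, s };
}

// Same shape as the advisory's dsaVerify: range-check s and r, then v = g^(h*w) * y^(r*w) mod p mod q.
function dsaVerify({ r, s }, hash, pub, checkValue) {
  checkValue(s, Q);
  checkValue(r, Q);
  const w = modInv(s, Q);
  const u1 = (hash * w) % Q;
  const u2 = (r * w) % Q;
  const v = ((modPow(G, u1, P) * modPow(pub, u2, P)) % P) % Q;
  return v === r;
}

// true/false from the verifier, or 'rejected' when the range check threw.
function tryVerify(sig, hash, pub, checkValue) {
  try { return dsaVerify(sig, hash, pub, checkValue); } catch (e) { return 'rejected'; }
}

const HASH = 8n;                            // constructed message digest
const PUB = keygen(PRIV);
const OTHER_PUB = keygen(7n);               // unrelated key: the forgery must pass here too
const GENUINE = sign(HASH, PRIV, 2n);       // k = 2, constructed nonce -> (r, s) = (5, 6)
const FORGED = { r: 1n, s: Q };             // the (1, q) signature from the advisory

console.log('genuine, buggy check:', tryVerify(GENUINE, HASH, PUB, checkValueBuggy));
console.log('forged,  buggy check:', tryVerify(FORGED, HASH, PUB, checkValueBuggy));
console.log('forged,  other key  :', tryVerify(FORGED, 5n, OTHER_PUB, checkValueBuggy));
console.log('forged,  fixed check:', tryVerify(FORGED, HASH, PUB, checkValueFixed));
```

The same shape of bug applies to any signature scheme: the range check on r and s is part of the verification, not a formality, and a comparison helper that returns a sign rather than a difference has to be compared against 0.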
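The three elliptic 6.5.6 advisories in the comment above (BER-encoded signatures accepted, no check that r and s carry no superfluous leading zero byte, no EdDSA length check) are all failures to insist on one canonical encoding. A strict DER decoder placed in front of the verifier closes the first two. The decoder below is an added example, not elliptic's code; its test vectors are constructed, and the optional `order` argument (the curve's group order, used for the 1 <= r, s < n range check) is this example's own parameter. The EdDSA case is the same principle, reject anything that is not exactly the expected length, and is not shown.

```javascript
// Strict DER decoder for an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
// Added example, not elliptic's code. Rejects the non-canonical forms the
// elliptic advisories describe: BER length forms, a superfluous 0x00 pad on r
// or s, a missing pad (which would make the integer negative), and extra bytes.
// `order` is optional; when given, r and s must lie in [1, order - 1].
function parseStrictDerSignature(sig, order) {
  const bytes = Uint8Array.from(sig);
  let pos = 0;

  const need = (n) => {
    if (pos + n > bytes.length) throw new Error('truncated');
  };

  // DER length: short form for < 128, otherwise exactly 0x81 followed by one
  // byte >= 0x80. 0x80 (indefinite), 0x81 0x07 (non-minimal) and 0x82+ are BER
  // here, since no ECDSA signature on a curve up to P-521 needs them.
  const readLength = () => {
    need(1);
    const first = bytes[pos++];
    if (first < 0x80) return first;
    if (first !== 0x81) throw new Error('BER length form rejected');
    need(1);
    const len = bytes[pos++];
    if (len < 0x80) throw new Error('non-minimal length encoding');
    return len;
  };

  const readInteger = () => {
    need(1);
    if (bytes[pos++] !== 0x02) throw new Error('expected INTEGER');
    const len = readLength();
    if (len === 0) throw new Error('empty INTEGER');
    need(len);
    const v = bytes.subarray(pos, pos + len);
    pos += len;
    if (v[0] & 0x80) throw new Error('negative INTEGER');     // high bit set needs a 0x00 pad
    if (len > 1 && v[0] === 0x00 && !(v[1] & 0x80)) {
      throw new Error('superfluous leading zero');            // the malleation elliptic missed
    }
    return BigInt('0x' + Array.from(v, (b) => b.toString(16).padStart(2, '0')).join(''));
  };

  need(1);
  if (bytes[pos++] !== 0x30) throw new Error('expected SEQUENCE');
  const seqLen = readLength();
  if (pos + seqLen !== bytes.length) throw new Error('SEQUENCE length does not match input');
  const r = readInteger();
  const s = readInteger();
  if (pos !== bytes.length) throw new Error('trailing bytes inside SEQUENCE');
  if (r === 0n || s === 0n) throw new Error('zero r or s');
  if (order !== undefined && (r >= order || s >= order)) throw new Error('r or s out of range');
  return { r, s };
}

// Verdict wrapper for use as a pre-check before the real verifier.
function classify(sig, order) {
  try {
    const { r, s } = parseStrictDerSignature(sig, order);
    return { ok: true, r, s };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed vectors: r = 1, s = 0x80 (s needs a 0x00 pad byte to stay positive).
const CANONICAL  = [0x30, 0x07, 0x02, 0x01, 0x01, 0x02, 0x02, 0x00, 0x80];
const PADDED_R   = [0x30, 0x08, 0x02, 0x02, 0x00, 0x01, 0x02, 0x02, 0x00, 0x80]; // extra 0x00 on r
const NEGATIVE_S = [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x80];             // pad byte dropped
const BER_LENGTH = [0x30, 0x81, 0x07, 0x02, 0x01, 0x01, 0x02, 0x02, 0x00, 0x80]; // long form for 7
const TRAILING   = [...CANONICAL, 0x00];                                         // byte after SEQUENCE

for (const [name, vec] of Object.entries({ CANONICAL, PADDED_R, NEGATIVE_S, BER_LENGTH, TRAILING })) {
  console.log(name.padEnd(11), classify(vec));
}
```

All five vectors carry the same (r, s) = (1, 128) once decoded, which is exactly the problem: a verifier that accepts all of them lets anyone who holds one valid signature produce several distinct byte strings that verify, and any system that keys on the signature bytes (deduplication, transaction IDs, replay caches) is then open to confusion.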
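The serialize-javascript advisory above shows the attacker's object and the mangled output, but not the mechanism that turns one into the other. The toy serializer below is an added example, not the library's code: it reproduces the two-step scheme (JSON.stringify with regexes swapped for quoted `@__R-<UID>-<n>__@` placeholders, then a regex replace that puts the regex source back unquoted) and the 3.1.0 fix, which leaves a placeholder alone when its opening quote is preceded by a backslash, because that quote then belongs to an enclosing JSON string. The UID is fixed to the constructed value `deadbeef` so the payload can be written literally; the real library draws it at random, which is why the advisory speaks of guessing it.

```javascript
// Toy reproduction of the serialize-javascript placeholder bug and its 3.1.0 fix.
// Added example, not the library's code. UID is constructed; the library's is random.

const UID = 'deadbeef';
const PLACEHOLDER_BUGGY = /"@__R-([0-9a-f]+)-(\d+)__@"/g;
// The fix: capture a preceding backslash. If present, the opening quote is an
// escaped quote inside a JSON string literal and the match must be left alone.
const PLACEHOLDER_FIXED = /(\\)?"@__R-([0-9a-f]+)-(\d+)__@"/g;

// Step 1 (shared): JSON.stringify with every RegExp replaced by a placeholder string.
function stringifyWithPlaceholders(obj) {
  const regexes = [];
  const json = JSON.stringify(obj, (key, value) =>
    value instanceof RegExp ? `@__R-${UID}-${regexes.push(value) - 1}__@` : value);
  return { json, regexes };
}

// Step 2, vulnerable: every quoted placeholder becomes unquoted regex source,
// even when the opening quote is really the escaped `\"` inside another string.
function serializeBuggy(obj) {
  const { json, regexes } = stringifyWithPlaceholders(obj);
  return json.replace(PLACEHOLDER_BUGGY, (m, uid, idx) => regexes[Number(idx)].toString());
}

// Step 2, fixed: a placeholder preceded by a backslash is returned unchanged.
function serializeFixed(obj) {
  const { json, regexes } = stringifyWithPlaceholders(obj);
  return json.replace(PLACEHOLDER_FIXED, (m, backslash, uid, idx) =>
    backslash ? m : regexes[Number(idx)].toString());
}

// Consume the output the way serialize-javascript output is meant to be consumed:
// as a JavaScript expression. Returns the value, or the Error thrown while parsing.
function roundTrip(text) {
  try { return new Function('return ' + text)(); } catch (e) { return e; }
}

// Attacker-controlled values from the advisory: a regex whose source contains a
// quote, and a string holding the (guessed) placeholder right after a quote.
const PAYLOAD = { foo: /1"/, bar: `a"@__R-${UID}-0__@` };

const buggy = serializeBuggy(PAYLOAD);   // {"foo":/1"/,"bar":"a\/1"/}
const fixed = serializeFixed(PAYLOAD);   // {"foo":/1"/,"bar":"a\"@__R-deadbeef-0__@"}

console.log('buggy :', buggy);
console.log('fixed :', fixed);
console.log('buggy parses as:', roundTrip(buggy));   // SyntaxError: "bar" string ended at a\/1
console.log('fixed parses as:', roundTrip(fixed));   // original object, bar intact
```

In the buggy output the `"bar"` string literal now ends after `a\/1`, so everything the attacker put into the regex source after that quote is parsed as code rather than string content; with this minimal payload that is a syntax error, and with a payload tailored to the surrounding structure it is the arbitrary code execution the advisory describes. The fixed output still contains the attacker's placeholder text, but as an ordinary string.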