Bump webpack from 5.94.0 to 5.104.1#18

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/webpack-5.104.1

Conversation


@dependabot dependabot bot commented on behalf of github Mar 1, 2026

Bumps webpack from 5.94.0 to 5.104.1.

Release notes

Sourced from webpack's releases.

v5.104.1

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not access WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

v5.103.0

Features

  • Added DotenvPlugin and top level dotenv option to enable this plugin
  • Added WebpackManifestPlugin
  • Added support the ignoreList option in devtool plugins
  • Allow to use custom javascript parse function

... (truncated)

Changelog

Sourced from webpack's changelog.

5.104.1

Patch Changes

  • 2efd21b: Reexports runtime calculation should not access WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

5.104.0

Minor Changes

  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.

Patch Changes

  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

Commits
  • 24e3c2d chore(release): new release (#20253)
  • 2efd21b fix(re-exports): reexports runtime calculation should not accessing `__WEBPAC...
  • c510070 fix(security): userinfo bypass vulnerability in HttpUriPlugin allowedUris
  • 4b0501c ci: fix release (#20252)
  • 0c213ce ci: use \<@&1450591255485743204> over @here for discord notificationw
  • 5bf8bc5 refactor: types for benchmarks and tests
  • 505a5e7 chore(release): new release (#20188)
  • 0c06680 refactor: update eslint configuration
  • 2eb0d6a ci: release announcement (#20238)
  • b2b2459 ci: cancel in progress (#20239)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [webpack](https://github.com/webpack/webpack) from 5.94.0 to 5.104.1.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.94.0...v5.104.1)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.104.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
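Two of the entries in the release notes above concern the HttpUriPlugin: the userinfo check on allowedUris (c510070) and the redirect re-validation with an http(s) restriction and a conservative hop limit (2179fdb). The block below is an added example written for this review, not webpack's code, showing that class of policy in isolation: every hop, including the first URL, is checked against an allowlist before it is fetched, only http(s) is accepted, URLs carrying credentials are rejected, and the number of redirects is capped. The allowlist shape (string prefixes or RegExps), the hop limit, and the in-memory table standing in for the network are all assumptions constructed for the example.

```javascript
// Added example for this review; not webpack's code. It illustrates the
// redirect policy described in the changelog: every hop is re-validated
// against an allowlist, only http(s) is accepted, and hops are capped.
// The allowlist shape (string prefixes or RegExps) and the hop limit are
// assumptions made for this example.

const MAX_REDIRECTS = 5; // assumed limit
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns true when `candidate` satisfies the policy. The check runs on the
// canonical serialization (parsed.href), so scheme/host case and default
// ports are normalized before a prefix rule is applied.
function isAllowed(candidate, allowedUris) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return false; // unparseable URLs never match
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  // Credentials in the authority are rejected outright: a plain prefix rule
  // compares text up to the "@", not the host that is actually contacted.
  if (parsed.username !== "" || parsed.password !== "") return false;
  const href = parsed.href;
  return allowedUris.some((rule) =>
    rule instanceof RegExp ? rule.test(href) : href.startsWith(rule)
  );
}

// Constructed in-memory stand-in for the network. Each entry is either a
// redirect (status + Location header) or a final response with a body.
const FAKE_NETWORK = new Map([
  ["https://cdn.example.test/lib.js",
    { status: 301, location: "https://cdn.example.test/v2/lib.js" }],
  ["https://cdn.example.test/v2/lib.js",
    { status: 200, body: "export const version = 2;" }],
  ["https://cdn.example.test/relative", { status: 302, location: "../v2/lib.js" }],
  ["https://cdn.example.test/loop", { status: 302, location: "https://cdn.example.test/loop" }],
  ["https://cdn.example.test/escape", { status: 302, location: "https://other.example.test/x" }],
  ["https://cdn.example.test/downgrade", { status: 302, location: "ftp://cdn.example.test/x" }],
]);

function fakeFetch(url) {
  return FAKE_NETWORK.get(url) ?? { status: 404 };
}

// Follows redirects from `startUrl` under the policy. The policy is applied
// to every hop *before* that hop is fetched, so a disallowed Location is
// rejected before anything could be cached or written to a lockfile.
// Returns { ok: true, url, body } or { ok: false, reason }.
function fetchWithPolicy(startUrl, allowedUris, fetchFn = fakeFetch) {
  let current = startUrl;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (!isAllowed(current, allowedUris)) {
      return { ok: false, reason: `not allowed: ${current}` };
    }
    const res = fetchFn(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      // Resolve a relative Location against the current URL; the next loop
      // iteration re-validates the result.
      current = new URL(res.location, current).href;
      continue;
    }
    if (res.status === 200) return { ok: true, url: current, body: res.body };
    return { ok: false, reason: `status ${res.status} from ${current}` };
  }
  return { ok: false, reason: `more than ${MAX_REDIRECTS} redirects` };
}

// Stand-alone run: two allowed chains and three rejected ones.
const demoAllow = ["https://cdn.example.test/"];
for (const path of ["lib.js", "relative", "escape", "downgrade", "loop"]) {
  console.log(path, fetchWithPolicy(`https://cdn.example.test/${path}`, demoAllow));
}
```

The point to carry into a review of this bump is the ordering: validation happens on the resolved Location of each hop before that hop is requested, not once on the starting URL, and the hop counter bounds the work an uncooperative server can cause.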
@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Mar 1, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff (direct dependencies):

  Package: webpack@5.94.0 ⏵ 5.104.1 (updated)
  Supply Chain Security: 89 (+5)
  Vulnerability: 100 (+2)
  Quality: 93 (+1)
  Maintenance: 97 (-1)
  License: 100


@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn Low
Embedded URLs or IPs: npm @types/eslint

URLs: https://eslint.org/docs/latest/use/configure/language-options-deprecated#specifying-parser-options, meta.name

Location: Package overview

From: npm/webpack@5.104.1 → npm/@types/eslint@9.6.1


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/eslint@9.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm @webassemblyjs/ast

URLs: https://webassembly.github.io/spec/core/binary/modules.html#binary-module, https://webassembly.github.io/spec/core/text/modules.html#text-module, i32.store, i64.store, f32.store, f64.store, i32.ne, i64.ne, f32.ne, f32.lt, f32.gt, f32.ge, f64.ne, f64.lt, f64.gt, f64.ge

Location: Package overview

From: npm/webpack@5.104.1 → npm/@webassemblyjs/ast@1.14.1


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/ast@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm @webassemblyjs/wasm-parser

URLs: https://webassembly.github.io/spec/binary/modules.html#binary-typesec, https://webassembly.github.io/spec/binary/modules.html#binary-importsec, https://webassembly.github.io/spec/binary/modules.html#function-section, https://webassembly.github.io/spec/binary/modules.html#export-section, https://webassembly.github.io/spec/binary/modules.html#code-section, https://webassembly.github.io/spec/core/binary/instructions.html#table-instructions, https://webassembly.github.io/spec/core/binary/types.html#limits, https://webassembly.github.io/spec/core/binary/types.html#binary-tabletype, https://webassembly.github.io/spec/binary/types.html#global-types, https://github.com/WebAssembly/design/blob/master/BinaryEncoding.md#name-section

Location: Package overview

From: npm/webpack@5.104.1 → npm/@webassemblyjs/wasm-parser@1.14.1


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-parser@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/wasm-parser is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate WebAssembly binary decoder/AST builder. It decodes a WASM module into a rich AST representation without performing harmful actions, network activity, or data exfiltration. The primary security considerations are ensuring trust in the library's source and keeping dependencies current, as with any third-party tool. If kept updated and used with proper input validation, the component poses no immediate malicious risk based on this fragment.

Confidence: 1.00

Severity: 0.60

From: npm/webpack@5.104.1 → npm/@webassemblyjs/wasm-parser@1.14.1


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-parser@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm ajv-formats

URLs: https://gist.github.com/dperini/729294, https://mathiasbynens.be/demo/url-regex, https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html, http://tools.ietf.org/html/rfc4122, https://tools.ietf.org/html/rfc6901, https://tools.ietf.org/html/rfc3986#appendix-A, http://tools.ietf.org/html/draft-luff-relative-json-pointer-00, https://spec.openapis.org/oas/v3.0.0#data-types, https://github.com/miguelmota/is-base64, https://github.com/mafintosh/is-my-json-valid/blob/master/formats.js, http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address#answer-8829363, http://www.w3.org/TR/html5/forms.html#valid-e-mail-address, https://tools.ietf.org/html/rfc3339#appendix-C, http://tools.ietf.org/html/rfc3339#section-5.6, http://jmrware.com/articles/2009/uri_regexp/URI_regex.html

Location: Package overview

From: npm/webpack@5.104.1 → npm/ajv-formats@2.1.1


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv-formats@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm ajv-keywords

URLs: http://json-schema.org/schema

Location: Package overview

From: npm/webpack@5.104.1 → npm/ajv-keywords@5.1.0


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv-keywords@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm ajv

URLs: http://json-schema.org/draft-07/schema, http://json-schema.org/schema, https://json-schema.org/draft/2020-12/schema, https://json-schema.org/draft/2019-09/schema, https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#

Location: Package overview

From: npm/webpack@5.104.1 → npm/ajv@8.18.0


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern.

Confidence: 1.00

Severity: 0.60

From: npm/webpack@5.104.1 → npm/ajv@8.18.0


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code.

Confidence: 1.00

Severity: 0.60

From: npm/webpack@5.104.1 → npm/ajv@8.18.0


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach.

Confidence: 1.00

Severity: 0.60

From: npm/webpack@5.104.1 → npm/ajv@8.18.0


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Environment variable access: npm baseline-browser-mapping

Location: Package overview

From: npm/webpack@5.104.1 → npm/baseline-browser-mapping@2.10.0


Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/baseline-browser-mapping@2.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Environment variable access: npm baseline-browser-mapping

Env Vars: BROWSERSLIST_IGNORE_OLD_DATA

Location: Package overview

From: npm/webpack@5.104.1 → npm/baseline-browser-mapping@2.10.0


Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/baseline-browser-mapping@2.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Environment variable access: npm baseline-browser-mapping

Env Vars: BASELINE_BROWSER_MAPPING_IGNORE_OLD_DATA

Location: Package overview

From: npm/webpack@5.104.1 → npm/baseline-browser-mapping@2.10.0


Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/baseline-browser-mapping@2.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm fast-uri

URLs: www.g.com/, www.g.com/adf%0Agf, www.g.com/error%0A/, 10.10.000.10, https://datatracker.ietf.org/doc/html/rfc5954#section-4.1, http://example.org/~user, http://example.org/%7euser, http://abc.com:80/~smith/home.html, http://abc.com/~smith/home.html, abc.com, http://ABC.com/%7Esmith/home.html, http://ABC.com:/%7esmith/home.html, HTTP://ABC.COM, http://abc.com/, http://example.com:/, http://example.com:80/, https://example.com, https://example.com:443/, https://example.com:/, WS://ABC.COM:80/chat#one, ws://abc.com/chat, WSS://ABC.COM:443/chat#one, wss://abc.com/chat, example.com, example.com:1/path?query#fragment, uri://example.com:9000, 10.10.10.10, 10.10.10.10.example.com, 129.144.52.38, ws://example.com, ws://example.com/foo, ws://example.com/foo?bar, wss://example.com, wss://example.com/foo?bar, wss://example.com/foo, https://example.com/foo#bar, mple.com, gary.court@gmail.com, example.com:123/one/two.three?q1=a1&q2=a2#body, uri://10.10.10.10.example.com/en/process, uri://www.example.org/red%09ros, uri://www.example.org/red%09ros%C3%A9#red, 192.068.001.000, 192.68.1.0, xE9.example.org, uri://xn--rsum-bpad.example.org, uri://www.example.org/D%C3%BCrst, uri://www.example.org/D, uri://www.example.org/D%FCrst, uri://xn--99zt52a.example.org/%e2%80%ae, uri://xn--99zt52a.example.org/%E2%80%AE, example.com?subject=current-issue, example.com?body=send%20current-issue, example.com?body=send%20current-issue%0D%0Asend%20index, example.org?In-Reply-To=%3C3469A91.D10AF4C@example.com%3E, example.org, example.com?body=subscribe%20bamboo-l, example.com?cc=bob@example.com&body=hello, example.com?cc=bob@example.com?body=hello, example.com?blat=foop, example.org?subject=caf%C3%A9, example.org?subject=%3D%3Futf-8%3FQ%3Fcaf%3DC3%3DA9%3F%3D, example.org?subject=%3D%3Fiso-8859-1%3FQ%3Fcaf%3DE9%3F%3D, example.org?subject=caf%C3%A9&body=caf%C3%A9, 86.example.org?subject=Test&body=NATTO, xn--99zt52a.example.org, example.com?body=current-issue, 
https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4, http://example.com/, http://example.com/foo, http://example.com/foo/, example.com:123, 01.01.01.01

Location: Package overview

From: npm/webpack@5.104.1 → npm/fast-uri@3.1.0


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-uri@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Publisher changed: npm loader-runner is now published by evilebottnawi instead of sokra

New Author: evilebottnawi

Previous Author: sokra

From: npm/webpack@5.104.1 → npm/loader-runner@4.3.1


Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/loader-runner@4.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm terser-webpack-plugin

URLs: https://github.com/terser/terser/issues/366, https://github.com/webpack/webpack/issues/16135

Location: Package overview

From: npm/webpack@5.104.1 → npm/terser-webpack-plugin@5.3.16


Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser-webpack-plugin@5.3.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm terser-webpack-plugin is 100.0% likely to have a medium risk anomaly

Notes: The code contains an explicit arbitrary code execution primitive: transform evaluates a provided string via new Function with full access to require/module/exports and path context, then uses the result to call an implementation. This creates a high-impact RCE/config injection vector if the options string is untrusted. The file itself does not include embedded malicious payloads, but the pattern is dangerous and should be treated as a serious security risk in any environment where the options string could be influenced externally. Recommended remediation: avoid executing strings as code; accept structured data (JSON), validate/whitelist returned keys and types, or run evaluation inside a restricted sandbox (Node VM with whitelisted globals and no require), and do not expose require/module/exports to evaluated code. If transform is unnecessary, remove it. Treat use of transform with untrusted inputs as unacceptable.

Confidence: 1.00

Severity: 0.60

From: ? → npm/webpack@5.104.1 → npm/terser-webpack-plugin@5.3.16

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser-webpack-plugin@5.3.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm terser

URLs: https://bugs.webkit.org/show_bug.cgi?id=123506, https://github.com/mishoo/UglifyJS/issues/60, https://github.com/terser/terser/issues/1019#issuecomment-877642607, https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS, https://github.com/terser/terser/issues/724#issuecomment-643655656, https://github.com/mishoo/UglifyJS/issues/287, a.foo, https://tc39.es/ecma262/multipage/additional-ecmascript-features-for-web-browsers.html#sec-block-level-function-declarations-web-legacy-compatibility-semantics, https://github.com/mishoo/UglifyJS/issues/242, https://github.com/mishoo/UglifyJS/issues/979

Location: Package overview

From: ? → npm/webpack@5.104.1 → npm/terser@5.46.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser@5.46.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Embedded URLs or IPs: npm webpack


Location: Package overview

From: package.json → npm/webpack@5.104.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.104.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm webpack is 100.0% likely to have a medium risk anomaly

Notes: This is a straightforward wasm-based hash wrapper. There is no evident malware behavior, external data leakage, or suspicious network/activity. The usage pattern is benign: loading a precompiled wasm blob and exposing a hashing function through a wrapper. No hardcoded secrets, no environment-variable use, and no dynamic code evaluation observed. However, the embedded wasm payload represents a potential supply chain risk if the binary is tampered in distribution; integrity verification (hashes/signatures) is essential.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/webpack@5.104.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.104.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.



Labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code)
