[Snyk] Security upgrade webpack from 5.30.0 to 5.76.0

[jydmyk]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • package.json
  • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	736/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 8.3	Sandbox Bypass SNYK-JS-WEBPACK-3358798	No	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: webpack

The new version differs by 250 commits.

• 5d64468 Merge pull request repo sync github/docs#16792 from webpack/update-version
• 67af5ec chore(release): 5.76.0
• 97b1718 Merge pull request net.kdt.pojavlaunch.kiet github/docs#16781 from askoufis/loader-context-target-type
• b84efe6 Merge pull request Update viewing-workflow-run-history.md github/docs#16759 from ryanwilsonperkin/real-content-hash-regex-perf
• c98e9e0 Merge pull request Add TOTP Apps Google Authenticator. github/docs#16493 from piwysocki/patch-1
• 5f34acf feat: Add `target` to `LoaderContext` type
• b7fc4d8 Merge pull request Update and rename managing-your-profile-readme.md to robots-managing-… github/docs#16703 from ryanwilsonperkin/ryanwilsonperkin/fix-16160
• 63ea82d Merge branch 'webpack:main' into patch-1
• 4ba2252 Merge pull request Managing disruptive comments is overly prescriptive github/docs#16446 from akhilgkrishnan/patch-1
• 1acd635 Merge pull request Update githubs-products.md github/docs#16613 from jakebailey/ts-logo
• 302eb37 Merge pull request Update projects-filters.md github/docs#16614 from jakebailey/html5-logo
• cfdb1df Improve performance of hashRegExp lookup
• 4d561a6 Add test for behaviour of filesystem-cached assets with loaders
• dfaa3b4 lint: remove trailing comma
• dcc3e71 Serialize code generator data to support generated assets
• b67626c Merge pull request Fix spelling mistakes github/docs#16491 from lvivski/main
• d957cdf Fix formatting
• 6011163 Fix formatting
• ea5e864 Fix HTML5 logo in README
• 2112f9b Replace TypeScript logo in README
• 5513dd6 Merge branch 'webpack:main' into patch-1
• 4b4ca3b Merge pull request Update and rename content/support/contacting-github-support/creating-… github/docs#16500 from Jack-Works/avoid-cross-realm-object
• 4f39c9f fix: type error
• c922ee1 chore: revert breaking change

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]
• @SocketSecurity ignore [email protected]

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
[email protected] (upgraded)	postinstall	package.json via [email protected]

🧌 Protestware/Troll package

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Package	Note	Source
[email protected] (upgraded)	This package prints a protestware console message regarding Ukraine for users with Russian language locale	package.json via @primer/[email protected], [email protected]

Pull request alert summary

Issue	Status
Install scripts	⚠️ 1 issue
Native code	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	⚠️ 1 issue

---

📊 Modified Dependency Overview:

➕ Added Package	Capability Access	+/- Transitive Count	Publisher
[email protected]	None	+4	node-fetch-bot
[email protected]	None	+1	sindresorhus
[email protected]	None	+0	dcousens

⬆️ Updated Package	Version Diff	Added Capability Access	+/- Transitive Count	Publisher
[email protected]	1.1.0...1.4.0	network	+35/-28	zeke
[email protected]	10.2.0...10.2.3	None	+58/-121	zeit-bot
[email protected]	1.4.0...1.12.0	None	+0/-0	mihaivalentin
[email protected]	3.14.0...3.14.1	None	+0/-0	vitaly
[email protected]	3.12.0...3.13.0	None	+2/-2	bobby-brennan
[email protected]	1.0.2...1.0.3	None	+3/-1	cschleiden
[email protected]	2.21.3...2.30.0	None	+2/-0	kossnocorp
[email protected]	1.2.1...1.5.0	None	+0/-1	wooorm
[email protected]	8.3.0...8.3.2	None	+0/-0	ctavan
[email protected]	4.2.1...4.3.1	None	+0/-0	xjamundx
[email protected]	2.0.0...2.0.2	None	+2/-0	brandonocasey
[email protected]	9.0.2...9.0.3	None	+12/-65	evilebottnawi
[email protected]	2.5.2...2.6.0	None	+0/-0	broofa
[email protected]	2.4.0...2.4.2	None	+37/-25	joseluisbolos
[email protected]	4.2.1...4.3.8	None	+19/-19	typicode
[email protected]	7.1.6...7.2.3	None	+2/-3	isaacs
[email protected]	4.2.4...4.9.5	None	+0/-0	typescript-bot
[email protected]	2.0.1...2.2.0	None	+0/-0	addaleax
@primer/[email protected]	28.0.1...28.5.0	None	+41/-35	primer-css
[email protected]	7.0.2...7.0.3	None	+0/-1	kentcdodds
[email protected]	4.8.8...4.16.3	environment	+0/-0	david
[email protected]	2.2.0...2.2.2	None	+0/-0	hilleer
[email protected]	1.2.0...1.2.2	None	+8/-8	almaclaine
[email protected]	4.2.0...4.2.3	None	+23/-21	s0ph1e
[email protected]	1.12.0...1.15.5	environment	+20/-27	bahmutov
[email protected]	4.1.0...4.1.2	None	+0/-2	sindresorhus
[email protected]	2.2.6...2.4.0	None	+0/-0	mihneadb
[email protected]	2.0.4...2.0.22	network	+10/-41	remy
[email protected]	3.0.2...3.0.5	None	+0/-0	boblauer
[email protected]	1.9.1...1.10.0	None	+0/-1	dougwilson
[email protected]	1.4.5...1.4.6	None	+1/-0	dougwilson
[email protected]	2.22.1...2.27.5	None	+103/-94	ljharb
[email protected]	3.1.2...3.1.5	None	+14/-13	bholloway
[email protected]	1.0.2...1.1.3	None	+0/-0	mattphillips
@types/[email protected]	17.0.4...17.0.60	None	+3/-3	types
[email protected]	2.1.1...2.4.0	None	+0/-0	samclarke
[email protected]	1.2.1...1.4.0	None	+0/-0	mdevils
[email protected]	2.0.1...2.1.0	None	+0/-0	blakeembrey
[email protected]	5.1.3...5.5.1	None	+0/-0	nfriedly
[email protected]	4.17.1...4.18.2	network	+29/-17	dougwilson
[email protected]	8.2.0...8.5.2	None	+2/-2	bdeitte
[email protected]	5.0.0...5.0.2	None	+0/-1	timoxley
[email protected]	6.0.3...6.4.1	None	+35/-83	evilebottnawi
[email protected]	4.0.2...4.0.3	None	+1/-1	rmassaioli
[email protected]	2.3.3...2.3.5	None	+2/-3	trysound
@babel/[email protected]	7.12.13...7.18.6	shell	+47/-24	nicolo-ribaudo
[email protected]	9.22.1...9.43.0	None	+0/-0	harttle
@types/[email protected]	17.0.3...17.0.20	None	+4/-4	types
[email protected]	2.610.0...2.1390.0	eval, environment	+18/-6	aws-sdk-bot
@babel/[email protected]	7.11.0...7.22.4	shell	+51/-29	nicolo-ribaudo
[email protected]	13.0.4...13.3.1	None	+1/-1	nockbot
[email protected]	8.1.0...8.3.0	shell	+48/-88	nicolo-ribaudo
[email protected]	1.4.1...1.6.2	None	+7/-54	evilebottnawi
[email protected]	5.3.0...5.3.11	None	+31/-23	probablyup
[email protected]	1.0.0-rc.3...1.0.0-rc.12	network	+12/-4	feedic
@babel/[email protected]	7.12.13...7.21.5	shell	+41/-23	nicolo-ribaudo
[email protected]	7.13.0...7.32.0	eval	+42/-46	eslintbot
[email protected]	16.0.1...16.0.3	None	+106/-97	linusu
@graphql-inspector/[email protected]	2.3.0...2.9.0	None	+3/-2	kamilkisiela
@babel/[email protected]	7.12.13...7.22.3	shell	+47/-29	nicolo-ribaudo
@actions/[email protected]	1.2.6...1.10.0	environment	+2/-0	thboop
[email protected]	6.2.0...6.2.1	None	+0/-0	abetomo
[email protected]	3.21.2...3.23.3	None	+2/-2	evanhahn
[email protected]	4.6.0...4.10.0	environment	+16/-71	evilebottnawi
[email protected]	4.1.0...4.3.0	environment	+11/-54	evilebottnawi
[email protected]	3.2.0...3.2.4	None	+0/-0	hargasinski
@babel/[email protected]	7.12.13...7.22.1	shell	+39/-21	nicolo-ribaudo
[email protected]	2.13.6...2.16.2	None	+65/-68	justinbeckwith
[email protected]	1.12.0...1.13.3	None	+31/-23	probablyup
[email protected]	2.1.2...2.8.8	environment	+0/-0	prettier-bot
@babel/[email protected]	7.12.13...7.20.11	shell	+41/-23	nicolo-ribaudo
@babel/[email protected]	7.12.13...7.22.4	shell	+132/-88	nicolo-ribaudo
[email protected]	0.16.1...0.16.13	None	+53/-46	alisowski
[email protected]	17.0.1...17.0.2	None	+2/-2	gaearon
@babel/[email protected]	7.12.13...7.22.3	shell	+43/-25	nicolo-ribaudo
[email protected]	3.1.1...3.1.2	None	+1/-1	leibale
[email protected]	1.2.1...1.3.0	None	+6/-56	evilebottnawi
[email protected]	17.0.1...17.0.2	None	+0/-0	gaearon
[email protected]	14.6.0...14.7.0	None	+0/-0	i1g
[email protected]	1.26.3...1.62.1	filesystem	+4/-7	sassbot
@types/[email protected]	4.14.168...4.14.195	None	+0/-0	types
[email protected]	8.2.0...8.6.0	None	+0/-0	motdotla
@babel/[email protected]	7.11.2...7.22.3	None	+1/-1	nicolo-ribaudo
@graphql-tools/[email protected]	6.2.5...6.2.8	None	+26/-23	ardatan
@primer/[email protected]	16.2.0...16.3.0	None	+1/-2	primer-css

🚮 Removed packages: [email protected], [email protected], [email protected], [email protected]