chore(deps): update dependency webpack-bundle-analyzer to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-bundle-analyzer	^2.9.0 → ^3.0.0
webpack-bundle-analyzer	^2.9.0 → ^3.0.0

---

Cross-Site Scripting in webpack-bundle-analyzer

GHSA-pgr8-jg6h-8gw6

More information

Details

Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

Recommendation

Upgrade to version 3.3.2 or later.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References

• https://github.com/webpack-contrib/webpack-bundle-analyzer/issues/263
• https://github.com/webpack-contrib/webpack-bundle-analyzer/pull/264
• https://github.com/webpack-contrib/webpack-bundle-analyzer/commit/20f2b4c553ee343f491faf63e39427fba9908c7c
• https://snyk.io/vuln/SNYK-JS-WEBPACKBUNDLEANALYZER-174190
• https://www.npmjs.com/advisories/826

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

GitHub Vulnerability Alerts

GHSA-pgr8-jg6h-8gw6

Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

Recommendation

Upgrade to version 3.3.2 or later.

---

Release Notes

webpack/webpack-bundle-analyzer (webpack-bundle-analyzer)

v3.3.2

Compare Source

• Bug Fix
  • Fix regression with escaping internal assets (#​264, fixes #​263)

v3.3.1

Compare Source

• Improvements

  • Use relative links for serving internal assets (#​261, fixes #​254)
  • Properly escape embedded JS/JSON (#​262)

• Bug Fix

  • Fix showing help message on -h flag (#​260, fixes #​239)

v3.3.0

Compare Source

• New Feature

  • Show/hide chunks using context menu (#​246, @​bregenspan)

• Internal

  • Updated dev dependencies

v3.2.0

Compare Source

• Improvements
  • Add support for .mjs output files (#​252, @​jlopezxs)

v3.1.0

Compare Source

• Bug Fix
  • Properly determine the size of the modules containing special characters (#​223, @​hulkish)
  • Update acorn to v6 (#​248, @​realityking)

v3.0.4

Compare Source

• Bug Fix
  • Make webpack's done hook wait until analyzer writes report or stat file (#​247, @​mareolan)

v3.0.3

Compare Source

• Bug Fix
  • Disable viewer websocket connection when report is generated in static mode (#​215, @​sebastianhaeni)

v3.0.2

Compare Source

• Improvements

  • Drop @babel/runtime dependency (#​209, @​realityking)
  • Properly specify minimal Node.js version in .babelrc (#​209, @​realityking)

• Bug Fix

  • Move some "dependencies" to "devDependencies" (#​209, @​realityking)

v3.0.1

Compare Source

• Bug Fix
  • Small UI fixes

v3.0.0

Compare Source

• Breaking change

  • Dropped support for Node.js v4. Minimal required version now is v6.14.4
  • Contents of concatenated modules are now hidden by default because of a number of related issues (details), but can be shown using a new checkbox in the sidebar.

• New Feature

  • Added modules search
  • Added ability to pin and resize the sidebar
  • Added button to toggle the sidebar
  • Added checkbox to show/hide contents of concatenated modules

• Improvements

  • Nested folders that contain only one child folder are now visually merged i.e. folder1 => folder2 => file1 is now shown like folder1/folder2 => file1 (thanks to @​varun-singh-1 for the idea)

• Internal

  • Dropped support for Node.js v4
  • Using MobX for state management
  • Updated dependencies

v2.13.1

Compare Source

• Improvement

  • Pretty-format the generated stats.json (#​180) @​edmorley)

• Bug Fix

  • Properly parse Webpack 4 async chunk with Array.concat optimization (#​184, fixes #​183)

• Internal

  • Refactor bundle parsing logic (#​184)

v2.13.0

Compare Source

• Improvement
  • Loosen bundle parsing logic (#​181). Now analyzer will still show parsed sizes even if:
    • It can't parse some bundle chunks. Those chunks just won't have content in the report. Fixes issues like #​160.
    • Some bundle chunks are missing (it couldn't find files to parse). Those chunks just won't be visible in the report for parsed/gzipped sizes.

v2.12.0

Compare Source

• New Feature
  • Add option that allows to exclude assets from the report (#​178)

v2.11.3

Compare Source

• Bug Fix
  • Filter out modules that weren't found during bundles parsing (#​177)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.