Update all

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@ampproject/rollup-plugin-closure-compiler	0.26.0 -> 0.27.0
@types/node	14.17.7 -> 14.17.15
acorn	8.4.1 -> 8.5.0
acorn-walk	8.1.1 -> 8.2.0
husky (source)	7.0.1 -> 7.0.2
lint-staged	11.1.1 -> 11.1.2
mini-css-extract-plugin	2.1.0 -> 2.2.2
node	14.17.4 -> 14.17.6
prettier (source)	2.3.2 -> 2.4.0
rollup (source)	2.55.1 -> 2.56.3
sirv	1.0.12 -> 1.0.17
typescript (source)	4.3.5 -> 4.4.2
webpack	5.48.0 -> 5.52.1
webpack-cli	4.7.2 -> 4.8.0

---

Release Notes

ampproject/rollup-plugin-closure-compiler

v0.27.0

Compare Source

This release adds support for M1 Macintoshes.

• Publish from any branch since main is now the default e99fae9
• Update to latest closure compiler (#​435) 85e3750
• Upgrade dependencies (#​393) bfb50ab
• Update dependency typescript to v3.9.5 (#​389) 318c883
• Update dependency rollup to v2.12.1 (#​384) 2d8c04f
• Update Node.js to v14.4.0 (#​385) 0fb576b
• Update dependency @​types/node to v14.0.9 (#​383) 3d96e36

acornjs/acorn

v8.5.0

Compare Source

typicode/husky

v7.0.2

Compare Source

Fix pre-commit hook in WebStorm (#​1023)

okonet/lint-staged

v11.1.2

Compare Source

Bug Fixes

• try to automatically fix and warn about invalid brace patterns (#​992) (b3d97cf)

webpack-contrib/mini-css-extract-plugin

v2.2.2

Compare Source

v2.2.1

Compare Source

v2.2.0

Compare Source

Features

• add link and description for options (#​786) (3c5a5b7)

Bug Fixes

• hmr in browser extension (3d09da1)

nodejs/node

v14.17.6

Compare Source

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

• CVE-2021-37701
• CVE-2021-37712
• CVE-2021-37713
• CVE-2021-39134
• CVE-2021-39135

Commits

• [5b3f70bfb5] - deps: update archs files for OpenSSL-1.1.1l (Richard Lau) #​39868
• [71372625ae] - deps: upgrade openssl sources to 1.1.1l (Richard Lau) #​39868
• [4276984803] - deps: upgrade npm to 6.14.15 (Darcy Clarke) #​39856

v14.17.5

Compare Source

This is a security release.

Notable Changes

• CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
  • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
• CVE-2021-22930: Use after free on close http2 on stream canceling (High)
  • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
• CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
  • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits

• [4923b59e0b] - deps: update c-ares to 1.17.2 (Beth Griggs) #​39724
• [847a4c6a8a] - deps: reflect c-ares source tree (Beth Griggs) #​39653
• [33208e2f89] - deps: apply missed updates from c-ares 1.17.1 (Beth Griggs) #​39653
• [af5c1af9a4] - http2: add tests for cancel event while client is paused reading (Akshay K) #​39622
• [434872e838] - http2: update handling of rst_stream with error code NGHTTP2_CANCEL (Akshay K) #​39622
• [35b86110e4] - tls: validate "rejectUnauthorized: undefined" (Matteo Collina) nodejs-private/node-private#​276

prettier/prettier

v2.4.0

Compare Source

diff

🔗 Release Notes

rollup/rollup

v2.56.3

Compare Source

2021-08-23

Bug Fixes

• Make sure moduleInfo contains complete information about imported ids in the moduleParsed hook (#​4208)

Pull Requests

• #​4208: ModuleInfo.importedIds will return null if resolvedIds[source] is undefined (@​FoxDaxian and @​lukastaegert)

v2.56.2

Compare Source

2021-08-10

Bug Fixes

• Check if after simplification, an object pattern would become an expression statement or arrow function return value (#​4204)

Pull Requests

• #​4204: Do not create invalid code when simplifying object pattern assignments (@​lukastaegert)

v2.56.1

Compare Source

2021-08-08

Bug Fixes

• Fix rendering of SystemJS export declarations initialized with a simplifiable expression (#​4202)

Pull Requests

• #​4202: Fix incorrect rendering of export declarations in SystemJS (@​lukastaegert)

v2.56.0

Compare Source

2021-08-05

Features

• Create more efficient code for SystemJS exports (#​4199)
• Extend maxParallelFileReads option to also throttle plugin load hooks (#​4200)

Bug Fixes

• Return correct value for postfix update expressions of exported variables (#​4194)

Pull Requests

• #​4199: Refine SystemJS export rendering (@​lukastaegert)
• #​4200: Restrict parallel execution of load hook (@​schummar)

lukeed/sirv

v1.0.17

Compare Source

v1.0.16

Compare Source

v1.0.15

Compare Source

v1.0.14

Compare Source

Chores

• (sirv): Bump @polka/url to take advantage of this fix

v1.0.13

Compare Source

Patches

• (sirv) Only use req.path if has req._decoded flag exists (#​82):

  The req._decoded check was added & should have always been in there, since this was sirv's way of preventing duplicate decodeURIComponent calls. However, this was only true when it received a request from a polka@next app, since Polka was previously writing the decoded value to req.path – this changed with [email protected]

  Now that the latest polka@next (and Express) doesn't decode automatically anymore, req.path isn't trustworthy on its own. It needs req._decoded to be there too in order to trust it.

  This combo-check is backwards compatible for polka@next users who don't upgrade and will unblock Express users for the first time, who have always had a "raw" req.path value set.

Microsoft/TypeScript

v4.4.2

Compare Source

For release notes, check out the release announcement.

For the complete list of fixed issues, check out the

• fixed issues query for Typescript 4.4.0 (Beta).
• fixed issues query for Typescript 4.4.1 (RC).
• fixed issues query for Typescript 4.4.2.

Downloads are available on:

• npm
• Visual Studio 2017/2019 (Select new version in project options)
• NuGet package

webpack/webpack

v5.52.1

Compare Source

Performance

• split fresh created persistent cache files by time to avoid creating very large files

v5.52.0

Compare Source

Feature

• experiments.executeModule is enabled by default and the option is removed
  • loaders are now free to use this.importModule

Bugfixes

• fix generated __WEBPACK_EXTERNAL_MODULE_null__, which leads to merged externals
• .webpack[...] extension is not part of matching and module name

v5.51.2

Compare Source

Bugfixes

• fix crash in FileSystemInfo when errors occur
• avoid property access of reserved properties
• fix reexports from async modules
• automatically close an active watching when closing the compiler
• when filenames of other runtimes are referenced that need a full hash, upgrade referencing runtime moduel to full hash mode too
  • fixes a bug where [contenthash] is undefined when using new Worker

v5.51.1

Compare Source

Bugfixes

• library: "module" propages top-level-await correctly
• fix crash in filesystem snapshotting when trying to snapshot a non-existing directory
• fix some context-dependent logic in concatenated modules and source url handling

v5.51.0

Compare Source

Bugfixes

• correctly keep chunk loading state when the chunk loading logic is HMR updated
  • This fixes some edge cases that e. g. occur when using lazy compilation for entrypoints. It is now able to HMR update that instead of needing a manual reload. Also see fixes in webpack-dev-server@4.
• track and resolve symlinks for filesystem snapshotting
  • This fixes some cases of circular yarn linking of dependencies.
  • It also fixes some problems when using package managers that use symlinks to deduplicate (e. g. cnpm or pnpm)
• pass the resulting module in the callbacks of Compilation.addModuleChain and Compilation.addModuleTree

v5.50.0

Compare Source

Features

• hashbangs (#! ...) are now handled by webpack
  • https://github.com/tc39/proposal-hashbang

Performance

• disable cache compression by default as it tend to make performance worse
  • I could still be enabled again for specific scenarios
• reduce the number of allocations during cache serialization
  • This improves performance and memory usage

v5.49.0

Compare Source

Features

• add experiments.buildHttp to build http(s):// imports instead of keeping them external
  • keeps a webpack.lock file with integrity and webpack.lock.data with cached content that should be committed
  • Automatically upgrades lockfile during development when remote resources change
    (might be disabled with experiments.buildHttp.upgrade: false)
  • Lockfile is frozen during production builds and usually no network requests are made
    (exception: Cache-Control: no-cache).
  • The webpack.lock.data persisting can be disabled with experiments.buildHttp.cacheLocation: false.
    That will will introduce a availability risk.
    (webpack cache will be used to cache network responses)

Bugfixes

• fix HMR infinite loop (again)
• fix rare non-determinism with splitChunks.maxSize introduces in the last release
• optional modules no longer cause the module to fail when bail is set
• fix typo in records format: chunkHashs -> chunkHashes

Performance

• limit the number of parallel generated chunks for memory reasons

webpack/webpack-cli

v4.8.0

Compare Source

Bug Fixes

• show default value in help output if available (#​2814) (7f50948)
• support top multi compiler options (#​2874) (82b1fb7)

Features

• show possible values for option in help output (#​2819) (828e5c9)
• init-generator: add ability to specify a package manager of choice (#​2769) (e53f164)

4.7.2 (2021-06-07)

Note: Version bump only for package webpack-cli (due @webpack-cli/serve)

4.7.1 (2021-06-07)

Bug Fixes

• not found module after ask installation (#​2761) (557ad05)
• prettier config (#​2719) (181295f)

---

Configuration

📅 Schedule: "before 3am on Monday" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box.

---

This PR has been generated by WhiteSource Renovate. View repository job log here.

[samouri]

One of the package updates is increasing size. Will investigate this within the next ~mo, but this does not seem urgent.

[samouri]

Closure compiler upgrade caused this change:

before

s.addGlobalEventListener("message", ({ data: s }) => {	
              if (1 === s[12]) {	
                var i = t((s = s[39])[7]);	
                null !== i &&	
                  i.dispatchEvent(	
                    Object.assign(	
                      new W(s[12], { bubbles: s[25], cancelable: s[26] }),	
                      {	
                        cancelBubble: s[27],	
                        defaultPrevented: s[29],	
                        eventPhase: s[30],	
                        isTrusted: s[31],	
                        returnValue: s[32],	
                        target: X(e.document, s),	
                        timeStamp: s[33],	
                        scoped: s[34],	
                        keyCode: s[35],	
                        pageX: s[60],	
                        pageY: s[61],	
                        offsetX: s[65],	
                        offsetY: s[66],	
                        touches: Q(e.document, s, 62),	
                        changedTouches: Q(e.document, s, 63),	
                      }	
                    )	
                  );

after

s.addGlobalEventListener("message", ({ data: s }) => {
              if (1 === s[12]) {
                var i = t((s = s[39])[7]);
                if (null !== i) {
                  var r = i.dispatchEvent,
                    n = Object,
                    a = n.assign,
                    l = new W(s[12], { bubbles: s[25], cancelable: s[26] }),
                    o = s[27],
                    h = s[29],
                    d = s[30],
                    u = s[31],
                    c = s[32];
                  if (null !== s[13]) {
                    var g = s[13][0];
                    g = t(0 !== g ? g : e.document[7]);
                  } else g = null;
                  r.call(
                    i,
                    a.call(n, l, {
                      cancelBubble: o,
                      defaultPrevented: h,
                      eventPhase: d,
                      isTrusted: u,
                      returnValue: c,
                      target: g,
                      timeStamp: s[33],
                      scoped: s[34],
                      keyCode: s[35],
                      pageX: s[60],
                      pageY: s[61],
                      offsetX: s[65],
                      offsetY: s[66],
                      touches: X(e.document, s, 62),
                      changedTouches: X(e.document, s, 63),
                    })
                  );