node-webpack - Debian Package Tracker

general

source: node-webpack (main)
version: 5.106.2+dfsg1+~cs15.15.23-3
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Pirate Praveen [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.43.0-6+deb11u1
oldstable: 5.75.0+dfsg+~cs17.16.14-1+deb12u1
stable: 5.97.1+dfsg1+~cs11.18.27-3
testing: 5.106.2+dfsg1+~cs15.15.23-3
unstable: 5.106.2+dfsg1+~cs15.15.23-3

versioned links

4.43.0-6+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.75.0+dfsg+~cs17.16.14-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.97.1+dfsg1+~cs11.18.27-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.106.2+dfsg1+~cs15.15.23-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

webpack (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 5.107.2+~cs15.16.25 high

A new upstream version 5.107.2+~cs15.16.25 is available, you should consider packaging it.

Created: 2026-05-23 Last update: 2026-06-17 09:02

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.107.2+dfsg1+~cs15.16.25-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 3b0ba2d207136b5abbb21f772c4234eca5fc09be
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 12:12:44 2026 +0200

    Require @types/interpret during build

commit 3e273f0a2e1745e20c271450e4d41b9a8da611e1
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 12:12:27 2026 +0200

    Refresh patches
    
    Gbp-Dch: ignore

commit c4f9e8d294f8d1602ada9915de6deee803f78c08
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 11:34:56 2026 +0200

    Update d/ch

commit f824ab40f1f97755ea87309901dde6a3f5f97131
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 11:34:37 2026 +0200

    Refresh patches

commit a3ba4c42b5a15bd76b97ac4156aae4b9829d0bb5
Merge: baa9ff2 c41aa60
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 11:27:28 2026 +0200

    Update upstream source from tag 'upstream/5.107.2+dfsg1+_cs15.16.25'
    
    Update to upstream version '5.107.2+dfsg1+~cs15.16.25'
    with Debian dir 539a5a5e6b4d133ea893463c5fc004092910dc41

commit c41aa6071ea01857e87992a12b50d60c28435609
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Jun 16 11:27:21 2026 +0200

    New upstream version 5.107.2+dfsg1+~cs15.16.25

Created: 2026-06-16 Last update: 2026-06-16 12:31

lintian reports 14 warnings normal

Lintian reports 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-22 Last update: 2026-05-22 20:31

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-06 Last update: 2026-05-29 05:30

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2024-43788: (needs triaging) Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-08-28 Last update: 2026-05-29 05:30

debian/patches: 1 patch to forward upstream low

Among the 6 debian patches available in version 5.106.2+dfsg1+~cs15.15.23-3 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-22 12:00

news

[rss feed]

[2026-05-29] node-webpack 5.106.2+dfsg1+~cs15.15.23-3 MIGRATED to testing (Debian testing watch)
[2026-05-22] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-21] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-06] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-1 (source) into unstable (Xavier Guimard)
[2026-04-06] node-webpack 5.105.4+dfsg1+~cs15.13.23-3 MIGRATED to testing (Debian testing watch)
[2026-04-01] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-3 (source) into unstable (Xavier Guimard)
[2026-03-31] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-2 (source) into unstable (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-1 (source) into experimental (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-4 (source) into unstable (Xavier Guimard)
[2025-06-13] node-webpack 5.97.1+dfsg1+~cs11.18.27-3 MIGRATED to testing (Debian testing watch)
[2025-05-23] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-3 (source) into unstable (Jérémy Lal)
[2025-03-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-2 MIGRATED to testing (Debian testing watch)
[2025-03-21] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-2 (source) into unstable (Jérémy Lal)
[2024-12-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-1 MIGRATED to testing (Debian testing watch)
[2024-12-18] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-08] node-webpack 5.96.1+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-11-03] Accepted node-webpack 5.96.1+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-02] node-webpack 5.95.0+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-10-28] Accepted node-webpack 5.95.0+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-09-21] node-webpack 5.94.0+dfsg1+~cs11.18.26-2 MIGRATED to testing (Debian testing watch)
[2024-09-16] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-08-28] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2024-02-18] node-webpack 5.76.1+dfsg2+~cs10.8.15-3 MIGRATED to testing (Debian testing watch)
[2024-02-12] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-01-06] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-2 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-07-12] Accepted node-webpack 5.75.0+dfsg+~cs17.16.14-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-06-13] node-webpack 5.76.1+dfsg1+~cs17.16.16-1 MIGRATED to testing (Debian testing watch)
[2023-04-07] Accepted node-webpack 4.43.0-6+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-03-14] Accepted node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-24] node-webpack 5.75.0+dfsg+~cs17.16.14-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 14)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.105.4+dfsg1+~cs15.13.23-2