node-webpack - Debian Package Tracker

general

source: node-webpack (main)
version: 5.106.2+dfsg1+~cs15.15.23-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Pirate Praveen [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.43.0-6+deb11u1
oldstable: 5.75.0+dfsg+~cs17.16.14-1+deb12u1
stable: 5.97.1+dfsg1+~cs11.18.27-3
testing: 5.105.4+dfsg1+~cs15.13.23-3
unstable: 5.106.2+dfsg1+~cs15.15.23-1

versioned links

4.43.0-6+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.75.0+dfsg+~cs17.16.14-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.97.1+dfsg1+~cs11.18.27-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.105.4+dfsg1+~cs15.13.23-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.106.2+dfsg1+~cs15.15.23-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

webpack (1 bugs: 0, 1, 0, 0)

action needed

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-04-06 Last update: 2026-05-21 15:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.106.2+dfsg1+~cs15.15.23-2, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 8cc6b0fe1f0078c029b310df8aa823f7e4ab9170
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu May 21 15:06:06 2026 +0200

    Update depends on tapable

commit 426fb0efa9804692f38c17e0093b13445840d403
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu May 21 15:00:56 2026 +0200

    Release

commit b5e7901bdd9415e78b7ef61102cc6eb3fd8d7320
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue May 19 16:52:14 2026 +0200

    Embed local @types/estree

Created: 2026-05-19 Last update: 2026-05-21 14:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-12 Last update: 2026-05-21 14:32

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-31 Last update: 2026-04-10 05:01

debian/patches: 1 patch to forward upstream low

Among the 6 debian patches available in version 5.106.2+dfsg1+~cs15.15.23-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-07 08:05

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-06 Last update: 2026-05-07 00:00

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2024-43788: (needs triaging) Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-08-28 Last update: 2026-05-07 00:00

testing migrations

excuses:
- Migration status for node-webpack (5.105.4+dfsg1+~cs15.13.23-3 to 5.106.2+dfsg1+~cs15.15.23-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for jekyll/4.4.1+dfsg-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for node-copy-webpack-plugin/11.0.0-6: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Failed (not a regression) ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for node-jschardet/3.0.0+dfsg+~1.4.0-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for node-less-loader/11.1.0+~2.0.5-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Regression ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for node-raw-loader/4.0.2-4: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for node-speech-rule-engine/4.0.7+~0.1.31-2: i386: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻
- ∙ ∙ Autopkgtest for node-webpack/5.106.2+dfsg1+~cs15.15.23-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for pydata-sphinx-theme/0.17.1+dfsg-1: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- ∙ ∙ Autopkgtest for ruby-task-list/2.3.2-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Test triggered, s390x: Pass
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-webpack.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 14 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-21] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-06] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-1 (source) into unstable (Xavier Guimard)
[2026-04-06] node-webpack 5.105.4+dfsg1+~cs15.13.23-3 MIGRATED to testing (Debian testing watch)
[2026-04-01] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-3 (source) into unstable (Xavier Guimard)
[2026-03-31] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-2 (source) into unstable (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-1 (source) into experimental (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-4 (source) into unstable (Xavier Guimard)
[2025-06-13] node-webpack 5.97.1+dfsg1+~cs11.18.27-3 MIGRATED to testing (Debian testing watch)
[2025-05-23] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-3 (source) into unstable (Jérémy Lal)
[2025-03-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-2 MIGRATED to testing (Debian testing watch)
[2025-03-21] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-2 (source) into unstable (Jérémy Lal)
[2024-12-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-1 MIGRATED to testing (Debian testing watch)
[2024-12-18] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-08] node-webpack 5.96.1+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-11-03] Accepted node-webpack 5.96.1+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-02] node-webpack 5.95.0+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-10-28] Accepted node-webpack 5.95.0+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-09-21] node-webpack 5.94.0+dfsg1+~cs11.18.26-2 MIGRATED to testing (Debian testing watch)
[2024-09-16] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-08-28] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2024-02-18] node-webpack 5.76.1+dfsg2+~cs10.8.15-3 MIGRATED to testing (Debian testing watch)
[2024-02-12] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-01-06] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-2 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2023-07-12] Accepted node-webpack 5.75.0+dfsg+~cs17.16.14-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-06-13] node-webpack 5.76.1+dfsg1+~cs17.16.16-1 MIGRATED to testing (Debian testing watch)
[2023-04-07] Accepted node-webpack 4.43.0-6+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2023-03-14] Accepted node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-24] node-webpack 5.75.0+dfsg+~cs17.16.14-1 MIGRATED to testing (Debian testing watch)
[2022-11-19] node-webpack 5.74.0+repack1+~cs9.13.6-1 MIGRATED to testing (Debian testing watch)
[2022-11-18] Accepted node-webpack 5.75.0+dfsg+~cs17.16.14-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 12)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.105.4+dfsg1+~cs15.13.23-2
2 bugs