node-webpack - Debian Package Tracker

general

source: node-webpack (main)
version: 5.107.2+dfsg1+~cs15.16.25-2
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Pirate Praveen [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.43.0-6+deb11u1
oldstable: 5.75.0+dfsg+~cs17.16.14-1+deb12u1
stable: 5.97.1+dfsg1+~cs11.18.27-3
testing: 5.107.2+dfsg1+~cs15.16.25-2
unstable: 5.107.2+dfsg1+~cs15.16.25-2

versioned links

4.43.0-6+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.75.0+dfsg+~cs17.16.14-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.97.1+dfsg1+~cs11.18.27-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.107.2+dfsg1+~cs15.16.25-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

webpack (1 bugs: 0, 1, 0, 0)

action needed

A new upstream version is available: 5.108.1+~cs15.17.22 high

A new upstream version 5.108.1+~cs15.17.22 is available, you should consider packaging it.

Created: 2026-06-28 Last update: 2026-06-29 19:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 5.108.0+dfsg1+~cs14.7.20-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit e80513018dbb43623da4d166bd4001d32689c890
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 20:08:54 2026 +0200

    Fix watchpack depend

commit fdbf2b89677b1858bc5470c879d31e9b66268706
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 16:54:59 2026 +0200

    Use newer watchpack

commit e1012bcf6f3a97e6165c6a937ef87da98c83bc75
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 01:07:38 2026 +0200

    Refresh patches

commit 70a9a7da8630d19a33def6466252d0832b82c1a0
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 00:38:07 2026 +0200

    Fix version

commit 055ed40c3f38def7032bdb009a5fe0aa18e1fcc3
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 25 23:52:22 2026 +0200

    New upstream version

commit ace2195e07a24d4276232d6bd86beb5b9ad9c2e2
Merge: 67ddcb8 892a6dc
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 00:29:00 2026 +0200

    Update upstream source from tag 'upstream/5.108.0+dfsg1+_cs14.7.20'
    
    Update to upstream version '5.108.0+dfsg1+~cs14.7.20'
    with Debian dir ec2bc91528bff521d34b32a833d7242d164fa0f4

commit 892a6dc022545f51be2f9483953858ab9656b264
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri Jun 26 00:29:00 2026 +0200

    New upstream version 5.108.0+dfsg1+~cs14.7.20

commit 67ddcb851056a8a7ff01c343ecaf24a93343bdb0
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 25 22:49:18 2026 +0200

    Drop acorn package

Created: 2026-06-26 Last update: 2026-06-26 20:01

lintian reports 12 warnings normal

Lintian reports 12 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-24 Last update: 2026-06-24 23:17

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-02-06 Last update: 2026-06-28 07:00

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2024-43788: (needs triaging) Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
CVE-2025-68157: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
CVE-2025-68458: (needs triaging) Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-08-28 Last update: 2026-06-28 07:00

debian/patches: 1 patch to forward upstream low

Among the 6 debian patches available in version 5.107.2+dfsg1+~cs15.16.25-2 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-24 20:02

news

[rss feed]

[2026-06-28] node-webpack 5.107.2+dfsg1+~cs15.16.25-2 MIGRATED to testing (Debian testing watch)
[2026-06-24] Accepted node-webpack 5.107.2+dfsg1+~cs15.16.25-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-06-24] Accepted node-webpack 5.107.2+dfsg1+~cs15.16.25-1.1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-06-21] node-webpack 5.107.2+dfsg1+~cs15.16.25-1 MIGRATED to testing (Debian testing watch)
[2026-06-17] Accepted node-webpack 5.107.2+dfsg1+~cs15.16.25-1 (source) into unstable (Xavier Guimard)
[2026-05-29] node-webpack 5.106.2+dfsg1+~cs15.15.23-3 MIGRATED to testing (Debian testing watch)
[2026-05-22] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-21] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-06] Accepted node-webpack 5.106.2+dfsg1+~cs15.15.23-1 (source) into unstable (Xavier Guimard)
[2026-04-06] node-webpack 5.105.4+dfsg1+~cs15.13.23-3 MIGRATED to testing (Debian testing watch)
[2026-04-01] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-3 (source) into unstable (Xavier Guimard)
[2026-03-31] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-2 (source) into unstable (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.105.4+dfsg1+~cs15.13.23-1 (source) into experimental (Xavier Guimard)
[2026-03-29] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-4 (source) into unstable (Xavier Guimard)
[2025-06-13] node-webpack 5.97.1+dfsg1+~cs11.18.27-3 MIGRATED to testing (Debian testing watch)
[2025-05-23] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-3 (source) into unstable (Jérémy Lal)
[2025-03-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-2 MIGRATED to testing (Debian testing watch)
[2025-03-21] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-2 (source) into unstable (Jérémy Lal)
[2024-12-24] node-webpack 5.97.1+dfsg1+~cs11.18.27-1 MIGRATED to testing (Debian testing watch)
[2024-12-18] Accepted node-webpack 5.97.1+dfsg1+~cs11.18.27-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-08] node-webpack 5.96.1+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-11-03] Accepted node-webpack 5.96.1+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-11-02] node-webpack 5.95.0+dfsg1+~cs11.18.26-1 MIGRATED to testing (Debian testing watch)
[2024-10-28] Accepted node-webpack 5.95.0+dfsg1+~cs11.18.26-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-09-21] node-webpack 5.94.0+dfsg1+~cs11.18.26-2 MIGRATED to testing (Debian testing watch)
[2024-09-16] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-08-28] Accepted node-webpack 5.94.0+dfsg1+~cs11.18.26-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2024-02-18] node-webpack 5.76.1+dfsg2+~cs10.8.15-3 MIGRATED to testing (Debian testing watch)
[2024-02-12] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-01-06] Accepted node-webpack 5.76.1+dfsg2+~cs10.8.15-2 (source) into experimental (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 12)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.105.4+dfsg1+~cs15.13.23-2