Skip to content

Bump webpack from 5.107.2 to 5.108.3#920

Merged
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/webpack-5.108.3
Jul 3, 2026
Merged

Bump webpack from 5.107.2 to 5.108.3#920
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/webpack-5.108.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps webpack from 5.107.2 to 5.108.3.

Release notes

Sourced from webpack's releases.

v5.108.3

Patch Changes

v5.108.2

Patch Changes

v5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

v5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

  • Add a bun target that emits ESM and externalizes bun:* and node.js built-in modules. (by @​alexander-akait in #21248)

  • Support CommonJS reexports via Object.defineProperty value and getter descriptors. (by @​alexander-akait in #21129)

  • Support JSON Schema const when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Support JSON Schema if/then/else when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Skip import specifiers, require() and import() calls in dead conditional branches gated by inlined imported constants (isDEV ? A : B), evaluated via getCondition. (by @​hai-x in #21136)

  • CSS localIdentName [hash] now resolves to the local ident hash (matching css-loader); use [modulehash] for the module hash. (by @​alexander-akait in #21259)

  • Add CSS parser as option and resolve url() inside HTML style attributes. (by @​alexander-akait in #21157)

  • Add dedicated module classes for all built-in module types. (by @​alexander-akait in #21164)

  • Support .html/.css for the default ./src entry under the html/css experiments. (by @​alexander-akait in #21039)

  • Add defineConfig helper for typed configuration files. (by @​alexander-akait in #21169)

  • Add a deno target (with versions, e.g. deno, deno2, deno1.40) that emits ESM, resolves node.js built-ins via the required node: specifier, and keeps Deno's own import protocols (npm:, jsr:, node:, http(s)://) external. (by @​alexander-akait in #21247)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.108.3

Patch Changes

5.108.2

Patch Changes

5.108.1

Patch Changes

  • Fix invalid property access for escaped namespace imports with multi-character mangled export names. (by @​xiaoxiaojx in #21280)

  • Add frames to ProfilingPlugin TracingStartedInBrowser event so the trace loads in Chrome DevTools. (by @​alexander-akait in #21269)

5.108.0

Minor Changes

  • Treat top-level await and import.meta as ES module markers, matching Node.js syntax detection so no explicit module type is needed. (by @​alexander-akait in #21218)

  • Add a bun target that emits ESM and externalizes bun:* and node.js built-in modules. (by @​alexander-akait in #21248)

  • Support CommonJS reexports via Object.defineProperty value and getter descriptors. (by @​alexander-akait in #21129)

  • Support JSON Schema const when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Support JSON Schema if/then/else when generating CLI flags from a schema. (by @​alexander-akait in #21087)

  • Skip import specifiers, require() and import() calls in dead conditional branches gated by inlined imported constants (isDEV ? A : B), evaluated via getCondition. (by @​hai-x in #21136)

  • CSS localIdentName [hash] now resolves to the local ident hash (matching css-loader); use [modulehash] for the module hash. (by @​alexander-akait in #21259)

  • Add CSS parser as option and resolve url() inside HTML style attributes. (by @​alexander-akait in #21157)

  • Add dedicated module classes for all built-in module types. (by @​alexander-akait in #21164)

  • Support .html/.css for the default ./src entry under the html/css experiments. (by @​alexander-akait in #21039)

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 1, 2026
@dependabot dependabot Bot requested a review from ikuwow as a code owner July 1, 2026 20:02
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 1, 2026
@github-actions github-actions Bot enabled auto-merge (squash) July 1, 2026 20:03
@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​webpack@​5.107.2 ⏵ 5.108.380 -11009399 +1100

View full report

@socket-security

socket-security Bot commented Jul 1, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm webpack is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-5.108.3 branch from 460a2de to c101488 Compare July 1, 2026 20:06
ikuwow added a commit that referenced this pull request Jul 3, 2026
Webpack production mode already minifies bundles with Terser. The
extra Middleman-side minify_javascript pass fed the webpack output
back into uglifier (4.2.1), which cannot parse the modern JS syntax
(optional chaining etc.) that webpack 5.108.x emits in its runtime.
That triggered "Unexpected token: punc (.)" on
build/bundle-critical-*.js and failed the CircleCI build for
#920 (webpack 5.107.2 -> 5.108.3).

Uglifier gem itself is unmaintained (last release 2020-03) and the
underlying UglifyJS does not support modern JS, so keeping the pass
would only defer the problem.

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
@ikuwow

ikuwow commented Jul 3, 2026

Copy link
Copy Markdown
Owner

@dependabot rebase

Bumps [webpack](https://github.com/webpack/webpack) from 5.107.2 to 5.108.3.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.107.2...v5.108.3)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.108.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-5.108.3 branch from c101488 to 9b9e77a Compare July 3, 2026 04:37
@github-actions github-actions Bot merged commit 6489e3c into master Jul 3, 2026
6 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/webpack-5.108.3 branch July 3, 2026 04:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant