You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CSS @import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @imported by a "style" parent. (by @xiaoxiaojx in #20838)
Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @xiaoxiaojx in #20801)
Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @xiaoxiaojx in #20821)
Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @xiaoxiaojx in #20823)
Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @xiaoxiaojx in #20796)
Prevent !important from being renamed as a local identifier in CSS modules. (by @xiaoxiaojx in #20798)
Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @xiaoxiaojx in #20799)
Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @xiaoxiaojx in #20579)
Add context option support for VirtualUrlPlugin (by @xiaoxiaojx in #20449)
The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
Support custom context path for resolving relative imports in virtual modules
Add examples demonstrating context usage and filename customization
Generate different CssModule instances for different exportType values. (by @xiaoxiaojx in #20590)
Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @alexander-akait in #20694)
Additionally, the localIdentName option can now be a function.
Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @ahabhgk in #20548)
Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @xiaoxiaojx in #20275)
Allow external modules place in async chunks when output ECMA module. (by @hai-x in #20662)
Implement deprecate flag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @bjohansebas in #20432)
Set .name to "default" for anonymous default export functions and classes per ES spec (by @xiaoxiaojx in #20773)
Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @xiaoxiaojx in #20724)
Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @xiaoxiaojx in #20648)
Correct url() path resolution and preserve source maps for non-link CSS export types (style, text, css-style-sheet) (by @xiaoxiaojx in #20717)
Emit error when proxy server returns non-200 status code in HttpUriPlugin instead of silently failing. (by @xiaoxiaojx in #20646)
import.meta as standalone expression now returns a complete object with known properties (url, webpack, main, env) instead of an empty object ({}), and hoists it as a module-level variable to ensure import.meta === import.meta identity. In preserve-unknown mode (ESM output), the hoisted object merges runtime import.meta properties via Object.assign. (by @xiaoxiaojx in #20658)
Fix incorrect condition in FileSystemInfo that always evaluated to false, preventing trailing slash removal from directory paths during build dependency resolution. (by @xiaoxiaojx in #20649)
fix: VirtualUrlPlugin absolute path virtual module IDs getting concatenated with compiler context (by @xiaoxiaojx in #20656)
When a virtual module ID is an absolute path (e.g. virtual:C:/project/user.js), the auto-derived context was incorrectly joined with compiler.context, producing a concatenated path like C:\cwd\C:\project. Now absolute-path contexts are used directly.
All deprecated methods and options now have @deprecated flag in types. (by @alexander-akait in #20707)
Fix CompatibilityPlugin to correctly rename __webpack_require__ when it appears as an arrow function parameter (e.g. (__webpack_module, __webpack_exports, __webpack_require__) => { ... }). (by @hai-x in #20661)
Configuration
📅 Schedule: (UTC)
Branch creation
At any time (no schedule defined)
Automerge
At any time (no schedule defined)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
If you want to rebase/retry this PR, check this box
renovateBot
changed the title
chore(deps): update dependency webpack to v5.105.2
chore(deps): update dependency webpack to v5.105.2 - autoclosed
Feb 20, 2026
renovateBot
changed the title
chore(deps): update dependency webpack to v5.105.2 - autoclosed
chore(deps): update dependency webpack to v5.105.3
Feb 26, 2026
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/webpack@5.106.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
renovateBot
changed the title
chore(deps): update dependency webpack to v5.106.2
chore(deps): update dependency webpack to v5.106.2 - autoclosed
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
Bot
changed the title
This PR contains the following updates:
5.105.4→5.106.2Release Notes
webpack/webpack (webpack)
v5.106.2Compare Source
Patch Changes
CSS @import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @imported by a "style" parent. (by @xiaoxiaojx in #20838)
Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @xiaoxiaojx in #20801)
Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator
exportsOnly, JsonGeneratorJSONParse, WebAssemblyGeneratormangleImports). (by @xiaoxiaojx in #20821)Fix
||default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g.modules: false,entries: false,entrypoints: false). (by @xiaoxiaojx in #20823)Migrate from
mime-typestomime-db. (by @alexander-akait in #20812)Handle
@charsetat-rules in CSS modules. (by @alexander-akait in #20831)Marked all experimental options in types. (by @alexander-akait in #20814)
v5.106.1Compare Source
Patch Changes
Fix two ES5-environment regressions in the anonymous default export
.namefix-up: the generated code referenced an undeclared__WEBPACK_DEFAULT_EXPORT__binding causingReferenceError, and usedReflect.definePropertywhich is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and usesObject.defineProperty/Object.getOwnPropertyDescriptor. (by @xiaoxiaojx in #20796)Prevent
!importantfrom being renamed as a local identifier in CSS modules. (by @xiaoxiaojx in #20798)Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @xiaoxiaojx in #20799)
v5.106.0Compare Source
Minor Changes
Add
exportType: "style"for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @xiaoxiaojx in #20579)Add
contextoption support for VirtualUrlPlugin (by @xiaoxiaojx in #20449)Generate different
CssModuleinstances for differentexportTypevalues. (by @xiaoxiaojx in #20590)Added the
localIdentHashFunctionoption to configure the hash function to be used for hashing. (by @alexander-akait in #20694)Additionally, the
localIdentNameoption can now be a function.Added support for destructuring assignment
requirein cjs, allowing for tree shaking. (by @ahabhgk in #20548)Added the
validateoption to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @xiaoxiaojx in #20275)Added
sourcesupport for async WASM modules. (by @magic-akari in #20364)Patch Changes
Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @xiaoxiaojx in #20614)
Included fragment groups in the conflicting order warning for CSS. (by @aryanraj45 in #20660)
Avoid rendering unused top-level
__webpack_exports__declaration when output ECMA module library. (by @hai-x in #20669)Fixed resolving in CSS modules. (by @alexander-akait in #20771)
Allow external modules place in async chunks when output ECMA module. (by @hai-x in #20662)
Implement
deprecateflag in schema for better TypeScript support to show which options are already deprecated by the configuration (by @bjohansebas in #20432)Set
.nameto"default"for anonymous default export functions and classes per ES spec (by @xiaoxiaojx in #20773)Hash entry chunks after runtime chunks to prevent stale content hash references in watch mode (by @xiaoxiaojx in #20724)
Fix multiple bugs and optimizations in CSS modules: correct third code point position in walkCssTokens number detection, fix multiline CSS comment regex, fix swapped :import/:export error message, fix comma callback incorrectly popping balanced stack, fix cache comparison missing array length check, fix match.index mutation side effect, move publicPathAutoRegex to module scope, precompute merged callbacks in consumeUntil, simplify redundant ternary in CssGenerator, fix typo GRID_TEMPLATE_ARES, remove duplicate grid-column-start, and merge duplicate getCompilationHooks calls. (by @xiaoxiaojx in #20648)
Correct url() path resolution and preserve source maps for non-link CSS export types (style, text, css-style-sheet) (by @xiaoxiaojx in #20717)
Emit error when proxy server returns non-200 status code in HttpUriPlugin instead of silently failing. (by @xiaoxiaojx in #20646)
import.metaas standalone expression now returns a complete object with known properties (url,webpack,main,env) instead of an empty object({}), and hoists it as a module-level variable to ensureimport.meta === import.metaidentity. Inpreserve-unknownmode (ESM output), the hoisted object merges runtimeimport.metaproperties viaObject.assign. (by @xiaoxiaojx in #20658)Fix incorrect condition in FileSystemInfo that always evaluated to false, preventing trailing slash removal from directory paths during build dependency resolution. (by @xiaoxiaojx in #20649)
fix: VirtualUrlPlugin absolute path virtual module IDs getting concatenated with compiler context (by @xiaoxiaojx in #20656)
When a virtual module ID is an absolute path (e.g.
virtual:C:/project/user.js), the auto-derived context was incorrectly joined withcompiler.context, producing a concatenated path likeC:\cwd\C:\project. Now absolute-path contexts are used directly.All deprecated methods and options now have
@deprecatedflag in types. (by @alexander-akait in #20707)Fix
CompatibilityPluginto correctly rename__webpack_require__when it appears as an arrow function parameter (e.g.(__webpack_module, __webpack_exports, __webpack_require__) => { ... }). (by @hai-x in #20661)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.