Skip to content

Bump webpack from 5.100.2 to 5.105.0 in /documentation#877

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/documentation/webpack-5.105.0
Closed

Bump webpack from 5.100.2 to 5.105.0 in /documentation#877
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/documentation/webpack-5.105.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Feb 7, 2026

Copy link
Copy Markdown
Contributor

Bumps webpack from 5.100.2 to 5.105.0.

Release notes

Sourced from webpack's releases.

v5.105.0

Minor Changes

  • Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

  • Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

  • Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

  • Support import.defer() for context modules. (by @​ahabhgk in #20399)

  • Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

  • Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

  • Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

  • Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

  • Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

  • Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

  • Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

  • Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

  • Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

  • Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

  • Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

  • Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

  • Fixed import.meta.env.xxx behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by @​xiaoxiaojx in #20289)

  • Improved parsing error reporting by adding a link to the loader documentation. (by @​gaurav10gg in #20244)

  • Fix typescript types. (by @​alexander-akait in #20305)

  • Add declaration for unused harmony import specifier. (by @​hai-x in #20286)

  • Fix compressibility of modules while retaining portability. (by @​dmichon-msft in #20287)

  • Optimize source map generation: only include ignoreList property when it has content, avoiding empty arrays in source maps. (by @​xiaoxiaojx in #20319)

  • Preserve star exports for dependencies in ECMA module output. (by @​hai-x in #20293)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.0

Minor Changes

  • Allow resolving worker module by export condition name when using new Worker() (by @​hai-x in #20353)

  • Detect conditional imports to avoid compile-time linking errors for non-existent exports. (by @​hai-x in #20320)

  • Added the tsconfig option for the resolver options (replacement for tsconfig-paths-webpack-plugin). Can be false (disabled), true (use the default tsconfig.json file to search for it), a string path to tsconfig.json, or an object with configFile and references options. (by @​alexander-akait in #20400)

  • Support import.defer() for context modules. (by @​ahabhgk in #20399)

  • Added support for array values ​​to the devtool option. (by @​hai-x in #20191)

  • Improve rendering node built-in modules for ECMA module output. (by @​hai-x in #20255)

  • Unknown import.meta properties are now determined at runtime instead of being statically analyzed at compile time. (by @​xiaoxiaojx in #20312)

Patch Changes

  • Fixed ESM default export handling for .mjs files in Module Federation (by @​y-okt in #20189)

  • Optimized import.meta.env handling in destructuring assignments by using cached stringified environment definitions. (by @​xiaoxiaojx in #20313)

  • Respect the stats.errorStack option in stats output. (by @​samarthsinh2660 in #20258)

  • Fixed a bug where declaring a module variable in module scope would conflict with the default moduleArgument. (by @​xiaoxiaojx in #20265)

  • Fix VirtualUrlPlugin to set resourceData.context for proper module resolution. Previously, when context was not set, it would fallback to the virtual scheme path (e.g., virtual:routes), which is not a valid filesystem path, causing subsequent resolve operations to fail. (by @​xiaoxiaojx in #20390)

  • Fixed Worker self-import handling to support various URL patterns (e.g., import.meta.url, new URL(import.meta.url), new URL(import.meta.url, import.meta.url), new URL("./index.js", import.meta.url)). Workers that resolve to the same module are now properly deduplicated, regardless of the URL syntax used. (by @​xiaoxiaojx in #20381)

  • Reuse the same async entrypoint for the same Worker URL within a module to avoid circular dependency warnings when multiple Workers reference the same resource. (by @​xiaoxiaojx in #20345)

  • Fixed a bug where a self-referencing dependency would have an unused export name when imported inside a web worker. (by @​samarthsinh2660 in #20251)

  • Fix missing export generation when concatenated modules in different chunks share the same runtime in module library bundles. (by @​hai-x in #20346)

  • Fixed import.meta.env.xxx behavior: when accessing a non-existent property, it now returns empty object instead of full object at runtime. (by @​xiaoxiaojx in #20289)

  • Improved parsing error reporting by adding a link to the loader documentation. (by @​gaurav10gg in #20244)

  • Fix typescript types. (by @​alexander-akait in #20305)

  • Add declaration for unused harmony import specifier. (by @​hai-x in #20286)

  • Fix compressibility of modules while retaining portability. (by @​dmichon-msft in #20287)

  • Optimize source map generation: only include ignoreList property when it has content, avoiding empty arrays in source maps. (by @​xiaoxiaojx in #20319)

... (truncated)

Commits
  • 1486f9a chore(release): new release
  • 1a517f6 feat: added the tsconfig option for the resolver options (#20400)
  • 7b3b0f7 feat: support import.defer() for context modules
  • c4a6a92 refactor: more types and increase types coverage
  • 5ecc58d feat: consider asset module as side-effect-free (#20352)
  • cce0f69 test: avoid comma operator in BinaryMiddleware test (#20398)
  • cd4793d feat: support import specifier guard (#20320)
  • fe48655 docs: update examples (#20397)
  • de107f8 fix(VirtualUrlPlugin): set resourceData.context to avoid invalid fallback (#2...
  • a656ab1 test: add self-import test case for dynamic import (#20389)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [webpack](https://github.com/webpack/webpack) from 5.100.2 to 5.105.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.100.2...v5.105.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.105.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Feb 7, 2026
@netlify

netlify Bot commented Feb 7, 2026

Copy link
Copy Markdown

Deploy Preview for opal-docs ready!

Name Link
🔨 Latest commit b6ab300
🔍 Latest deploy log https://app.netlify.com/projects/opal-docs/deploys/6987609e2b01d3000870248a
😎 Deploy Preview https://deploy-preview-877--opal-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@zeevmoney

Copy link
Copy Markdown
Contributor

Superseded by #925, which consolidates all six open Dependabot updates for the /documentation site into a single PR — and upgrades the security-relevant deps (axios, node-forge, lodash) past the proposed versions to fully clear their advisories. Closing in favor of #925.

@zeevmoney zeevmoney closed this Jun 24, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/documentation/webpack-5.105.0 branch June 24, 2026 11:20
zeevmoney added a commit that referenced this pull request Jun 24, 2026
…latest (PER-15242) (#925)

* chore(deps): consolidate dependabot bumps for documentation site

Consolidate the six open Dependabot updates for the /documentation Docusaurus
site into one change, upgrading the security-relevant deps past the
Dependabot-proposed versions to fully clear their known advisories:

- axios              1.12.2  -> 1.18.1  (direct; clears proxy MITM, proxy
                                         credential leak, SSRF, ReDoS)
- node-forge         1.3.1   -> 1.4.0   (resolutions; clears RSA/Ed25519
                                         signature forgery, basicConstraints
                                         chain bypass)
- lodash             4.17.21 -> 4.18.1  (resolutions; clears _.template code
                                         injection)
- webpack            5.100.2 -> 5.105.0 (clears buildHttp SSRF)
- altcha-lib         1.3.0   -> 1.4.1   (clears PoW challenge replay)
- mdast-util-to-hast 13.1.0  -> 13.2.1  (clears unsanitized class attribute)

Supersedes #879, #877, #868, #854, #851, #849. node-forge and lodash are
transitive deps, pinned via yarn resolutions. yarn.lock regenerated with
yarn 1.22.22; validated with --frozen-lockfile and a successful `yarn build`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): update remaining documentation deps to latest

Bring the rest of the /documentation Docusaurus site dependencies up to
latest, on top of the Dependabot security consolidation:

- @docusaurus/*            3.9.1   -> 3.10.1
- react / react-dom        18.3.1  -> 19.2.7  (major; Docusaurus 3.10 supports React 19)
- @inkeep/cxkit-docusaurus 0.5.100 -> 0.5.119
- prism-react-renderer     2.3.1   -> 2.4.1
- sass                     1.93.2  -> 1.101.0
- webpack                  5.105.0 -> 5.107.2 (transitive)

axios (1.18.1), node-forge (1.4.0) and lodash (4.18.1) are already at latest
from the prior commit. altcha-lib stays at 1.4.1: its consumer @inkeep
declares ^1.2.0, so 2.x cannot be forced without overriding @inkeep.

Validated with yarn install --frozen-lockfile, yarn build, and a local
docusaurus dev server (compiles with webpack 5.107.2, serves HTTP 200).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): migrate documentation site from yarn to pnpm

Replace yarn 1.22.22 with pnpm 11.9.0 as the documentation site's package
manager:

- packageManager -> pnpm@11.9.0 (with corepack integrity hash)
- yarn.lock removed; pnpm-lock.yaml generated
- yarn `resolutions` (node-forge 1.4.0, lodash 4.18.1) moved to
  pnpm-workspace.yaml `overrides` (pnpm v11 no longer reads the package.json
  `pnpm` field). The stale npm-style `overrides` block (got/trim) is dropped:
  it never applied under yarn (got resolves to 12.x) and trim is not in the tree.
- pnpm-workspace.yaml `allowBuilds` permits @parcel/watcher (native file
  watcher) and blocks core-js (funding-only postinstall), since pnpm blocks
  dependency build scripts by default.
- Makefile `docs-dev` target and documentation/.gitignore updated for pnpm.

Validated: pnpm install, pnpm build (Docusaurus 3.10 + React 19 compile
cleanly) and pnpm start (dev server serves HTTP 200, webpack 5.107.2).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(contributing): update docs-site setup instructions for pnpm

The CONTRIBUTING guide told contributors to use `npm install` / `npm run
start` for the documentation site. Update it to pnpm (via Corepack) to match
the package-manager migration, and fix the step that said "docs directory"
while the command navigates to `documentation`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: exclude pnpm-lock.yaml from codespell

The codespell hook skipped *.json and *.lock, which covered yarn.lock but not
the new pnpm-lock.yaml. codespell then tripped on false positives inside
package hashes/metadata (e.g. "devlop", "trough"). Add *pnpm-lock.yaml to the
skip list (wildcard prefix so it matches the nested documentation/ path, the
same way *.lock did).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci(netlify): pin docs site build to pnpm via netlify.toml

Netlify deploy previews are disabled for the repo, so the pnpm migration was
never exercised on Netlify; the production deploy relied on the dashboard
build command, which still referenced the old (yarn) setup. Add a netlify.toml
that pins the build in-repo: base=documentation, command="pnpm build",
publish=build. Netlify auto-runs `pnpm install` from the lockfile and
provisions pnpm@11.9.0 via the packageManager field. COREPACK_INTEGRITY_KEYS=0
works around Corepack's signature-fetch failure for newer pnpm on Netlify's
build image (the version is still hash-pinned by packageManager).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(make): use corepack pnpm in docs-dev target

The docs-dev target called `pnpm` directly, which fails on machines that have
Corepack but no globally installed pnpm (and haven't run `corepack enable`).
Use `corepack pnpm start` so the target runs the pnpm version pinned in
documentation/package.json without prior setup.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* ci: add docs-build workflow for the pnpm/Docusaurus site

Nothing in CI built or installed the documentation site; the only build was
Netlify's production deploy (previews disabled), so docs build breakage was
not caught on PRs. This matters now that the site uses pnpm and React 19.

Add a documentation/**-scoped workflow that runs on pull requests and pushes
to the default branch: corepack enable -> pnpm install --frozen-lockfile ->
pnpm build. The frozen install also catches lockfile drift. Actions are
SHA-pinned to their release tags, checkout uses persist-credentials: false,
and permissions are contents: read.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant