🚨 [security] Update webpack 5.62.1 → 5.106.2 (minor) by depfu[bot] · Pull Request #276 · https-quantumblockchainai-atlassian-net/crystal-ai-nextjs-planetscale-starter

depfu · 2026-04-16T12:55:44Z

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack (5.62.1 → 5.106.2) · Repo · Changelog

Security Advisories 🚨

🚨 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

More info than we can show here.

🚨 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

More info than we can show here.

🚨 Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

More info than we can show here.

🚨 Cross-realm object access in Webpack 5

More info than we can show here.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu cancel merge
Cancels automatic merging of this PR

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

changeset-bot · 2026-04-16T12:55:49Z

⚠️ No Changeset found

Latest commit: f3cf7d3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

guardrails · 2026-04-16T12:56:05Z

⚠️ We detected 54 security issues in this pull request:

Vulnerable Libraries (54)

Severity	Details
N/A	pkg:npm/ajv@6.12.6 (t) upgrade to: 8.18.0
N/A	pkg:npm/ajv@8.6.3 (t) upgrade to: 8.18.0
Medium	pkg:npm/bn.js@4.12.0 (t) upgrade to: 5.2.3
Medium	pkg:npm/bn.js@5.2.0 (t) upgrade to: 5.2.3
Medium	pkg:npm/brace-expansion@1.1.11 (t) upgrade to: 5.0.5
High	pkg:npm/braces@3.0.2 (t) upgrade to: 3.0.3
High	pkg:npm/browserify-sign@4.2.1 (t) upgrade to: 4.2.2
Critical	pkg:npm/cipher-base@1.0.4 (t) upgrade to: 1.0.5
Medium	pkg:npm/cookiejar@2.1.3 (t) upgrade to: 2.1.4
High	pkg:npm/cross-spawn@6.0.5 (t) upgrade to: 7.0.5
High	pkg:npm/cross-spawn@7.0.3 (t) upgrade to: 7.0.5
High	pkg:npm/debug@2.6.9 (t) upgrade to: 3.1.0
High	pkg:npm/defu@5.0.0 (t) upgrade to: 6.1.5
N/A	pkg:npm/diff@4.0.2 (t) upgrade to: 8.0.3,5.2.2,4.0.4
N/A	pkg:npm/elliptic@6.5.4 (t) upgrade to: 6.6.1
Medium	pkg:npm/eslint@7.32.0 (t) upgrade to: 9.26.0
Critical	pkg:npm/flatted@3.2.2 (t) upgrade to: 3.4.2
N/A	pkg:npm/form-data@3.0.1 (t) upgrade to: 4.0.4,2.5.4,3.0.4
Critical	pkg:npm/formidable@1.2.2 (t) upgrade to: 3.2.4
High	pkg:npm/h3@0.2.12 (t) upgrade to: 2.0.1-rc.15,1.15.6
Critical	pkg:npm/ipx@0.7.2 (t) upgrade to: 1.3.2,2.1.1,3.1.1
Medium	pkg:npm/jose@4.1.4 (t) upgrade to: 4.15.5,2.0.7
Medium	pkg:npm/js-yaml@3.14.1 (t) upgrade to: 4.1.1
High	pkg:npm/json5@1.0.1 (t) upgrade to: 2.2.2
High	pkg:npm/json5@2.2.0 (t) upgrade to: 2.2.2
High	pkg:npm/loader-utils@1.2.3 (t) upgrade to: 2.0.4,3.2.1,1.4.2
High	pkg:npm/lodash@4.17.21 (t) upgrade to: 4.18.0
Medium	pkg:npm/micromatch@4.0.4 (t) - no patch available
High	pkg:npm/minimatch@3.0.4 (t) upgrade to: 7.4.8,6.2.2,5.1.8,4.2.5,3.1.3,10.2.3,9.0.7,8.0.6
Critical	pkg:npm/minimist@1.2.5 (t) upgrade to: 1.2.6
N/A	pkg:npm/nanoid@3.1.30 (t) upgrade to: 5.0.9,3.3.8
N/A	pkg:npm/next-auth@4.0.0-beta.6 (t) upgrade to: 4.24.12,5.0.0-beta.30
Medium	pkg:npm/next@12.0.5 (t) upgrade to: 16.1.7,15.5.13
High	pkg:npm/node-fetch@2.6.1 (t) upgrade to: 3.1.1,2.6.7
High	pkg:npm/node-fetch@2.6.6 (t) upgrade to: 3.1.1,2.6.7
High	pkg:npm/node-forge@0.10.0 (t) upgrade to: 1.4.0
N/A	pkg:npm/pbkdf2@3.1.2 (t) upgrade to: 3.1.3
Medium	pkg:npm/picomatch@2.3.0 (t) upgrade to: 2.3.2,4.0.4,3.0.2
Medium	pkg:npm/postcss@8.2.15 (t) upgrade to: 8.4.31
Medium	pkg:npm/postcss@8.3.11 (t) upgrade to: 8.4.31
Low	pkg:npm/qs@6.10.1 (t) upgrade to: 6.14.2
Medium	pkg:npm/semver@5.7.1 (t) upgrade to: 7.5.2
Medium	pkg:npm/semver@6.3.0 (t) upgrade to: 7.5.2
Medium	pkg:npm/semver@7.3.5 (t) upgrade to: 7.5.2
Critical	pkg:npm/sha.js@2.4.11 (t) upgrade to: 2.4.12
High	pkg:npm/sharp@0.28.3 (t) upgrade to: 0.32.6
High	pkg:npm/simple-get@3.1.0 (t) upgrade to: 4.0.1,3.1.1,2.8.2
N/A	pkg:npm/tar-fs@2.1.1 (t) upgrade to: 1.16.5,2.1.3,3.0.9
Low	pkg:npm/tmp@0.2.1 (t) upgrade to: 0.2.4
Medium	pkg:npm/tough-cookie@4.0.0 (t) upgrade to: 4.1.3
Medium	pkg:npm/word-wrap@1.2.3 (t) - no patch available
High	pkg:npm/ws@7.5.5 (t) upgrade to: 5.2.4,6.2.3,7.5.10,8.17.1
High	pkg:npm/ws@8.2.3 (t) upgrade to: 8.17.1,5.2.4,6.2.3,7.5.10
Medium	pkg:npm/yaml@1.10.2 (t) upgrade to: 2.8.3,1.10.3

More info on how to fix Vulnerable Libraries in JavaScript.

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

socket-security · 2026-04-16T12:56:38Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	webpack@5.62.1 ⏵ 5.106.2	^-9	⁺⁷⁵	^-1	⁺⁴

View full report

socket-security · 2026-04-16T12:56:39Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: npm `caniuse-lite` under CC-BY-4.0 License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (npm metadata) License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/package.json) License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/LICENSE) From: `?` → `npm/webpack@5.106.2` → `npm/caniuse-lite@1.0.30001788` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/caniuse-lite@1.0.30001788`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Update webpack to version 5.106.2

f3cf7d3

depfu Bot added the depfu label Apr 16, 2026

depfu Bot mentioned this pull request Apr 16, 2026

🚨 [security] Update webpack 5.62.1 → 5.106.1 (minor) #274

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🚨 [security] Update webpack 5.62.1 → 5.106.2 (minor)#276

🚨 [security] Update webpack 5.62.1 → 5.106.2 (minor)#276
depfu[bot] wants to merge 1 commit intomainfrom
depfu/update/yarn/webpack-5.106.2

depfu Bot commented Apr 16, 2026

Uh oh!

changeset-bot Bot commented Apr 16, 2026

Uh oh!

guardrails Bot commented Apr 16, 2026

Uh oh!

socket-security Bot commented Apr 16, 2026

Uh oh!

socket-security Bot commented Apr 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

depfu Bot commented Apr 16, 2026

What changed?

✳️ webpack (5.62.1 → 5.106.2) · Repo · Changelog

🚨 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

🚨 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

🚨 Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

🚨 Cross-realm object access in Webpack 5

Uh oh!

changeset-bot Bot commented Apr 16, 2026

⚠️ No Changeset found

Uh oh!

guardrails Bot commented Apr 16, 2026

Uh oh!

socket-security Bot commented Apr 16, 2026

Uh oh!

socket-security Bot commented Apr 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants