fix: dedupe extracted comments in linear time

claude · claude · commit 552d1e47dd3e · 2026-05-27T15:43:28.000Z
The default comment-extraction path checked each preserved comment with Array.prototype.includes against a growing array, making deduplication O(n^2) in the number of distinct preserved comments. A crafted asset with many distinct comments could cause superlinear, CPU-bound build slowdown (GHSA-8cjx-vvr8-p635). Track membership with a Set for O(1) lookups while preserving output order. https://claude.ai/code/session_01XE82o4oLA4FdUP8r7yGd4r
diff --git a/.changeset/dedupe-extracted-comments-linear.md b/.changeset/dedupe-extracted-comments-linear.md
@@ -0,0 +1,5 @@
+---
+"minimizer-webpack-plugin": patch
+---
+
+fix quadratic slowdown when deduplicating extracted comments (GHSA-8cjx-vvr8-p635); membership is now tracked with a `Set` so build time scales linearly with the number of distinct preserved comments
diff --git a/.cspell.json b/.cspell.json
@@ -46,7 +46,8 @@
     "lightningcss",
     "sourcefile",
     "stringifier",
-    "sourcesContent"
+    "sourcesContent",
+    "GHSA"
   ],
   "ignorePaths": [
     "CHANGELOG.md",
diff --git a/src/utils.js b/src/utils.js
@@ -223,6 +223,8 @@ async function terserMinify(
 
     // Redefine the comments function to extract and preserve
     // comments according to the two conditions
+    const seenComments = new Set(extractedComments);
+
     return (astNode, comment) => {
       if (
         /** @type {{ extract: ExtractCommentsFunction }} */
@@ -234,7 +236,8 @@ async function terserMinify(
             : `//${comment.value}`;
 
         // Don't include duplicate comments
-        if (!extractedComments.includes(commentText)) {
+        if (!seenComments.has(commentText)) {
+          seenComments.add(commentText);
           extractedComments.push(commentText);
         }
       }
@@ -477,6 +480,8 @@ async function uglifyJsMinify(
 
     // Redefine the comments function to extract and preserve
     // comments according to the two conditions
+    const seenComments = new Set(extractedComments);
+
     return (astNode, comment) => {
       if (
         /** @type {{ extract: ExtractCommentsFunction }} */
@@ -488,7 +493,8 @@ async function uglifyJsMinify(
             : `//${comment.value}`;
 
         // Don't include duplicate comments
-        if (!extractedComments.includes(commentText)) {
+        if (!seenComments.has(commentText)) {
+          seenComments.add(commentText);
           extractedComments.push(commentText);
         }
       }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"minimizer-webpack-plugin": patch
 +---
++
 +fix quadratic slowdown when deduplicating extracted comments (GHSA-8cjx-vvr8-p635); membership is now tracked with a `Set` so build time scales linearly with the number of distinct preserved comments