Bump the build group across 1 directory with 12 updates

[dependabot]

Bumps the build group with 12 updates in the / directory:

Package	From	To
core-js	3.48.0	3.49.0
css-loader	7.1.3	7.1.4
sass	1.97.3	1.100.0
sass-loader	16.0.7	17.0.0
terser	5.46.0	5.48.0
typescript	5.9.3	6.0.3
webpack	5.105.2	5.107.2
@babel/preset-env	7.29.0	7.29.7
@babel/preset-typescript	7.28.5	7.29.7
ts-loader	9.5.4	9.6.0
webpack-cli	6.0.1	7.0.3
webpack-dev-server	5.2.3	5.2.4

Updates core-js from 3.48.0 to 3.49.0

Changelog

Sourced from core-js's changelog.

3.49.0 - 2026.03.16

• Changes v3.48.0...v3.49.0 (373 commits)
• Iterator.range updated following the actual spec version
  • Throw a RangeError on NaN start / end / step
  • Allow null as optionOrStep
• Improved accuracy of Math.{ asinh, atanh } polyfills with big and small values
• Improved accuracy of Number.prototype.toExponential polyfills with big and small values
• Improved performance of atob, btoa, Uint8Array.fromHex, Uint8Array.prototype.setFromHex, and Uint8Array.prototype.toHex, #1503, #1464, #1510, thanks @​johnzhou721
• Minor performance optimization polyfills of methods from Map upsert proposal
• Polyfills of methods from Map upsert proposal from the pure version made generic to make it work with polyfilled and native collections
• Wrap Symbol.for in Symbol.prototype.description polyfill for correct handling of empty string descriptions
• Fixed a modern Safari bug in Array.prototype.includes with sparse arrays and fromIndex
• Fixed one more case (Iterator.prototype.take) of a V8 ~ Chromium < 126 bug
• Forced replacement of Iterator.{ concat, zip, zipKeyed } in the pure version for ensuring proper wrapped Iterator instances as the result
• Fixed proxying .return() on exhausted iterator from some methods of iterator helpers polyfill to the underlying iterator
• Fixed double .return() calling in case of throwing error in this method in the internal iterate helper that affected some polyfills
• Fixed closing iterator on IteratorValue errors in the internal iterate helper that affected some polyfills
• Fixed iterator closing in Array.from polyfill on failure to create array property
• Fixed order of arguments validation in Array.fromAsync polyfill
• Fixed a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync polyfill
• Fixed order of arguments validation in Array.prototype.flat polyfill
• Fixed handling strings as iterables in Iterator.{ zip, zipKeyed } polyfills
• Fixed some cases of iterators closing in Iterator.{ zip, zipKeyed } polyfills
• Fixed validation of iterators .next() results an objects in Iterator.{ zip, zipKeyed } polyfills
• Fixed a lack of early error in Iterator.concat polyfill on primitive as an iterator
• Fixed buffer mutation exposure in Iterator.prototype.windows polyfill
• Fixed iterator closing in Set.prototype.{ isDisjointFrom, isSupersetOf } polyfill
• Fixed (updated following the final spec) one more case Set.prototype.difference polyfill with updating this
• Fixed DataView.prototype.setFloat16 polyfill in (0, 1) range
• Fixed order of arguments validation in String.prototype.{ padStart, padEnd } polyfills
• Fixed order of arguments validation in String.prototype.{ startsWith, endsWith } polyfills
• Fixed some cases of Infinity handling in String.prototype.substr polyfill
• Fixed String.prototype.repeat polyfill with a counter exceeding 2 ** 32
• Fixed some cases of chars case in escape polyfill
• Fixed named backreferences in RegExp NCG polyfill
• Fixed some cases of RegExp NCG polyfill in combination with other types of groups
• Fixed some cases of RegExp NCG polyfill in combination with dotAll
• Fixed String.prototype.replace with sticky polyfill, #810, #1514
• Fixed RegExp sticky polyfill with alternation
• Fixed handling of some line terminators in case of multiline + sticky mode in RegExp polyfill
• Fixed .input slicing on result object with RegExp sticky mode polyfill
• Fixed handling of empty groups with global and unicode modes in polyfills
• Fixed URLSearchParam.prototype.delete polyfill with duplicate key-value pairs
• Fixed possible removal of unnecessary entries in URLSearchParam.prototype.delete polyfill with second argument
• Fixed an error in some cases of non-special URLs without a path in the URL polyfill
• Fixed some percent encode cases / character sets in the URL polyfill
• Fixed parsing of non-IPv4 hosts ends in a number in the URL polyfill
• Fixed some cases of '' and null host handling in the URL polyfill
• Fixed host parsing with hostname = host:port in the URL polyfill
• Fixed host inheritance in some cases of file scheme in the URL polyfill

... (truncated)

Commits

• 80adfc4 v3.49.0
• 0ad3e00 fix a modern Safari bug in Array.prototype.includes with sparse arrays and ...
• 853bfa4 update some links
• b4d723f fix a lack of counter validation on MAX_SAFE_INTEGER in Array.fromAsync p...
• e276676 fix parsing of non-IPv4 hosts ends in a number in the URL polyfill
• dd1cfba fix order of arguments validation in String.prototype.{ padStart, padEnd } ...
• b952c5f add an extra protection to configurator
• e490caf Fix for #810 (#1514)
• 10b4e86 drop an unneeded comment
• 28cf2e9 feat: Improve performance of Uint8Array Hex functions (#1510)
• Additional commits viewable in compare view

Updates css-loader from 7.1.3 to 7.1.4

Release notes

Sourced from css-loader's releases.

v7.1.4

7.1.4 (2026-02-16)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1652) (aeddefe)

Changelog

Sourced from css-loader's changelog.

7.1.4 (2026-02-16)

Bug Fixes

• update peer dependency for @​rspack/core v2 (#1652) (aeddefe)

Commits

• 5b795af chore(release): 7.1.4
• aeddefe fix: update peer dependency for @​rspack/core v2 (#1652)
• See full diff in compare view

Updates sass from 1.97.3 to 1.100.0

Release notes

Sourced from sass's releases.

Dart Sass 1.100.0

To install Sass 1.100.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Dart Sass 1.99.0

To install Sass 1.99.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

Changes

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

See the full changelog for changes in earlier releases.

Dart Sass 1.98.0

To install Sass 1.98.0, download one of the packages below and add it to your PATH, or see the Sass website for full installation instructions.

... (truncated)

Changelog

Sourced from sass's changelog.

1.100.0

• Writing two compound selectors adjacent to one another without any whitespace between them, such as [class]a, is now deprecated. This was always an error in CSS and Sass only supported it by mistake.

  See the Sass website for details.

1.99.0

• Add support for parent selectors (&) at the root of the document. These are emitted as-is in the CSS output, where they're interpreted as the scoping root.

• User-defined functions named calc or clamp are no longer forbidden. If such a function exists without a namespace in the current module, it will be used instead of the built-in calc() or clamp() function.

• User-defined functions whose names begin with - and end with -expression, -url, -and, -or, or -not are no longer forbidden. These were originally intended to match vendor prefixes, but in practice no vendor prefixes for these functions ever existed in real browsers.

• User-defined functions named EXPRESSION, URL, and ELEMENT, those that begin with - and end with -ELEMENT, as well as the same names with some lowercase letters are now deprecated, These are names conflict with plain CSS functions that have special syntax.

  See the Sass website for details.

• In a future release, calls to functions whose names begin with - and end with -expression and -url will no longer have special parsing. For now, these calls are deprecated if their behavior will change in the future.

  See the Sass website for details.

• Calls to functions whose names begin with - and end with -progid:... are deprecated.

  See the Sass website for details.

1.98.0

Command-Line Interface

• Gracefully handle dependency loops in --watch mode.

... (truncated)

Commits

• 5fd18c7 Bump node engine requirement to >=20.19.0 and chokidar requirement to ^5.0.0 ...
• 8c1d984 Deprecate adjacent compound selectors (#2765)
• 8e5f718 Bump postcss from 8.5.12 to 8.5.13 in /pkg/sass-parser (#2767)
• 1447f9b Bump postcss from 8.5.8 to 8.5.12 in /pkg/sass-parser (#2766)
• 83c39fe Support the top-level parent selector (#2758)
• ec85871 Bump EndBug/add-and-commit from 9 to 10 (#2756)
• a604acd [Function Name] Implement changes (#2731)
• 5a81ae3 Bump version to 1.98.0 (#2754)
• e25e71d Update immutable to v5.1.5 (#2753)
• 43fac1a Bump actions/upload-artifact from 6 to 7 (#2747)
• Additional commits viewable in compare view

Updates sass-loader from 16.0.7 to 17.0.0

Release notes

Sourced from sass-loader's releases.

v17.0.0

Major Changes

• Add "auto" to the api option and make it the default. When the Sass implementation supports the modern compiler, "auto" enables it and reuses a single long-running compiler across files, which significantly improves build performance; otherwise it falls back to the modern API. (by @​alexander-akait in #1319)

• Remove node-sass support. (by @​alexander-akait in #1316)

• Minimum supported NodeJS version is 22.11.0. (by @​alexander-akait in #1318)

• Convert source to native ECMAScript modules. The package now declares "type": "module" and exposes both an ESM and a CommonJS build via the exports field. CommonJS consumers continue to work via require, and ESM consumers can now import the loader directly. (by @​alexander-akait in #1322)

• Remove legacy Sass JS API support. (by @​alexander-akait in #1316)

Minor Changes

• Added types. (by @​alexander-akait in #1312)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

v16.0.8

16.0.8 (2026-05-08)

Bug Fixes

• normalize separators in getPossibleRequests for Windows (#1308) (#1309) (90e349d)

Changelog

Sourced from sass-loader's changelog.

17.0.0

Major Changes

• Add "auto" to the api option and make it the default. When the Sass implementation supports the modern compiler, "auto" enables it and reuses a single long-running compiler across files, which significantly improves build performance; otherwise it falls back to the modern API. (by @​alexander-akait in #1319)

• Remove node-sass support. (by @​alexander-akait in #1316)

• Minimum supported NodeJS version is 22.11.0. (by @​alexander-akait in #1318)

• Convert source to native ECMAScript modules. The package now declares "type": "module" and exposes both an ESM and a CommonJS build via the exports field. CommonJS consumers continue to work via require, and ESM consumers can now import the loader directly. (by @​alexander-akait in #1322)

• Remove legacy Sass JS API support. (by @​alexander-akait in #1316)

Minor Changes

• Added types. (by @​alexander-akait in #1312)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

16.0.8 (2026-05-08)

Bug Fixes

• normalize separators in getPossibleRequests for Windows (#1308) (#1309) (90e349d)

Commits

• 3b00be7 chore(release): new release (#1317)
• 8e7c6bd chore(deps): update (#1323)
• a4e28f3 feat: add JSDoc type-checking and declaration emission (#1312)
• a3db95b feat!: convert source to native ES modules with dual ESM/CJS build (#1322)
• 8ac53f9 test: migrate from jest to node:test runner (#1321)
• 90a9170 feat: add api "auto" and use it by default (#1319)
• 07c921b feat!: minimum supported NodeJS version is 22.11.0 (#1318)
• cf34e2b feat!: minimum supported NodeJS version is 22.11.0
• ce46d50 ci: add changelog release action
• 6fddce2 ci: lock actions (#1315)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for sass-loader since your current version.

Updates terser from 5.46.0 to 5.48.0

Changelog

Sourced from terser's changelog.

v5.48.0

• Support import source ... and import defer ... (#1682)

v5.47.1

• Fix crash when using mangle.keep_fnames with destructuring

v5.47.0

• Add builtins_ecma and builtins_pure options
• Add Intl options to domprops (#1680)

v5.46.2

• unused option: delete computed keys of concise methods and getters/setters.
• Error.cause added to DOM properties list
• Don't consider foo.bar and foo["bar"] to be equivalent when property mangler is enabled with keep_quoted=strict option.

v5.46.1

• Fix extremely slow (seemed like a freeze) evaluate of method chains
• Parse extremely large floating-point number literals as Infinity
• Remove parens from comma expressions in computed property access (foo[(1, 2)])

Commits

• 794a474 5.48.0
• 9778373 update changelog
• 7f77594 do not fuzz test in questionable OS
• 702926f Support source-phase imports (import source / import defer and dynamic `i...
• bf949e7 5.47.1
• 23bb72e update changelog
• 1fd2134 fix crash when using mangle.keep_fnames with destructuring. Closes #1681
• 7cbd24d 5.47.0
• b1bc6bd update changelog
• be36c87 add "builtins" and "builtins_pure" options (#1651)
• Additional commits viewable in compare view

Updates typescript from 5.9.3 to 6.0.3

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Updates webpack from 5.105.2 to 5.107.2

Release notes

Sourced from webpack's releases.

v5.107.2

Patch Changes

• Reduce per-file overhead in ContextModuleFactory.resolveDependencies by batching alternativeRequests hook calls. Previously the hook was invoked once per file in the context (with a single-item array), paying per-call overhead (closure allocation, resolverFactory.get, intermediate arrays in RequireContextPlugin) for every file. The hook is now invoked once per directory with all matched files in one batch — RequireContextPlugin's tap already iterates the items array, so the output is unchanged. Steady-state rebuild on a 4000-file require.context drops a further ~15 ms (after the watch-mode purge fix in the same release). (by @​alexander-akait in #21020)

• Include each external info's runtimeCondition in ConcatenatedModule#updateHash so changes to a concatenated external's runtime condition invalidate persistent caches instead of slipping through with the module id alone. (by @​alexander-akait in #21023)

• Fix HTML [contenthash] for referenced asset and inline-style URL changes. (by @​alexander-akait in #21018)

• Resolve chunk-hash placeholders in chunk URLs embedded into extracted HTML. (by @​alexander-akait in #21018)

• Remove unnecessary __webpack_require__ runtime helpers in ESM library output with multi-module chunks. (by @​xiaoxiaojx in #21032)

• Rewrite NormalModule#getSideEffectsConnectionState walk as an allocation-light iterative loop instead of a generator trampoline, restoring rebuild performance lost in #20993 while keeping deep import chains stack-safe. (by @​alexander-akait in #21014)

• Fix runtime ReferenceError on the first activation of a lazy-compiled module when output.library.type produces a closure-wrapped bundle (umd, umd2, amd, amd-require, system). (by @​alexander-akait in #21013)

  External modules of these types reference closure-bound identifiers like __WEBPACK_EXTERNAL_MODULE_react__, supplied by the library wrapper that is generated once per chunk. When lazyCompilation activates an entry or import for the first time, any external dependency the lazily-built module pulls in arrives in a hot-update chunk that lives outside the original wrapper closure, so its factory body cannot resolve the closure identifier and only a manual page refresh recovers.

  The inactive LazyCompilationProxyModule now declares statically-enumerable externals (string and object forms of externals) as its own dependencies, so the initial entry chunk's library wrapper already exposes their closure identifiers. When activation later pulls in those externals through the lazily-compiled module, they resolve to the already-installed factories instead of throwing. Function and RegExp externals are not pre-populated because their effective request set isn't knowable up front.

• Fill in missing entryOptions when an async block joins an existing entrypoint. (by @​alexander-akait in #21026)

• Release per-child codeGenerationResults in MultiCompiler and at Compiler.close to reduce memory retention. (by @​alexander-akait in #21015)

• Reduce peak memory of SourceMapDevToolPlugin on large builds (closes #20961). (by @​alexander-akait in #20963)

• Fix slow require.context() / dynamic import() rebuilds in watch mode (#13636). When a file inside a watched context directory changed, NodeWatchFileSystem would call inputFileSystem.purge(contextDir). The enhanced-resolve purge implementation matches cache keys with key.startsWith(contextDir), so the stat cache of every file under the directory was discarded on every rebuild — ContextModuleFactory.resolveDependencies then re-stat-ed the whole tree on each rebuild. Single-file rebuilds on a 4000-file context now reuse the warm stat cache, dropping median rebuild from ~1260 ms to ~650 ms in a local reproduction (≈49%). For directory items that are explicitly watched contexts, purge is now called with { exact: true } (added in enhanced-resolve@5.22.0) so only the directory's own entry is invalidated; file-level changes in the same aggregated event continue to purge file stats and the parent readdir as before. (by @​alexander-akait in #21020)

v5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

• Allow devtool and SourceMapDevToolPlugin (or multiple SourceMapDevToolPlugin instances) to coexist on the same asset. Previously the second instance would silently skip any asset whose info.related.sourceMap had already been set by an earlier instance, and even when it ran the asset had been rewrapped as a RawSource so no source map could be recovered — producing an empty .map file. The plugin now keeps a per-compilation stash of pristine source maps, namespaces its persistent cache entries by the options that affect output, and appends additional related.sourceMap entries instead of overwriting them. The classic workaround of pairing devtool: 'hidden-source-map' with a new webpack.SourceMapDevToolPlugin({ filename: '[file].secondary.map', noSources: true }) now produces both maps in a single build. (by @​alexander-akait in #21001)

... (truncated)

Changelog

Sourced from webpack's changelog.

5.107.2

Patch Changes

• Reduce per-file overhead in ContextModuleFactory.resolveDependencies by batching alternativeRequests hook calls. Previously the hook was invoked once per file in the context (with a single-item array), paying per-call overhead (closure allocation, resolverFactory.get, intermediate arrays in RequireContextPlugin) for every file. The hook is now invoked once per directory with all matched files in one batch — RequireContextPlugin's tap already iterates the items array, so the output is unchanged. Steady-state rebuild on a 4000-file require.context drops a further ~15 ms (after the watch-mode purge fix in the same release). (by @​alexander-akait in #21020)

• Include each external info's runtimeCondition in ConcatenatedModule#updateHash so changes to a concatenated external's runtime condition invalidate persistent caches instead of slipping through with the module id alone. (by @​alexander-akait in #21023)

• Fix HTML [contenthash] for referenced asset and inline-style URL changes. (by @​alexander-akait in #21018)

• Resolve chunk-hash placeholders in chunk URLs embedded into extracted HTML. (by @​alexander-akait in #21018)

• Remove unnecessary __webpack_require__ runtime helpers in ESM library output with multi-module chunks. (by @​xiaoxiaojx in #21032)

• Rewrite NormalModule#getSideEffectsConnectionState walk as an allocation-light iterative loop instead of a generator trampoline, restoring rebuild performance lost in #20993 while keeping deep import chains stack-safe. (by @​alexander-akait in #21014)

• Fix runtime ReferenceError on the first activation of a lazy-compiled module when output.library.type produces a closure-wrapped bundle (umd, umd2, amd, amd-require, system). (by @​alexander-akait in #21013)

  External modules of these types reference closure-bound identifiers like __WEBPACK_EXTERNAL_MODULE_react__, supplied by the library wrapper that is generated once per chunk. When lazyCompilation activates an entry or import for the first time, any external dependency the lazily-built module pulls in arrives in a hot-update chunk that lives outside the original wrapper closure, so its factory body cannot resolve the closure identifier and only a manual page refresh recovers.

  The inactive LazyCompilationProxyModule now declares statically-enumerable externals (string and object forms of externals) as its own dependencies, so the initial entry chunk's library wrapper already exposes their closure identifiers. When activation later pulls in those externals through the lazily-compiled module, they resolve to the already-installed factories instead of throwing. Function and RegExp externals are not pre-populated because their effective request set isn't knowable up front.

• Fill in missing entryOptions when an async block joins an existing entrypoint. (by @​alexander-akait in #21026)

• Release per-child codeGenerationResults in MultiCompiler and at Compiler.close to reduce memory retention. (by @​alexander-akait in #21015)

• Reduce peak memory of SourceMapDevToolPlugin on large builds (closes #20961). (by @​alexander-akait in #20963)

• Fix slow require.context() / dynamic import() rebuilds in watch mode (#13636). When a file inside a watched context directory changed, NodeWatchFileSystem would call inputFileSystem.purge(contextDir). The enhanced-resolve purge implementation matches cache keys with key.startsWith(contextDir), so the stat cache of every file under the directory was discarded on every rebuild — ContextModuleFactory.resolveDependencies then re-stat-ed the whole tree on each rebuild. Single-file rebuilds on a 4000-file context now reuse the warm stat cache, dropping median rebuild from ~1260 ms to ~650 ms in a local reproduction (≈49%). For directory items that are explicitly watched contexts, purge is now called with { exact: true } (added in enhanced-resolve@5.22.0) so only the directory's own entry is invalidated; file-level changes in the same aggregated event continue to purge file stats and the parent readdir as before. (by @​alexander-akait in #21020)

5.107.1

Patch Changes

• Align the experimental HTML tokenizer with the WHATWG spec: fix offset-range bugs in the script-data, content-mode end-tag, attribute-value, and EOF states; surface tokenizer parse errors to consumers via a new parseError callback ("warning" when the tokenizer recovers and the emitted token is still well-formed, "error" when the offset range is incomplete — e.g. eof-in-tag); and add the full WHATWG named character references table so decodeHtmlEntities handles all named entities (including legacy bare forms like &AMP and multi-code-point entities like ≂̸) with proper longest-prefix backtracking. (by @​alexander-akait in #21000)

• Tree-shake CommonJS modules imported through a const NAME = require(LITERAL) binding when only static members of NAME are read. Previously webpack treated every export of such modules as referenced (because the bare require() dependency reports EXPORTS_OBJECT_REFERENCED), so unused exports.x = ... assignments remained in the bundle even with usedExports enabled. The parser now forwards NAME.x / NAME.x() / NAME["x"] accesses to the underlying CommonJsRequireDependency as referenced exports, falling back to the full exports object the moment NAME is read in any other context (passed by value, destructured later, accessed with a dynamic key, …). This brings the binding form to parity with the existing destructuring form (const { x } = require(...)). (by @​alexander-akait in #21003)

• Fix RangeError: Maximum call stack size exceeded thrown from HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState on long linear chains of side-effect-free imports. NormalModule.getSideEffectsConnectionState previously descended through HarmonyImportSideEffectDependency.getModuleEvaluationSideEffectsState recursively, adding two stack frames per module, which overflowed V8's stack at a few thousand modules deep. The traversal is now iterative. (by @​alexander-akait in #20993)

• Fix NormalModuleFactory parser/generator types: (by @​alexander-akait in #20999)

  • module.generator.html now uses HtmlGeneratorOptions instead of EmptyGeneratorOptions (the extract option was hidden from the createGenerator / generator hook types).
  • WebAssembly (webassembly/async, webassembly/sync) generator hooks now use EmptyGeneratorOptions instead of EmptyParserOptions.
  • NormalModuleFactory#getParser / createParser / getGenerator / createGenerator are now generic over the module-type string, returning the specific parser/generator class for known types (e.g. JavascriptParser for "javascript/auto", CssGenerator for "css", etc.) instead of always returning the base Parser / Generator.
  • NormalModuleCreateData is now generic over the module type so parser, parserOptions, generator, and generatorOptions are narrowed to the specific class / options for the given type.

• Link import bindings used inside define(...) callbacks in ES modules. Previously, HarmonyDetectionParserPlugin skipped walking the arguments of define calls in harmony modules, so references to imported bindings inside an inline AMD define factory (e.g. define(function () { console.log(foo); })) were not rewritten to their imported references and could cause ReferenceError at runtime. Inner graph usage analysis is also fixed for the related pattern const fn = function () { foo; }; define(fn);. (by @​alexander-akait in #20990)

• HTML-entry pipeline (experiments.html + experiments.css): emit <link rel="stylesheet"> tags for CSS chunks reachable from a <script src> entry. Previously when the bundled JS imported CSS, the resulting .css file was emitted to disk but never referenced from the extracted HTML (no <link> tag), and when splitChunks extracted CSS into sibling chunks the HTML cloned the originating <script> for each one — producing <script src="style.js"> pointing at non-existent JS filenames instead of <link rel="stylesheet" href="style.css">. CSS chunks are now sorted by the entrypoint's module post-order index so the <link> tags also appear in source import order, fixing the cascade ordering issue documented in html-webpack-plugin#1838 and webpack/mini-css-extract-plugin#959 for HTML-entry builds. nonce/crossorigin/referrerpolicy are copied from the originating tag onto the emitted <link>. (by @​alexander-akait in #21002)

... (truncated)

Commits

• cfb24a4 chore(release): new rel...

  Description has been truncated