Update Webpack to 5.94.0

longwave → credited spokje → .

10.2.x MR !9701
10.3.x MR !9700
10.4.x MR !9699
11.0.x: MR !9698
11.x: MR !9697

I've ran a yarn build in all MRs

10.4.x and 10.3.x introduced a lot of CSS changes, not too sure where those came from.
10.2.x introduces jquery-ui map file changes on top of the above CSS changes. The same amount of confidence where those came from, namely none.

Either the webpack update introduces some CSS/JS linting changes, which I find unlikely, or the changes for these were already made before these MRs and somehow yarn build was never ran.

I'll leave that to the experts.

Did some digging to find out what happened here.

As far as I can tell, the CSS changes are due to the bump in caniuse-lite which determines what the browserslist key means in package.json. The bulk of the changes are swapping from prefixing with the [dir=rtl] attribute at the top of the DOM to using the :dir() pseudo-class. The pseudo-class is available since December 2023 according to caniuse so it makes sense that upgrading caniuse-lite results in the use of newer features when rebuilding the CSS.

In 10.2.x the change is adding "ignoreList":[] to the generated source maps for jQuery UI. This also appears to be a relatively recent feature, I couldn't find where it was added exactly but the map files are generated by Terser which was also upgraded here, so it makes some sense for this to change. This change looks harmless anyway as the ignoreList is always empty.

Therefore I think all these changes are valid and OK to commit.

Thanks @longwave for the sleuthing, sense = made.

Thanks @quietone, added release note snippet

catch → closed merge request !9697

catch → closed merge request !9698

I double checked the caniuse data because I was concerned Firefox ESR when 10.3.0 might possibly have not supported this, but actually firefox was one of the first to support it and it's chrome and edge that didn't add full support until December 2023. This to me means we're clear back to 10.3.x

For 10.2.x, at the time that 10.2.x was released, we probably did support browser versions that didn't support the dir pseudoclass, so going to get a second opinion for that.

catch → closed merge request !9699

Committed/pushed to 11.x, 11.0.x, 10.4.x and 10.3.x, leaving RTBC against 10.2.x

Added a more detailed release not directly in the 10.3.6 release notes draft and also the issue summary https://docs.google.com/document/d/1xqpX5FHvfpFjN3Xg47ESFSFu5WUjCEP4sjiO...

catch → closed merge request !9700

Given that Drupal is not affected by this security release and there is a risk of breaking CSS if users are still relying on the browsers initially supported by 10.2, I think this is not worth fixing there now. Users who are bothered by security scanners complaining about an insecure Webpack should upgrade to Drupal 10.3.

spokje → closed merge request !9701

Automatically closed - issue fixed for 2 weeks with no activity.