
chore(deps): bump webpack from 5.95.0 to 5.106.2 in the npm_and_yarn group across 1 directory#2877

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-f88ddb90ac

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 22, 2026

Bumps the npm_and_yarn group with 1 update in the / directory: webpack.

Updates webpack from 5.95.0 to 5.106.2

Release notes

Sourced from webpack's releases.

v5.106.2

Patch Changes

  • CSS @​import now inherits the parent module's exportType, so a file configured as "text" correctly creates a style tag when @​imported by a "style" parent. (by @​xiaoxiaojx in #20838)

  • Make asset modules available in JS context when referenced from both CSS and a lazily compiled JS chunk. (by @​xiaoxiaojx in #20801)

  • Include missing generator options in hash to ensure persistent cache invalidation when configuration changes (CssGenerator exportsOnly, JsonGenerator JSONParse, WebAssemblyGenerator mangleImports). (by @​xiaoxiaojx in #20821)

  • Fix || default value handling in ProgressPlugin and ManifestPlugin that incorrectly overrode user-provided falsy values (e.g. modules: false, entries: false, entrypoints: false). (by @​xiaoxiaojx in #20823)

  • Migrate from mime-types to mime-db. (by @​alexander-akait in #20812)

  • Handle @charset at-rules in CSS modules. (by @​alexander-akait in #20831)

  • Marked all experimental options in types. (by @​alexander-akait in #20814)

v5.106.1

Patch Changes

  • Fix two ES5-environment regressions in the anonymous default export .name fix-up: the generated code referenced an undeclared __WEBPACK_DEFAULT_EXPORT__ binding causing ReferenceError, and used Reflect.defineProperty which is not available in pre-ES2015 runtimes. The fix-up now references the real assignment target and uses Object.defineProperty / Object.getOwnPropertyDescriptor. (by @​xiaoxiaojx in #20796)

  • Prevent !important from being renamed as a local identifier in CSS modules. (by @​xiaoxiaojx in #20798)

  • Use compiler context instead of module context for CSS modules local ident hashing to avoid hash collisions when files with the same name exist in different directories. (by @​xiaoxiaojx in #20799)

v5.106.0

Minor Changes

  • Add exportType: "style" for CSS modules to inject styles into DOM via HTMLStyleElement, similar to style-loader functionality. (by @​xiaoxiaojx in #20579)

  • Add context option support for VirtualUrlPlugin (by @​xiaoxiaojx in #20449)

    • The context for the virtual module. A string path. Defaults to 'auto', which will try to resolve the context from the module id.
    • Support custom context path for resolving relative imports in virtual modules
    • Add examples demonstrating context usage and filename customization
  • Generate different CssModule instances for different exportType values. (by @​xiaoxiaojx in #20590)

  • Added the localIdentHashFunction option to configure the hash function to be used for hashing. (by @​alexander-akait in #20694) Additionally, the localIdentName option can now be a function.

  • Added support for destructuring assignment require in cjs, allowing for tree shaking. (by @​ahabhgk in #20548)

  • Added the validate option to enable/disable validation in webpack/plugins/loaders, also implemented API to make it inside plugins. (by @​xiaoxiaojx in #20275)

  • Added source support for async WASM modules. (by @​magic-akari in #20364)

Patch Changes

  • Add a static getSourceBasicTypes method to the Module class to prevent errors across multiple versions. (by @​xiaoxiaojx in #20614)

... (truncated)

Changelog

Sourced from webpack's changelog.


Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the / directory: [webpack](https://github.com/webpack/webpack).


Updates `webpack` from 5.95.0 to 5.106.2
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.95.0...v5.106.2)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.106.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 22, 2026
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github Apr 22, 2026

Assignees

The following users could not be added as assignees: protocol-galileo. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested review from a team as code owners April 22, 2026 19:16
@vercel

vercel Bot commented Apr 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| metamask-docs | Error | Error | Apr 22, 2026 7:17pm |


@socket-security

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert
Block Low
Publisher changed: npm loader-runner is now published by evilebottnawi instead of sokra

New Author: evilebottnawi

Previous Author: sokra

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/loader-runner@4.3.1

ℹ Read more on: This package | This alert | What is a new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/loader-runner@4.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/helper-buffer is 100.0% likely to have a medium risk anomaly

Notes: The code is a focused utility to compare two wasm binary buffers by decoding them into textual dumps and diffing the results. It does not exhibit data exfiltration or network activity. The main concern is the temporary override of console.log, which could affect the host environment or other concurrent code. Overall, functional risk is moderate due to side effects rather than a security vulnerability.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/@webassemblyjs/helper-buffer@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/helper-buffer@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/helper-wasm-section is 100.0% likely to have a medium risk anomaly

Notes: The code appears to be a legitimate utility for inserting an empty section into a WebAssembly module binary and updating both the in-memory AST and the binary buffer. There is no evidence of data leakage, remote control, or malicious behavior in this fragment.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/@webassemblyjs/helper-wasm-section@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/helper-wasm-section@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/wasm-edit is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a WASM binary editor utility that applies structural edits (add/update/delete) to a WASM module by manipulating an AST and an in-memory byte buffer. It carefully maintains section sizes and node locations to preserve a consistent binary, and performs validations for certain node types (Func, Global) to ensure proper termination of expressions. There is no indication of malicious behavior, such as data exfiltration, arbitrary code execution, or external network access. The primary risk is operational: incorrect or malicious op sequences could corrupt the wasm binary. With trusted inputs, the component is appropriate for its purpose.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/@webassemblyjs/wasm-edit@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-edit@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/wasm-parser is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate WebAssembly binary decoder/AST builder. It decodes a WASM module into a rich AST representation without performing harmful actions, network activity, or data exfiltration. The primary security considerations are ensuring trust in the library's source and keeping dependencies current, as with any third-party tool. If kept updated and used with proper input validation, the component poses no immediate malicious risk based on this fragment.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/@webassemblyjs/wasm-parser@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-parser@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm terser-webpack-plugin is 100.0% likely to have a medium risk anomaly

Notes: The code contains an explicit arbitrary code execution primitive: transform evaluates a provided string via new Function with full access to require/module/exports and path context, then uses the result to call an implementation. This creates a high-impact RCE/config injection vector if the options string is untrusted. The file itself does not include embedded malicious payloads, but the pattern is dangerous and should be treated as a serious security risk in any environment where the options string could be influenced externally. Recommended remediation: avoid executing strings as code; accept structured data (JSON), validate/whitelist returned keys and types, or run evaluation inside a restricted sandbox (Node VM with whitelisted globals and no require), and do not expose require/module/exports to evaluated code. If transform is unnecessary, remove it. Treat use of transform with untrusted inputs as unacceptable.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/terser-webpack-plugin@5.4.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser-webpack-plugin@5.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm webpack is 100.0% likely to have a medium risk anomaly

Notes: This is a straightforward wasm-based hash wrapper. There is no evident malware behavior, external data leakage, or suspicious network/activity. The usage pattern is benign: loading a precompiled wasm blob and exposing a hashing function through a wrapper. No hardcoded secrets, no environment-variable use, and no dynamic code evaluation observed. However, the embedded wasm payload represents a potential supply chain risk if the binary is tampered in distribution; integrity verification (hashes/signatures) is essential.

Confidence: 1.00

Severity: 0.60

From: package-lock.json, npm/node-polyfill-webpack-plugin@2.0.1, npm/docusaurus-plugin-sass@0.2.5, npm/@docusaurus/theme-mermaid@3.9.2, npm/@docusaurus/plugin-client-redirects@3.9.2, npm/@docusaurus/plugin-google-tag-manager@3.9.2, npm/@docusaurus/types@3.9.2, npm/@docusaurus/preset-classic@3.9.2, npm/@docusaurus/plugin-content-pages@3.9.2, npm/@docusaurus/theme-common@3.9.2, npm/@docusaurus/plugin-google-gtag@3.9.2, npm/@docusaurus/plugin-content-docs@3.9.2, npm/@docusaurus/core@3.9.2, npm/webpack@5.106.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.106.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Apr 23, 2026

Dependabot couldn't access the repository. Because of this, Dependabot cannot update this pull request.
