shakapacker 8.2.0 → 8.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e79664eb847e6cd529faef7596863300465e9ae31cccde5042e86363d3bf8a66
-  data.tar.gz: 57c9eb85b20b964f80bf458a1a6f8f0db79c5bf394819f7e687b973e10839a77
+  metadata.gz: 6ccbba3c39a550ae683e13c45e3ac4f79733ae6ffebabf2d6ab55f37b7427d99
+  data.tar.gz: 569998bb9475e8ed2b8ba786d1ccdf2b84d562d61ba8ef78d08ad195c3ea2230
 SHA512:
-  metadata.gz: ed317c5485ff9db1aabc55ce8ac2e9a53975882f180faa65e1cb4565175956c416e9543d8e5683906d77d3b992f282159a049ef689d6b03de6a90c76d9269a6b
-  data.tar.gz: 557c44369b8af2c300f8bb71810fead6ab59b37770cd7b6898a11b901c73c4da241df82591190ccc65ec3d5b5b3e7b4ce4e055cee51e03bd297d585efd49ba3e
+  metadata.gz: 2c529d5f970394ca40b79d7ac1ddb430c197cbd508bf533195f13d81937cca872232436bcb92c5a8f38eafc9968ef0d1a82c280120545e421d143dcf72d12f0c
+  data.tar.gz: b341f56e92124b2418b56483dab20374aee03fca5de1e946e5b09ce1f2ca7d0daa16c47ed365a90f51a8f5bdf55235dbe9107cf95dc0a3b9b00e19056f72f343

data/CHANGELOG.md

@@ -4,12 +4,38 @@
 * Please see the [v6 Upgrade Guide](./docs/v6_upgrade.md) to go from versions prior to v6.
 * [ShakaCode](https://www.shakacode.com) offers support for upgrading from Webpacker or using Shakapacker. If interested, contact Justin Gordon, [justin@shakacode.com](mailto:justin@shakacode.com).
 
-_next_ branch is for v8 changes
-
-## Versions
+# Versions
 ## [Unreleased]
 Changes since the last non-beta release.
 
+## [v8.4.0] - September 8, 2025
+
+### Added
+
+- Support for subresource integrity. [PR 570](https://github.com/shakacode/shakapacker/pull/570) by [panagiotisplytas](https://github.com/panagiotisplytas)
+
+### Fixed
+
+- Install the latest major version of peer dependencies [PR 576](https://github.com/shakacode/shakapacker/pull/576) by [G-Rath](https://github.com/g-rath).
+- Remove duplicate word in comment from generated `shakapacker.yml` config [PR 572](https://github.com/shakacode/shakapacker/pull/572) by [G-Rath](https://github.com/g-rath).
+- fix: update webpack-dev-server to secure versions (^4.15.2 || ^5.2.2) [PR 585](https://github.com/shakacode/shakapacker/pull/585) by [justin808](https://github.com/justin808)
+
+
+## [v8.3.0] - April 25, 2025
+### Added
+
+- Allow `webpack-assets-manifest` v6. [PR 562](https://github.com/shakacode/shakapacker/pull/562) by [tagliala](https://github.com/tagliala), [shoeyn](https://github.com/shoeyn).
+
+### Changed
+
+- Instead of a fixed `core-js` version, take the current one from `node_modules` if available. [PR 556](https://github.com/shakacode/shakapacker/pull/556) by [alexeyr-ci2](https://github.com/alexeyr-ci2).
+- Require webpack >= 5.76.0 to reduce exposure to CVE-2023-28154. [PR 568](https://github.com/shakacode/shakapacker/pull/568) by [granowski](https://github.com/granowski).
+
+### Fixed
+
+- More precise types for `devServer` and `rules` in the configuration. [PR 555](https://github.com/shakacode/shakapacker/pull/555) by [alexeyr-ci2](https://github.com/alexeyr-ci2).
+
+## [v8.2.0] - March 12, 2025
 ### Added
 
 - Support for `async` attribute in `javascript_pack_tag`, `append_javascript_pack_tag`, and `prepend_javascript_pack_tag`. [PR 554](https://github.com/shakacode/shakapacker/pull/554) by [AbanoubGhadban](https://github.com/abanoubghadban).
@@ -406,7 +432,10 @@ Note: [Rubygem is 6.3.0.pre.rc.1](https://rubygems.org/gems/shakapacker/versions
 ## v5.4.3 and prior changes from rails/webpacker
 See [CHANGELOG.md in rails/webpacker (up to v5.4.3)](https://github.com/rails/webpacker/blob/master/CHANGELOG.md)
 
-[Unreleased]: https://github.com/shakacode/shakapacker/compare/v8.1.0...main
+[Unreleased]: https://github.com/shakacode/shakapacker/compare/v8.4.0...main
+[v8.4.0]: https://github.com/shakacode/shakapacker/compare/v8.3.0...v8.4.0
+[v8.3.0]: https://github.com/shakacode/shakapacker/compare/v8.2.0...v8.3.0
+[v8.2.0]: https://github.com/shakacode/shakapacker/compare/v8.1.0...v8.2.0
 [v8.1.0]: https://github.com/shakacode/shakapacker/compare/v8.0.2...v8.1.0
 [v8.0.2]: https://github.com/shakacode/shakapacker/compare/v8.0.1...v8.0.2
 [v8.0.1]: https://github.com/shakacode/shakapacker/compare/v8.0.0...v8.0.1

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shakapacker (8.2.0)
+    shakapacker (8.4.0)
       activesupport (>= 5.2)
       package_json
       rack-proxy (>= 0.6.1)

data/README.md

@@ -625,7 +625,7 @@ By default, you will find the Shakapacker preset in your `package.json`. Note, y
   ]
 },
 ```
-Optionally, you can change your Babel configuration by removing these lines in your `package.json` and adding [a Babel](https://babeljs.io/docs/en/config-files) configuration file](https://babeljs.io/docs/en/config-files) to your project. For an example of customization based on the original, see [Customizing Babel Config](./docs/customizing_babel_config.md).
+Optionally, you can change your Babel configuration by removing these lines in your `package.json` and adding [a Babel configuration file](https://babeljs.io/docs/en/config-files) to your project. For an example of customization based on the original, see [Customizing Babel Config](./docs/customizing_babel_config.md).
 
 
 ### SWC configuration

data/docs/react.md

@@ -61,11 +61,7 @@ const webpackConfig = generateWebpackConfig();
 
 if (isDevelopment && inliningCss) {
   webpackConfig.plugins.push(
-    new ReactRefreshWebpackPlugin({
-      overlay: {
-        sockPort: webpackConfig.devServer.port,
-      },
-    })
+    new ReactRefreshWebpackPlugin()
   );
 }
 
@@ -201,11 +197,7 @@ const webpackConfig = generateWebpackConfig();
 
 if (isDevelopment && inliningCss) {
   webpackConfig.plugins.push(
-    new ReactRefreshWebpackPlugin({
-      overlay: {
-        sockPort: webpackConfig.devServer.port,
-      },
-    })
+    new ReactRefreshWebpackPlugin()
   );
 }
 

data/docs/subresource_integrity.md

@@ -0,0 +1,54 @@
+# Subresource integrity
+It's a cryptographic hash that helps browsers check that the served js or css file has not been tampered in any way.
+
+[MDN - Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
+
+## Important notes
+- If you somehow modify the file after the hash was generated, it will automatically be considered as tampered, and the browser will not allow it to be executed.
+- Enabling subresource integrity generation, will change the structure of `manifest.json`. Keep that in mind if you utilize this file in any other custom implementation.
+
+Before:
+```json
+{
+  "application.js": "/path_to_asset"
+}
+```
+
+After:
+```json
+{
+  "application.js": {
+    "src": "/path_to_asset",
+    "integrity": "<sha256-hash> <sha384-hash> <sha512-hash>"
+  }
+}
+```
+
+## Possible CORS issues
+Enabling subresource integrity for an asset, actually enforces CORS checks on that resource too. Which means that
+if you haven't set that up properly beforehand, it will probably lead to CORS errors with cached assets.
+
+[MDN - How browsers handle Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#how_browsers_handle_subresource_integrity)
+
+## Configuration
+
+By default, this setting is disabled, to ensure backwards compatibility, and let developers adapt at their own pace.
+This may change in the future, as it is a very nice security feature, and it should be enabled by default.
+
+To enable it, just add this in `shakapacker.yml`
+```yml
+  integrity:
+    enabled: true    
+```
+
+For further customization, you can also utilize the options `hash_functions` that control the functions used to generate 
+integrity hashes. And `cross_origin` that sets the cross-origin loading attribute.
+
+```yml
+  integrity:
+    enabled: true
+    hash_functions: ["sha256", "sha384", "sha512"]
+    cross_origin: "anonymous" # or "use-credentials"
+```
+
+This will utilize under the hood webpack-subresource-integrity plugin and will modify `manifest.json` to include integrity hashes.

data/lib/install/config/shakapacker.yml

@@ -42,7 +42,7 @@ default: &default
   # Raises an error if there is a mismatch in the shakapacker gem and npm package being used
   ensure_consistent_versioning: true
 
-  # Select whether the compiler will use SHA digest ('digest' option) or most most recent modified timestamp ('mtime') to determine freshness
+  # Select whether the compiler will use SHA digest ('digest' option) or most recent modified timestamp ('mtime') to determine freshness
   compiler_strategy: digest
 
   # Select whether the compiler will always use a content hash and not just in production
@@ -55,6 +55,16 @@ default: &default
   # SHAKAPACKER_ASSET_HOST will override both configurations.
   # asset_host: custom-path
 
+  # Utilizing webpack-subresource-integrity plugin, will generate integrity hashes for all entries in manifest.json
+  # https://github.com/waysact/webpack-subresource-integrity/tree/main/webpack-subresource-integrity
+  integrity:
+    enabled: false
+    # Which cryptographic function(s) to use, for generating the integrity hash(es). Default sha-384. Other possible values sha256, sha512
+    hash_functions: ["sha384"]
+    # Default "anonymous". Other possible value "use-credentials"
+    # https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#cross-origin_resource_sharing_and_subresource_integrity
+    cross_origin: "anonymous"
+
 development:
   <<: *default
   compile: true
@@ -71,7 +81,7 @@ development:
     # Hot Module Replacement updates modules while the application is running without a full reload
     # Used instead of the `hot` key in https://webpack.js.org/configuration/dev-server/#devserverhot
     hmr: false
-    # If HMR is on, CSS will by inlined by delivering it as part of the script payload via style-loader. Be sure
+    # If HMR is on, CSS will be inlined by delivering it as part of the script payload via style-loader. Be sure
     # that you add style-loader to your project dependencies.
     #
     # If you want to instead deliver CSS via <link> with the mini-css-extract-plugin, set inline_css to false.
@@ -114,7 +124,7 @@ production:
   # Production depends on precompilation of packs prior to booting for performance.
   compile: false
 
-  # Use content hash for naming assets. Cannot be overridden by for production.
+  # Use content hash for naming assets. Cannot be overridden in production.
   useContentHash: true
 
   # Cache manifest.json for performance

data/lib/install/template.rb

@@ -136,7 +136,7 @@ Dir.chdir(Rails.root) do
   dev_dependencies_to_add = []
 
   peers.each do |(package, version)|
-    major_version = version.match(/(\d+)/)[1]
+    major_version = version.split("||").last.match(/(\d+)/)[1]
     entry = "#{package}@#{major_version}"
 
     if dev_dependency_packages.include? package

data/lib/shakapacker/configuration.rb

@@ -99,6 +99,10 @@ class Shakapacker::Configuration
     )
   end
 
+  def integrity
+    fetch(:integrity)
+  end
+
   private
     def data
       @data ||= load

data/lib/shakapacker/helper.rb

@@ -109,11 +109,11 @@ module Shakapacker::Helper
     @javascript_pack_tag_loaded = true
 
     capture do
-      concat javascript_include_tag(*async, **options.dup.tap { |o| o[:async] = true })
+      render_tags(async, :javascript, **options.dup.tap { |o| o[:async] = true })
       concat "\n" if async.any? && deferred.any?
-      concat javascript_include_tag(*deferred, **options.dup.tap { |o| o[:defer] = true })
+      render_tags(deferred, :javascript, **options.dup.tap { |o| o[:defer] = true })
       concat "\n" if sync.any? && deferred.any?
-      concat javascript_include_tag(*sync, **options)
+      render_tags(sync, :javascript, options)
     end
   end
 
@@ -166,7 +166,9 @@ module Shakapacker::Helper
 
     @stylesheet_pack_tag_loaded = true
 
-    stylesheet_link_tag(*(requested_packs | appended_packs), **options)
+    capture do
+      render_tags(requested_packs | appended_packs, :stylesheet, options)
+    end
   end
 
   def append_stylesheet_pack_tag(*names)
@@ -238,4 +240,38 @@ module Shakapacker::Helper
     rescue
       path_to_asset(current_shakapacker_instance.manifest.lookup!(name), options)
     end
+
+    def lookup_integrity(source)
+      (source.respond_to?(:dig) && source.dig("integrity")) || nil
+    end
+
+    def lookup_source(source)
+      (source.respond_to?(:dig) && source.dig("src")) || source
+    end
+
+    # Handles rendering javascript and stylesheet tags with integrity, if that's enabled.
+    def render_tags(sources, type, options)
+      return unless sources.present? || type.present?
+
+      sources.each.with_index do |source, index|
+        tag_source = lookup_source(source)
+
+        if current_shakapacker_instance.config.integrity[:enabled]
+          integrity = lookup_integrity(source)
+
+          if integrity.present?
+            options[:integrity] = integrity
+            options[:crossorigin] = current_shakapacker_instance.config.integrity[:cross_origin]
+          end
+        end
+
+        if type == :javascript
+          concat javascript_include_tag(tag_source, **options)
+        else
+          concat stylesheet_link_tag(tag_source, **options)
+        end
+
+        concat "\n" unless index == sources.size - 1
+      end
+    end
 end

data/lib/shakapacker/manifest.rb

@@ -67,7 +67,12 @@ class Shakapacker::Manifest
     end
 
     def find(name)
-      data[name.to_s].presence
+      return nil unless data[name.to_s].present?
+
+      return data[name.to_s] unless data[name.to_s].respond_to?(:dig)
+
+      # Try to return src, if that fails, (ex. entrypoints object) return the whole object.
+      data[name.to_s].dig("src") || data[name.to_s]
     end
 
     def full_pack_name(name, pack_type)

data/lib/shakapacker/version.rb

@@ -1,4 +1,4 @@
 module Shakapacker
   # Change the version in package.json too, please!
-  VERSION = "8.2.0".freeze
+  VERSION = "8.4.0".freeze
 end

data/package/babel/preset.js

@@ -1,5 +1,18 @@
-const { moduleExists } = require("shakapacker")
+const { moduleExists, packageFullVersion } = require("../utils/helpers")
 
+const coreJsVersion = () => {
+  try {
+    return packageFullVersion("core-js").match(/^\d+\.\d+/)[0]
+  } catch (e) {
+    if (e.code !== "MODULE_NOT_FOUND") {
+      throw e
+    }
+
+    return "3.8"
+  }
+}
+
+/** @param api {import("@babel/core").ConfigAPI} */
 module.exports = function config(api) {
   const validEnv = ["development", "test", "production"]
   const currentEnv = api.env()
@@ -9,9 +22,7 @@ module.exports = function config(api) {
 
   if (!validEnv.includes(currentEnv)) {
     throw new Error(
-      `Please specify a valid NODE_ENV or BABEL_ENV environment variable. Valid values are "development", "test", and "production". Instead, received: "${JSON.stringify(
-        currentEnv
-      )}".`
+      `Please specify a valid NODE_ENV or BABEL_ENV environment variable. Valid values are "development", "test", and "production". Instead, received: "${currentEnv}".`
     )
   }
 
@@ -22,7 +33,7 @@ module.exports = function config(api) {
         "@babel/preset-env",
         {
           useBuiltIns: "entry",
-          corejs: "3.8",
+          corejs: coreJsVersion(),
           modules: "auto",
           bugfixes: true,
           exclude: ["transform-typeof-symbol"]

data/package/config.js

@@ -50,5 +50,7 @@ if (config.manifest_path) {
 } else {
   config.manifestPath = resolve(config.outputPath, "manifest.json")
 }
+// Ensure no duplicate hash functions exist in the returned config object
+config.integrity.hash_functions = [...new Set(config.integrity.hash_functions)]
 
 module.exports = config

data/package/environments/base.js

@@ -4,6 +4,7 @@
 const { existsSync, readdirSync } = require("fs")
 const { basename, dirname, join, relative, resolve } = require("path")
 const extname = require("path-complete-extname")
+// TODO: Change to `const { WebpackAssetsManifest }` when dropping 'webpack-assets-manifest < 6.0.0' (Node >=20.10.0) support
 const WebpackAssetsManifest = require("webpack-assets-manifest")
 const webpack = require("webpack")
 const rules = require("../rules")
@@ -72,15 +73,22 @@ const getModulePaths = () => {
   return result
 }
 
+// TODO: Remove WebpackAssetsManifestConstructor workaround when dropping 'webpack-assets-manifest < 6.0.0' (Node >=20.10.0) support
+const WebpackAssetsManifestConstructor =
+  "WebpackAssetsManifest" in WebpackAssetsManifest
+    ? WebpackAssetsManifest.WebpackAssetsManifest
+    : WebpackAssetsManifest
 const getPlugins = () => {
   const plugins = [
     new webpack.EnvironmentPlugin(process.env),
-    new WebpackAssetsManifest({
+    new WebpackAssetsManifestConstructor({
       entrypoints: true,
       writeToDisk: true,
       output: config.manifestPath,
       entrypointsUseAssets: true,
-      publicPath: config.publicPathWithoutCDN
+      publicPath: config.publicPathWithoutCDN,
+      integrity: config.integrity.enabled,
+      integrityHashes: config.integrity.hash_functions
     })
   ]
 
@@ -99,6 +107,22 @@ const getPlugins = () => {
     )
   }
 
+  if (
+    moduleExists("webpack-subresource-integrity") &&
+    config.integrity.enabled
+  ) {
+    const {
+      SubresourceIntegrityPlugin
+    } = require("webpack-subresource-integrity")
+
+    plugins.push(
+      new SubresourceIntegrityPlugin({
+        hashFuncNames: config.integrity.hash_functions,
+        enabled: isProduction
+      })
+    )
+  }
+
   return plugins
 }
 
@@ -115,7 +139,12 @@ module.exports = {
     // https://webpack.js.org/configuration/output/#outputhotupdatechunkfilename
     hotUpdateChunkFilename: "js/[id].[fullhash].hot-update.js",
     path: config.outputPath,
-    publicPath: config.publicPath
+    publicPath: config.publicPath,
+
+    // This is required for SRI to work.
+    crossOriginLoading: config.integrity.enabled
+      ? config.integrity.cross_origin
+      : false
   },
   entry: getEntryObject(),
   resolve: {

data/package/index.d.ts

@@ -1,5 +1,6 @@
 declare module 'shakapacker' {
-  import { Configuration } from 'webpack'
+  import { Configuration, RuleSetRule } from 'webpack'
+  import * as https from 'node:https';
 
   export interface Config {
     source_path: string
@@ -32,12 +33,48 @@ declare module 'shakapacker' {
     runningWebpackDevServer: boolean
   }
 
+  type Header = Array<{ key: string; value: string }> | Record<string, string | string[]>
+  type ServerType = 'http' | 'https' | 'spdy'
+  type WebSocketType = 'sockjs' | 'ws'
+
+  /**
+   * This has the same keys and behavior as https://webpack.js.org/configuration/dev-server/ except:
+   * 1. `hot` is replaced by `hmr`;
+   * 2. Camel-cased properties are replaced by snake-cased ones.
+   * @see {import('webpack-dev-server').Configuration}
+   */
+  interface DevServerConfig {
+    allowed_hosts?: 'all' | 'auto' | string | string[]
+    bonjour?: boolean | Record<string, unknown> // bonjour.BonjourOptions
+    client?: Record<string, unknown> // Client
+    compress?: boolean
+    dev_middleware?: Record<string, unknown> // webpackDevMiddleware.Options
+    headers?: Header | (() => Header)
+    history_api_fallback?: boolean | Record<string, unknown> // HistoryApiFallbackOptions
+    hmr?: 'only' | boolean
+    host?: 'local-ip' | 'local-ipv4' | 'local-ipv6' | string
+    http2?: boolean
+    https?: boolean | https.ServerOptions
+    ipc?: boolean | string
+    magic_html?: boolean
+    live_reload?: boolean
+    open?: boolean | string | string[] | Record<string, unknown> | Record<string, unknown>[]
+    port?: 'auto' | string | number
+    proxy?: unknown // ProxyConfigMap | ProxyConfigArray
+    setup_exit_signals?: boolean
+    static?: boolean | string | unknown // Static | Array<string | Static>
+    watch_files?: string | string[] | unknown // WatchFiles | Array<WatchFiles | string>
+    web_socket_server?: string | boolean | WebSocketType | { type?: string | boolean | WebSocketType, options?: Record<string, unknown> }
+    server?: string | boolean | ServerType | { type?: string | boolean | ServerType, options?: https.ServerOptions }
+    [otherWebpackDevServerConfigKey: string]: unknown
+  }
+
   export const config: Config
-  export const devServer: Record<string, unknown>
+  export const devServer: DevServerConfig
   export function generateWebpackConfig(extraConfig?: Configuration): Configuration
   export const baseConfig: Configuration
   export const env: Env
-  export const rules: Record<string, unknown>
+  export const rules: RuleSetRule[]
   export function moduleExists(packageName: string): boolean
   export function canProcess<T = unknown>(rule: string, fn: (modulePath: string) => T): T | null
   export const inliningCss: boolean

data/package/rules/index.js

@@ -1,20 +1,16 @@
 /* eslint global-require: 0 */
 /* eslint import/no-dynamic-require: 0 */
 
-const rules = {
-  raw: require("./raw"),
-  file: require("./file"),
-  css: require("./css"),
-  sass: require("./sass"),
-  babel: require("./babel"),
-  swc: require("./swc"),
-  esbuild: require("./esbuild"),
-  erb: require("./erb"),
-  coffee: require("./coffee"),
-  less: require("./less"),
-  stylus: require("./stylus")
-}
-
-module.exports = Object.keys(rules)
-  .filter((key) => !!rules[key])
-  .map((key) => rules[key])
+module.exports = [
+  require("./raw"),
+  require("./file"),
+  require("./css"),
+  require("./sass"),
+  require("./babel"),
+  require("./swc"),
+  require("./esbuild"),
+  require("./erb"),
+  require("./coffee"),
+  require("./less"),
+  require("./stylus")
+].filter(Boolean)

data/package/utils/helpers.js

@@ -41,18 +41,22 @@ const loaderMatches = (configLoader, loaderToCheck, fn) => {
   return fn()
 }
 
-const packageMajorVersion = (packageName) => {
+const packageFullVersion = (packageName) => {
   // eslint-disable-next-line import/no-dynamic-require
   const packageJsonPath = require.resolve(`${packageName}/package.json`)
   // eslint-disable-next-line import/no-dynamic-require, global-require
-  return require(packageJsonPath).version.match(/^\d+/)[0]
+  return require(packageJsonPath).version
 }
 
+const packageMajorVersion = (packageName) =>
+  packageFullVersion(packageName).match(/^\d+/)[0]
+
 module.exports = {
   isBoolean,
   ensureTrailingSlash,
   canProcess,
   moduleExists,
   loaderMatches,
+  packageFullVersion,
   packageMajorVersion
 }

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shakapacker",
-  "version": "8.2.0",
+  "version": "8.4.0",
   "description": "Use webpack to manage app-like JavaScript modules in Rails",
   "homepage": "https://github.com/shakacode/shakapacker",
   "bugs": {
@@ -33,19 +33,20 @@
     "eslint": "^8.0.0",
     "eslint-config-airbnb": "^19.0.0",
     "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-import": "^2.24.2",
+    "eslint-plugin-import": "^2.31.0",
     "eslint-plugin-jest": "^27.9.0",
-    "eslint-plugin-jsx-a11y": "^6.4.1",
-    "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-react": "^7.26.0",
+    "eslint-plugin-jsx-a11y": "^6.10.2",
+    "eslint-plugin-prettier": "^5.2.6",
+    "eslint-plugin-react": "^7.37.5",
     "eslint-plugin-react-hooks": "^4.6.0",
-    "jest": "^28.1.3",
+    "jest": "^29.7.0",
     "memory-fs": "^0.5.0",
     "prettier": "^3.2.5",
     "swc-loader": "^0.1.15",
     "thenify": "^3.3.1",
-    "webpack": "^5.72.0",
+    "webpack": "5.93.0",
     "webpack-assets-manifest": "^5.0.6",
+    "webpack-subresource-integrity": "^5.1.0",
     "webpack-merge": "^5.8.0"
   },
   "peerDependencies": {
@@ -58,10 +59,11 @@
     "babel-loader": "^8.2.4 || ^9.0.0 || ^10.0.0",
     "compression-webpack-plugin": "^9.0.0 || ^10.0.0|| ^11.0.0",
     "terser-webpack-plugin": "^5.3.1",
-    "webpack": "^5.72.0",
-    "webpack-assets-manifest": "^5.0.6",
+    "webpack": "^5.76.0",
+    "webpack-assets-manifest": "^5.0.6 || ^6.0.0",
+    "webpack-subresource-integrity": "^5.1.0",
     "webpack-cli": "^4.9.2 || ^5.0.0 || ^6.0.0",
-    "webpack-dev-server": "^4.9.0 || ^5.0.0",
+    "webpack-dev-server": "^4.15.2 || ^5.2.2",
     "webpack-merge": "^5.8.0 || ^6.0.0"
   },
   "peerDependenciesMeta": {
@@ -70,6 +72,9 @@
     },
     "@types/webpack": {
       "optional": true
+    },
+    "webpack-subresource-integrity": {
+      "optional": true
     }
   },
   "packageManager": "yarn@1.22.22",

data/test/helpers.js

@@ -9,7 +9,7 @@ const createTrackLoader = () => {
     filesTracked,
     (source) => {
       filesTracked[source.resource] = true
-      return source
+      return "" // Fix #567
     }
   ]
 }