
Update critters-webpack-plugin to 3.x to address CVE-2021-20066 #1707

Closed
nocive wants to merge 1 commit into preactjs:master from nocive:update-critters-CVE-2021-20066

Conversation


nocive commented Jul 7, 2022

What kind of change does this PR introduce?

Updates critters-webpack-plugin dependency to 3.x.

Did you add tests for your changes?
No.

Summary

The critters-webpack-plugin depends on jsdom which has a known CVE vulnerability in versions <16.5.0.
The latest version of critters-webpack-plugin (3.x) no longer depends on jsdom and therefore solves this issue.

See GHSA-f4c9-cqv8-9v98 for more information on the CVE.

Does this PR introduce a breaking change?

Looking at the critters-webpack-plugin changelog, none that I'm aware of.


changeset-bot Bot commented Jul 7, 2022

⚠️ No Changeset found

Latest commit: 0b339c3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



nocive commented Jul 7, 2022

@preactjs/cli can someone please approve the workflow so that the tests can run? 🙏

rschristian (Member) commented

Sorry, can't do.

critters has a peer dependency on html-webpack-plugin, and upgrading from critters v2 -> v3 bumps that peer dep requirement from v3 -> v4.

Bumping html-webpack-plugin requires another major due to it being a part of the public API.

#1608 already handles this, though it can't be released into preact-cli 3.x

@rschristian rschristian closed this Jul 7, 2022
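Added example, not code from this PR, from preact-cli or from critters: a small Node script that performs the two checks this thread turns on. First, whether a lockfile still installs a copy of jsdom inside the advisory's `<16.5.0` range, at any nesting depth, and whether that copy is reachable only through devDependencies (npm marks such entries `dev: true`), which is the build-time-only point rschristian makes. Second, whether the peer range critters-webpack-plugin 3.x declares on html-webpack-plugin is satisfied by what is currently installed, which is the v3 to v4 bump that blocks the upgrade. The lockfile fragment, the concrete version numbers and the exact peer range strings (`^3.0.0`, `^4.0.0`) are constructed assumptions; only the `<16.5.0` range and the v3 to v4 peer bump come from the thread.

```javascript
// Added example, not code from the preact-cli thread or from critters.
// Audits a constructed npm lockfile (lockfileVersion 2/3 "packages" layout)
// for (1) transitive copies of jsdom inside the advisory's "<16.5.0" range and
// (2) whether critters-webpack-plugin 3.x's peer range on html-webpack-plugin
// is met by what is currently installed.

function parseVersion(v) {
  // Major.minor.patch only; prerelease/build tags are ignored (assumption).
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does one comparator ("<16.5.0", ">=3.0.0", "^4.0.0", "=1.2.3") admit `version`?
function satisfiesComparator(version, comp) {
  if (comp.startsWith('^')) {
    // Caret: at least the base version, same major (same minor when major is 0).
    const base = comp.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [vMaj, vMin] = parseVersion(version);
    if (compareVersions(version, base) < 0) return false;
    return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
  }
  const m = /^(<=|>=|<|>|=)?\s*(.+)$/.exec(comp);
  const cmp = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<': return cmp < 0;
    case '<=': return cmp <= 0;
    case '>': return cmp > 0;
    case '>=': return cmp >= 0;
    default: return cmp === 0;
  }
}

// Minimal range matcher: comparators separated by spaces are ANDed, "||" ORs
// alternatives. Enough for the ranges in play here; not a full semver parser.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(c => satisfiesComparator(version, c)));
}

// Constructed lockfile fragment (versions chosen for illustration). The
// "dev: true" flag is what npm sets on packages reachable only through
// devDependencies, i.e. code that runs at build time and is never shipped.
const LOCKFILE = {
  packages: {
    '': { devDependencies: { 'critters-webpack-plugin': '^2.0.0', 'html-webpack-plugin': '^3.0.0' } },
    'node_modules/critters-webpack-plugin': {
      version: '2.5.0', dev: true,
      peerDependencies: { 'html-webpack-plugin': '^3.0.0' },
    },
    'node_modules/critters-webpack-plugin/node_modules/jsdom': { version: '16.4.0', dev: true },
    'node_modules/html-webpack-plugin': { version: '3.2.0', dev: true },
  },
};

// Every installed copy of `name`, at any nesting depth, whose version falls in
// `vulnerableRange`. The lockfile path shows which parent pulled it in, and
// `devOnly` whether it is reachable only from devDependencies.
function findVulnerable(lockfile, name, vulnerableRange) {
  return Object.entries(lockfile.packages)
    .filter(([path, pkg]) => path.endsWith(`node_modules/${name}`)
      && pkg.version && satisfies(pkg.version, vulnerableRange))
    .map(([path, pkg]) => ({ path, version: pkg.version, devOnly: pkg.dev === true }));
}

// For each peer range a candidate version declares, report the top-level
// installed version and whether it satisfies the range.
function checkPeers(lockfile, candidatePeers) {
  return Object.entries(candidatePeers).map(([peer, range]) => {
    const installed = lockfile.packages[`node_modules/${peer}`];
    const version = installed ? installed.version : null;
    return { peer, range, installed: version, ok: version !== null && satisfies(version, range) };
  });
}

// Peer ranges for the two critters major lines. The exact strings are an
// assumption; the thread only states the requirement moves from v3 to v4.
const CRITTERS_PEERS = {
  '2.x': { 'html-webpack-plugin': '^3.0.0' },
  '3.x': { 'html-webpack-plugin': '^4.0.0' },
};

function auditExample() {
  return {
    vulnerableJsdom: findVulnerable(LOCKFILE, 'jsdom', '<16.5.0'),
    peersAfterUpgradeTo3: checkPeers(LOCKFILE, CRITTERS_PEERS['3.x']),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditExample(), null, 2));
}
```

Run it with `node`. The jsdom hit comes back with `devOnly: true`, which is the observation rschristian makes: the package is reachable only from devDependencies, so it executes at build time on the developer's or CI machine and never reaches the browser bundle, which lowers the exposure for this consumer even though the advisory itself is valid. The peer check for `^4.0.0` fails against the installed 3.2.0, which is why the upgrade cannot be a drop-in change and needs the html-webpack-plugin major bump the maintainer refers to. Against a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json'))` and read the peer ranges from the candidate package's `package.json`.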

nocive commented Jul 7, 2022

@rschristian thanks for the context, wasn't aware of any of that.

Just for my own reference though, you're saying we can only count on this being patched in a future preact-cli 4.x version?


rschristian commented Jul 7, 2022

Unless Critters wants to release a patch for their 2.x line, yes.

Regardless, this vulnerability doesn't look like it actually matters? Critters is build-time only. It shouldn't affect anything.

JSDom improperly allows the loading of local resources, which allows for local files to be manipulated by a malicious web page when script execution is enabled.

Yeah this is totally irrelevant. There's no runtime to Critters or its deps.

rschristian (Member) commented

Just to clarify a bit, the "malicious web app" from that text would have to be your own. So the vulnerability here is that you could write your app to maliciously manipulate your files at build time only.

I have many problems with the current state of JS security warnings, and this is why.
