fix(node-webpack): CVE-2025-68157, CVE-2025-68458

[deepin-ci-robot]

Security Update

CVE ID: CVE-2025-68157, CVE-2025-68458

漏洞描述:

CVE-2025-68157: HTTP(S) resolver enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. This allows an import that appears restricted to a trusted allow-list to be redirected to URLs outside the allow-list.

CVE-2025-68458: HTTP(S) resolver can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check, a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host.

修复方案: Backport upstream security patches with adaptations for version 5.76.1

Upstream: webpack/webpack@2179fdbcb
Upstream: webpack/webpack@c51007023

Strategy: patch

Generated-By: glm-5.1
Co-Authored-By: hudeng hudeng@deepin.org

---

Generated by AI

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zccrs for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

TAG Bot

TAG: 5.76.1+dfsg1+_cs17.16.16-2
EXISTED: no
DISTRIBUTION: unstable

[hudeng-go]

/integrate

[github-actions]

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3970
PrNumber: 3970
PrBranch: auto-integration-25588745432