Skip to content

Update dependency webpack-dev-server [SECURITY]#29

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-webpack-dev-server-vulnerability
Open

Update dependency webpack-dev-server [SECURITY]#29
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-webpack-dev-server-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 15, 2026

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
webpack-dev-server ^1.16.2^6.0.0 age confidence
webpack-dev-server 3.1.93.1.11 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Missing Origin Validation in webpack-dev-server

CVE-2018-14732 / GHSA-cf66-xwfp-gvc4

More information

Details

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v6.0.0

Compare Source

Major Changes
  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @​bjohansebas in #​5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @​bjohansebas in #​5674)

  • Drop support for Node.js < 22.15.0. (by @​bjohansebas in #​5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @​bjohansebas in #​5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @​bjohansebas in #​5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @​bjohansebas in #​5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @​bjohansebas in #​5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @​bjohansebas in #​5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @​bjohansebas in #​5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @​bjohansebas in #​5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @​bjohansebas in #​5674)

Minor Changes
  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @​bjohansebas in #​5674)

  • Enable the compression middleware for HTTP/2 connections. (by @​bjohansebas in #​5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @​bjohansebas in #​5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @​bjohansebas in #​5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @​bjohansebas in #​5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @​bjohansebas in #​5674)

Patch Changes
  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @​bjohansebas in #​5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @​bjohansebas in #​5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @​bjohansebas in #​5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @​bjohansebas in #​5674)

  • Update webpack-cli to v7.0.2. (by @​bjohansebas in #​5674)

v5.2.6

Compare Source

Patch Changes
  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #​5695)

    Restores accepting undefined (defaulting it to {}) for the options
    argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #​5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #​5699)

v5.2.5

Compare Source

Patch Changes
  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #​5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)
Bug Fixes
  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
5.2.3 (2026-01-12)
Bug Fixes
  • add cause for errorObject (#​5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#​5598) (f91baa8)
  • progress indicator styles (#​5557) (41a53a1)
  • upgrade selfsigned to v5
5.2.2 (2025-06-03)
Bug Fixes

v5.2.4

Compare Source

v5.2.3

Compare Source

v5.2.2

Compare Source

v5.2.1

Compare Source

Security
  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.2.0

Compare Source

Features
  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)
Bug Fixes
  • speed up initial client bundling (145b5d0)

v5.1.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.4

Compare Source

Security
  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes
  • prevent overlay for errors caught by React error boundaries (#​5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#​5411) (ffd0b86)

v5.0.3

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.2

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.1

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v5.0.0

Compare Source

Features
  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#​5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)
Bug Fixes
5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes

v4.15.2

Compare Source

4.15.2 (2024-03-20)
Bug Fixes
  • security: bump webpack-dev-middleware (4116209)

v4.15.1

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)
Bug Fixes

v4.15.0

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)
Bug Fixes

v4.14.0

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.3

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.2

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.1

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.13.0

Compare Source

Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
  • prevent open 0.0.0.0 in browser due windows problems (04e74f2)
4.13.1 (2023-03-18)
Bug Fixes

v4.12.0

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.11.1

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.11.0

Compare Source

Features
Bug Fixes
4.11.1 (2022-09-19)
Bug Fixes

v4.10.1

Compare Source

Features
  • make allowedHosts accept localhost subdomains by default (#​4357) (0a33e6a)
Bug Fixes
4.10.1 (2022-08-29)
Bug Fixes

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 3946a55 to 7a617ba Compare May 2, 2026 23:28
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] May 2, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 7a617ba to 5069fb4 Compare May 14, 2026 03:00
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] May 14, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 5069fb4 to 8c7e6e7 Compare May 17, 2026 12:06
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] May 17, 2026
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] May 23, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from f0ad5a5 to b22e426 Compare May 26, 2026 18:17
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] May 26, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from b22e426 to 5f88611 Compare May 30, 2026 16:33
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] May 30, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from c3f0ad4 to 9a28e13 Compare June 7, 2026 03:33
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] Jun 7, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 9a28e13 to 2b40183 Compare June 13, 2026 08:06
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] Jun 13, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 2b40183 to 8ad1a15 Compare June 14, 2026 20:14
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] Jun 14, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 8ad1a15 to 605c7f8 Compare June 21, 2026 03:48
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] Jun 21, 2026
@mergify

mergify Bot commented Jun 21, 2026

Copy link
Copy Markdown

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 605c7f8 to f7c3aa8 Compare June 25, 2026 04:19
@renovate renovate Bot changed the title Update dependency webpack-dev-server [SECURITY] Update dependency webpack-dev-server to v3.1.11 [SECURITY] Jun 25, 2026
@renovate
renovate Bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from f7c3aa8 to 87ad29e Compare July 18, 2026 03:59
@renovate renovate Bot changed the title Update dependency webpack-dev-server to v3.1.11 [SECURITY] Update dependency webpack-dev-server [SECURITY] Jul 18, 2026
@mergify

mergify Bot commented Jul 18, 2026

Copy link
Copy Markdown

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants