Update dependency webpack-dev-server [SECURITY]#29
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
May 2, 2026 23:28
3946a55 to
7a617ba
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
May 14, 2026 03:00
7a617ba to
5069fb4
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
May 17, 2026 12:06
5069fb4 to
8c7e6e7
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
May 26, 2026 18:17
f0ad5a5 to
b22e426
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
May 30, 2026 16:33
b22e426 to
5f88611
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
2 times, most recently
from
June 7, 2026 03:33
c3f0ad4 to
9a28e13
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 13, 2026 08:06
9a28e13 to
2b40183
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 14, 2026 20:14
2b40183 to
8ad1a15
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 21, 2026 03:48
8ad1a15 to
605c7f8
Compare
|
Tick the box to add this pull request to the merge queue (same as
|
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
June 25, 2026 04:19
605c7f8 to
f7c3aa8
Compare
renovate
Bot
force-pushed
the
renovate/npm-webpack-dev-server-vulnerability
branch
from
July 18, 2026 03:59
f7c3aa8 to
87ad29e
Compare
|
Tick the box to add this pull request to the merge queue (same as
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.16.2→^6.0.03.1.9→3.1.11Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Missing Origin Validation in webpack-dev-server
CVE-2018-14732 / GHSA-cf66-xwfp-gvc4
More information
Details
Versions of
webpack-dev-serverbefore 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.Recommendation
For
webpack-dev-serverupdate to version 3.1.11 or later.Severity
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
webpack/webpack-dev-server (webpack-dev-server)
v6.0.0Compare Source
Major Changes
Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @bjohansebas in #5674)
Bump the
webpackpeer dependency range from^5.0.0to^5.101.0. (by @bjohansebas in #5674)Drop support for Node.js < 22.15.0. (by @bjohansebas in #5674)
Convert the source to native ES modules. The package keeps
"type": "module"and now exposes both an ESM and a CommonJS build via theexportsfield: ESM consumersimportthe nativelib/, while CommonJS consumersrequire()a transpileddist/build — so the package works from both ESM and CommonJS, including environments whererequire(ESM)is not supported. (by @bjohansebas in #5674)Remove CLI flags. Use the
servecommand fromwebpack-clitogether with a configuration file or the programmatic API instead. (by @bjohansebas in #5674)Remove the
internalIPandinternalIPSyncstatic methods fromServer. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674)Remove the
bypassoption from proxy configuration. Use therouterorcontextoptions provided byhttp-proxy-middlewareinstead. (by @bjohansebas in #5674)Remove SockJS support. The
webSocketServeroption no longer accepts"sockjs"; use the default"ws"transport instead. (by @bjohansebas in #5674)Remove the
spdydependency. Use the built-innode:http2module via theserveroption for HTTP/2 support. (by @bjohansebas in #5674)Update
http-proxy-middlewareto v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @bjohansebas in #5674)Update
webpack-dev-middlewareto v8 and syncoriginalUrlfor middleware compatibility.server.middleware.getFilenameFromUrl()is now asynchronous and resolves to{ filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)Minor Changes
Add plugin support.
webpack-dev-servercan now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supportingMultiCompilersetups with multiple independent plugin servers. (by @bjohansebas in #5674)Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)
Remove the
colorettedependency in favor of native ANSI styling. (by @bjohansebas in #5674)Update
chokidarto v5 and extendwatchFiles.options.ignoredto support glob string patterns viatinyglobby. (by @bjohansebas in #5674)Use
compiler.platformto determine the target environment instead of inspecting the resolvedtargetstring. Universal targets ("universal"or["web", "node"], wherecompiler.platform.universalistruesince webpack5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674)Use the WHATWG
URLAPI instead of the deprecatedurl.parse. (by @bjohansebas in #5674)Patch Changes
Bump production dependencies, notably
opento v11 andp-retryto v8. (by @bjohansebas in #5674)Reject cross-site requests to the internal
open-editorandinvalidateendpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated viaSec-Fetch-Sitewith anOrigin/Hostfallback. (by @bjohansebas in #5691)Treat loopback aliases (
127.0.0.1,::1,localhost) as equivalent inisSameOriginso the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674)Migrate the test suite from Jest to
node:testand set up the jsdom environment. (by @bjohansebas in #5674)Update
webpack-clito v7.0.2. (by @bjohansebas in #5674)v5.2.6Compare Source
Patch Changes
fix: allow
undefinedas theServerconstructoroptionsargument again (by @bjohansebas in #5695)Restores accepting
undefined(defaulting it to{}) for theoptionsargument, so passing a webpack config's optional
devServerfield type-checks and works as before.Protect the built-in state-changing routes (
/webpack-dev-server/invalidateand/webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked withSec-Fetch-Site(falling back to anOrigin/Hostcomparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @bjohansebas in #5698)Handle malformed
HostandOriginheader values gracefully when validating requests. (by @bjohansebas in #5699)v5.2.5Compare Source
Patch Changes
All notable changes to this project will be documented in this file. See standard-version for commit guidelines.
5.2.4 (2026-05-11)
Bug Fixes
5.2.3 (2026-01-12)
Bug Fixes
causeforerrorObject(#5518) (37b033d)5.2.2 (2025-06-03)
Bug Fixes
X_TEST(#5451) (64a6124)allowedHostsoption for cross-origin header check (#5510) (03d1214)v5.2.4Compare Source
v5.2.3Compare Source
v5.2.2Compare Source
v5.2.1Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.2.0Compare Source
Features
getClientEntryandgetClientHotEntrymethods to get clients entries (dc642a8)Bug Fixes
v5.1.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.4Compare Source
Security
Access-Control-Allow-OriginheaderOriginheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheaderThe above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.0.3Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.2Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.1Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v5.0.0Compare Source
Features
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148)serveroption to beFunction(#5275) (02a1c6d)connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)Bug Fixes
platformproperty to determinate the target (#5269) (c3b532c)rimrafwithrm(#5162) (1a1561f)devServer: false(#5272) (8b341cb)5.0.4 (2024-03-19)
Bug Fixes
5.0.3 (2024-03-12)
Bug Fixes
5.0.2 (2024-02-16)
Bug Fixes
5.0.1 (2024-02-13)
Bug Fixes
require-trusted-types-for(#5046) (e115436)v4.15.2Compare Source
4.15.2 (2024-03-20)
Bug Fixes
v4.15.1Compare Source
Migration Guide and Changes.
4.15.1 (2023-06-09)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.15.0Compare Source
Migration Guide and Changes.
4.15.1 (2023-06-09)
Bug Fixes
::withlocalhostbefore openBrowser() (#4856) (874c44b)@types/ws(#4899) (34bcec2)v4.14.0Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.3Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.2Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.1Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.13.0Compare Source
Features
4.13.3 (2023-04-15)
Bug Fixes
4.13.2 (2023-03-31)
Bug Fixes
4.13.1 (2023-03-18)
Bug Fixes
v4.12.0Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022-09-19)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.11.1Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022-09-19)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.11.0Compare Source
Features
sockjs_urloption (onlysockjs) using thewebSocketServer.options.sockjsUrloption (#4586) (69a2fba)Bug Fixes
experiments.buildHttp(#4585) (5b846cb)NODE_PATHenv variable (#4581) (b857e6f)4.11.1 (2022-09-19)
Bug Fixes
client.loggingoption for all logs (#4572) (375835c)v4.10.1Compare Source
Features
Bug Fixes
4.10.1 (2022-08-29)
Bug Fixes
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.