Update dependency webpack-dev-server [SECURITY]#29

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/npm-webpack-dev-server-vulnerability

renovate bot commented Apr 15, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	`^1.16.2` → `^5.0.0`
webpack-dev-server	`3.1.9` → `3.1.11`

GitHub Vulnerability Alerts

CVE-2018-14732

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

`v5.2.3`

`v5.2.2`

`v5.2.1`

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

`v5.2.0`

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

`v5.1.0`

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.4`

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

`v5.0.3`

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.2`

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.1`

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v5.0.0`

Features

add visual progress indicators (a8f40b7)
added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
allow the server option to be Function (#5275) (02a1c6d)
http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)
ipv6 output (#5270) (06005e7)
replace rimraf with rm (#5162) (1a1561f)
replace default gateway (#5255) (f5f0902)
support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

security: bump webpack-dev-middleware (#5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

types: proxy (#5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

types (#5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

avoid using eval in client (#5045) (7681477)
overlay and require-trusted-types-for (#5046) (e115436)

`v4.15.2`

4.15.2 (2024-03-20)

Bug Fixes

security: bump webpack-dev-middleware (4116209)

`v4.15.1`

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

replace :: with localhost before openBrowser() (#4856) (874c44b)
types: compatibility with @types/ws (#4899) (34bcec2)

`v4.15.0`

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

replace :: with localhost before openBrowser() (#4856) (874c44b)
types: compatibility with @types/ws (#4899) (34bcec2)

`v4.14.0`

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

`v4.13.3`

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

`v4.13.2`

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

`v4.13.1`

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

`v4.13.0`

Features

allow CLI to be ESM (#4837) (bb4a5d9)
allow filter overlay errors/warnings with function (#4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

perf: reduced initial start time (#4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

make webpack optional peer dependency (#4778) (71be54e)

`v4.12.0`

Features

allow to set the sockjs_url option (only sockjs) using the webSocketServer.options.sockjsUrl option (#4586) (69a2fba)
catch runtime error (#4605) (87a26cf)
improve styles for overlay (#4576) (791fb85)
open editor when clicking error on overlay (#4587) (efb2cec)

Bug Fixes

compatibility with experiments.buildHttp (#4585) (5b846cb)
respect NODE_PATH env variable (#4581) (b857e6f)

4.11.1 (2022-09-19)

Bug Fixes

respect client.logging option for all logs (#4572) (375835c)

`v4.11.1`

Features

allow to set the sockjs_url option (only sockjs) using the webSocketServer.options.sockjsUrl option (#4586) (69a2fba)
catch runtime error (#4605) (87a26cf)
improve styles for overlay (#4576) (791fb85)
open editor when clicking error on overlay (#4587) (efb2cec)

Bug Fixes

compatibility with experiments.buildHttp (#4585) (5b846cb)
respect NODE_PATH env variable (#4581) (b857e6f)

4.11.1 (2022-09-19)

Bug Fixes

respect client.logging option for all logs (#4572) (375835c)

`v4.11.0`

Features

allow to set the sockjs_url option (only sockjs) using the webSocketServer.options.sockjsUrl option (#4586) (69a2fba)
catch runtime error (#4605) (87a26cf)
improve styles for overlay (#4576) (791fb85)
open editor when clicking error on overlay (#4587) (efb2cec)

Bug Fixes

compatibility with experiments.buildHttp (#4585) (5b846cb)
respect NODE_PATH env variable (#4581) (b857e6f)

4.11.1 (2022-09-19)

Bug Fixes

respect client.logging option for all logs (#4572) (375835c)

`v4.10.1`

Features

make allowedHosts accept localhost subdomains by default (#4357) (0a33e6a)

Bug Fixes

auto reply to OPTIONS requests only when unhandled (#4559) (984af02), closes #4551

4.10.1 (2022-08-29)

Bug Fixes

compatibility with old browsers (#4544) (6a430d4)

`v4.10.0`

Features

make allowedHosts accept localhost subdomains by default (#4357) (0a33e6a)

Bug Fixes

auto reply to OPTIONS requests only when unhandled (#4559) (984af02), closes #4551

4.10.1 (2022-08-29)

Bug Fixes

compatibility with old browsers (#4544) (6a430d4)

`v4.9.3`

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)
history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

add @types/serve-static to dependencies (#4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

security problem with sockjs (#4465) (e765182)

`v4.9.2`

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)
history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

add @types/serve-static to dependencies (#4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

security problem with sockjs (#4465) (e765182)

`v4.9.1`

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)
history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

add @types/serve-static to dependencies (#4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

security problem with sockjs (#4465) (e765182)

`v4.9.0`

Features

allow to configure more client options via resource URL (#4274) (216e3cb)

Bug Fixes

response correctly when receive an OPTIONS request (#4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

avoid creation unnecessary stream for static sockjs file (#4482) (049b153)
history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

add @types/serve-static to dependencies (#4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

security problem with sockjs (#4465) (e765182)

`v4.8.1`

Features

support Trusted Types for client overlay (#4404) (8132e1d)

Bug Fixes

ie11 runtime (#4403) (256d5fb)
replace portfinder with custom implementation and fix security problem (#4384) (eea50f3)
use the host in options to check if port is available (#4385) (a10c7cf)

4.8.1 (2022-04-06)

Bug Fixes

types (#4373) (f6fe6be)

`v4.8.0`

Features

support Trusted Types for client overlay (#4404) (8132e1d)

Bug Fixes

ie11 runtime (#4403) (256d5fb)
replace portfinder with custom implementation and fix security problem (#4384) (eea50f3)
use the host in options to check if port is available (#4385) (a10c7cf)

4.8.1 (2022-04-06)

Bug Fixes

types (#4373) (f6fe6be)

`v4.7.4`

Features

export initialized socket client (#4304) (7920364)

Bug Fixes

update description for --no-client-reconnect (#4248) (317648d)
update description for --no-client ([#4250](https://redirect.github.com/

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency webpack-dev-server [SECURITY]

d201d9f

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet