You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @bjohansebas in #5674)
Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @bjohansebas in #5674)
Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674)
Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @bjohansebas in #5674)
Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @bjohansebas in #5674)
Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @bjohansebas in #5674)
Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)
Minor Changes
Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @bjohansebas in #5674)
Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)
Remove the colorette dependency in favor of native ANSI styling. (by @bjohansebas in #5674)
Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @bjohansebas in #5674)
Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674)
Use the WHATWG URL API instead of the deprecated url.parse. (by @bjohansebas in #5674)
Patch Changes
Bump production dependencies, notably open to v11 and p-retry to v8. (by @bjohansebas in #5674)
Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @bjohansebas in #5691)
Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674)
Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @bjohansebas in #5674)
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/powershell-utils@0.1.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.2.6→6.0.0Release Notes
webpack/webpack-dev-server (webpack-dev-server)
v6.0.0Compare Source
Major Changes
Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @bjohansebas in #5674)
Bump the
webpackpeer dependency range from^5.0.0to^5.101.0. (by @bjohansebas in #5674)Drop support for Node.js < 22.15.0. (by @bjohansebas in #5674)
Convert the source to native ES modules. The package keeps
"type": "module"and now exposes both an ESM and a CommonJS build via theexportsfield: ESM consumersimportthe nativelib/, while CommonJS consumersrequire()a transpileddist/build — so the package works from both ESM and CommonJS, including environments whererequire(ESM)is not supported. (by @bjohansebas in #5674)Remove CLI flags. Use the
servecommand fromwebpack-clitogether with a configuration file or the programmatic API instead. (by @bjohansebas in #5674)Remove the
internalIPandinternalIPSyncstatic methods fromServer. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674)Remove the
bypassoption from proxy configuration. Use therouterorcontextoptions provided byhttp-proxy-middlewareinstead. (by @bjohansebas in #5674)Remove SockJS support. The
webSocketServeroption no longer accepts"sockjs"; use the default"ws"transport instead. (by @bjohansebas in #5674)Remove the
spdydependency. Use the built-innode:http2module via theserveroption for HTTP/2 support. (by @bjohansebas in #5674)Update
http-proxy-middlewareto v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @bjohansebas in #5674)Update
webpack-dev-middlewareto v8 and syncoriginalUrlfor middleware compatibility.server.middleware.getFilenameFromUrl()is now asynchronous and resolves to{ filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)Minor Changes
Add plugin support.
webpack-dev-servercan now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supportingMultiCompilersetups with multiple independent plugin servers. (by @bjohansebas in #5674)Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)
Remove the
colorettedependency in favor of native ANSI styling. (by @bjohansebas in #5674)Update
chokidarto v5 and extendwatchFiles.options.ignoredto support glob string patterns viatinyglobby. (by @bjohansebas in #5674)Use
compiler.platformto determine the target environment instead of inspecting the resolvedtargetstring. Universal targets ("universal"or["web", "node"], wherecompiler.platform.universalistruesince webpack5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674)Use the WHATWG
URLAPI instead of the deprecatedurl.parse. (by @bjohansebas in #5674)Patch Changes
Bump production dependencies, notably
opento v11 andp-retryto v8. (by @bjohansebas in #5674)Reject cross-site requests to the internal
open-editorandinvalidateendpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated viaSec-Fetch-Sitewith anOrigin/Hostfallback. (by @bjohansebas in #5691)Treat loopback aliases (
127.0.0.1,::1,localhost) as equivalent inisSameOriginso the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674)Migrate the test suite from Jest to
node:testand set up the jsdom environment. (by @bjohansebas in #5674)Update
webpack-clito v7.0.2. (by @bjohansebas in #5674)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.