
Update npm package webpack-dev-server to v5.2.4 [SECURITY]#8738

Open

hash-worker[bot] wants to merge 1 commit into main from deps/js/npm-webpack-dev-server-vulnerability

Conversation

hash-worker Bot (Contributor) commented May 22, 2026

This PR contains the following updates:

Package             Change          Age   Confidence
webpack-dev-server  5.2.3 -> 5.2.4  age   confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-6402

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).

Resources


Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.4

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
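The advisory quoted above describes the bypass and the fix in prose. What follows is an added JavaScript example, not webpack-dev-server's or this repository's code: it models the v5.2.1 Sec-Fetch check (the check's exact shape is an assumption), applies the Cross-Origin-Resource-Policy header that 5.2.4 sets, and builds a stop-gap devServer block for installs still below 5.2.4 using the advisory's HTTPS workaround.

```javascript
// Added example, not webpack-dev-server's own code: models why the v5.2.1
// Sec-Fetch check lets plain-HTTP cross-origin <script> loads through and how
// the v5.2.4 Cross-Origin-Resource-Policy response header closes that gap.

// Illustrative model of the v5.2.1 check (an assumption about its shape, not a
// copy of the real code): reject a cross-site, no-cors load of the bundle.
function secFetchCheckBlocks(requestHeaders) {
  const mode = requestHeaders["sec-fetch-mode"];
  const site = requestHeaders["sec-fetch-site"];
  // Browsers omit both headers when the request URL is not potentially
  // trustworthy (plain http://), so such a request falls through unblocked.
  if (mode === undefined || site === undefined) return false;
  return mode === "no-cors" && site === "cross-site";
}

// The 5.2.4 fix: mark every response same-origin with CORP. The browser
// enforces this on the response itself, independently of Sec-Fetch-*, so a
// cross-origin <script> tag gets a network error instead of the bundle.
function withCorp(responseHeaders) {
  return { ...responseHeaders, "Cross-Origin-Resource-Policy": "same-origin" };
}

// Audit helper for a captured response (e.g. from `curl -I` against the dev
// server): true only when CORP is present and set to same-origin. Header
// names are case-insensitive, so normalise before comparing.
function responseIsProtected(responseHeaders) {
  const hit = Object.entries(responseHeaders).find(
    ([name]) => name.toLowerCase() === "cross-origin-resource-policy",
  );
  return hit !== undefined && String(hit[1]).trim().toLowerCase() === "same-origin";
}

// devServer block for a webpack config still on a version older than 5.2.4,
// as a stop-gap until the upgrade lands: the HTTPS workaround from the
// advisory plus the same CORP header that 5.2.4 sets.
function hardenedDevServerConfig() {
  return { server: { type: "https" }, headers: withCorp({}) };
}

// Constructed sample requests: what a cross-origin <script> tag produces over
// plain HTTP (no Sec-Fetch-*) versus over HTTPS (Sec-Fetch-* present).
const httpScriptRequest = { host: "localhost:8080", accept: "*/*" };
const httpsScriptRequest = {
  ...httpScriptRequest,
  "sec-fetch-mode": "no-cors",
  "sec-fetch-site": "cross-site",
};
```

Running `responseIsProtected` over the headers of a real dev-server response is a quick way to confirm the upgrade actually took effect on a given checkout.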

@hash-worker hash-worker Bot enabled auto-merge May 22, 2026 12:24
hash-worker Bot (Contributor, Author) commented May 22, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error This project's package.json defines "packageManager": "yarn@4.12.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment  Actions   Updated (UTC)
hash                  Error       Error     May 22, 2026 12:25pm

2 Skipped Deployments

Project               Deployment  Actions   Updated (UTC)
hashdotdesign-tokens  Ignored     Ignored   Preview  May 22, 2026 12:25pm
petrinaut             Skipped     Skipped   May 22, 2026 12:25pm

cursor Bot commented May 22, 2026

PR Summary

Low Risk
Low risk dependency patch update limited to the plugin-browser dev tooling; main risk is unexpected local dev/HMR behavior changes.

Overview
Updates apps/plugin-browser to use webpack-dev-server 5.2.4 (from 5.2.3) to pick up the latest patch/security fixes for the extension’s local development server.

Reviewed by Cursor Bugbot for commit 9bbba88. Bugbot is set up for automated code reviews on this repo. Configure here.

@github-actions github-actions Bot added area/deps Relates to third-party dependencies (area) area/apps labels May 22, 2026
augmentcode Bot commented May 22, 2026

🤖 Augment PR Summary

Summary: Updates the plugin-browser dev tooling dependency webpack-dev-server from 5.2.3 to 5.2.4.

Why: Pulls in upstream security patching for the recent dev-server cross-origin bundle exfiltration issue (CVE/GHSA noted in the PR description).

🤖 Was this summary useful? React with 👍 or 👎

augmentcode Bot left a comment

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.


Labels

area/apps area/deps Relates to third-party dependencies (area)


1 participant