webpack-dev-server
Fix security issues reported by Dependabot for version 4
- [x] This is a bugfix
- [ ] This is a feature
- [ ] This is a code refactor
- [ ] This is a test update
- [ ] This is a docs update
- [ ] This is a metadata update
For Bugs and Features; did you add new tests?
Fixes security issues present in version 4 of webpack-dev-server. Similar fixes were already merged into version 5 of webpack-dev-server.
Motivation / Use-Case
Fix issues reported by Dependabot:
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h
- https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
Breaking Changes
It is a breaking change, but it's security-wise. Similar changes are already in the 5.x.x branch. See commits d2575ad8dfed9207ed810b5ea0ccf465115a2239 and 5c9378bb01276357d7af208a0856ca2163db188e
Additional Info
Thanks, we'd also appreciate a backport for Docusaurus because our current minor supports Node 18.0, incompatible with dev server v5, and all newly initialized Docusaurus sites will get dev server v4.
We could bump to the latest Node 18 like Astro did recently (since it reached end of life) but if it's possible to avoid that it's better to not force our users to upgrade Node.js when upgrading a minor version (and I'd rather not release a new major version just for that security fix)
https://github.com/facebook/docusaurus/discussions/11252#discussioncomment-13394208
Hello :) Is there an ETA for the release of potentially version 4.15.3 with the changes from this PR?
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: sapphi-red / name: 翠 (5ba835f20993800ad6538b63a772cc77c91033b3, ba2e692c170df23e0718c6be2e823e194c4252a2)
- :white_check_mark: login: alexander-akait / name: Alexander Akait (8de77820fbe94af6f5b533adb335d68723cd51be)
@kretajak Can you change your email in the last commit? The CLA check has failed; we can't merge commits without a CLA.
@pikachugb This week
I have converted it to draft as it's incomplete.
Hello, when will this version be published, please?
@hiroppy @anshumanv @snitin315 could you guys please review the PR, and if it's good, can it be published?
As I wrote here: https://github.com/webpack/webpack-dev-server/pull/5514#discussion_r2135269069 backporting these extra changes is not straightforward. I would recommend dropping the last commit and merging this PR with the very first two commits, as they are essentially fixing the security issue.
That sounds good, we are looking forward to getting this release.
@kretajak Do you need any help with this?
That would be great, if you feel changes from https://github.com/webpack/webpack-dev-server/commit/03d12141bf7be09dfb14e91e5c834ee63bd9a9a2 and https://github.com/webpack/webpack-dev-server/commit/6045b1e9d63078fb24cac52eb361b7356944cddd must be incorporated here.
Any news on this one? @kretajak @alexander-akait
Hi, I'm not able to continue the effort, as I do not feel confident enough to incorporate changes from https://github.com/webpack/webpack-dev-server/commit/03d12141bf7be09dfb14e91e5c834ee63bd9a9a2 and https://github.com/webpack/webpack-dev-server/commit/6045b1e9d63078fb24cac52eb361b7356944cddd.
Hi :) Is there an ETA for the new version 4 release?