webpack-dev-server

Backport security fixes from v5.2.1 to v4

Open nikwen opened this issue 6 months ago • 3 comments

Modification Proposal

Some projects are stuck on webpack-dev-server v4 because they have to support old Node.js versions.

v4 is still used by a large number of users. During the last 7 days, v4.15.2 alone received 3,356,309 downloads.

Expected Behavior / Situation

It would be great to have the security fixes from v5.2.1 backported to v4 and released as v4.15.3.

Actual Behavior / Situation

v4 currently does not have the security fixes. Millions of users are exposed to security vulnerabilities.

Please paste the results of npx webpack-cli info here, and mention other relevant information

  System:
    OS: macOS 15.5
    CPU: (8) arm64 Apple M1
    Memory: 212.97 MB / 16.00 GB
  Binaries:
    Node: 22.16.0 - /usr/local/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.9.2 - /usr/local/bin/npm
  Browsers:
    Brave Browser: 118.1.59.122
    Chrome: 137.0.7151.69
    Safari: 18.5

nikwen, Jun 08 '25 22:06

There's already a PR for this: https://github.com/webpack/webpack-dev-server/pull/5514, though it looks like there may be further changes needed.

MrBMT, Jun 09 '25 09:06

The PR was closed. It would be awesome if someone else could continue the work on the PR.

nikwen, Sep 10 '25 21:09

Hey @nikwen, sir, can I work on this issue?

ronakmaheshwari, Nov 08 '25 17:11