Update dependency webpack-dev-server to v5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack-dev-server	^1.14.0 -> ^5.0.0

GitHub Vulnerability Alerts

CVE-2018-14732

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

---

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.1.0

Compare Source

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#​5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#​5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#​5269) (c3b532c)
• ipv6 output (#​5270) (06005e7)
• replace rimraf with rm (#​5162) (1a1561f)
• replace default gateway (#​5255) (f5f0902)
• support devServer: false (#​5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

• security: bump webpack-dev-middleware (#​5112) (aab576a)

5.0.3 (2024-03-12)

Bug Fixes

• types: proxy (#​5101) (6e1aed3)

5.0.2 (2024-02-16)

Bug Fixes

• types (#​5057) (da2c24d)

5.0.1 (2024-02-13)

Bug Fixes

• avoid using eval in client (#​5045) (7681477)
• overlay and require-trusted-types-for (#​5046) (e115436)

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v5.0.1

Compare Source

v5.0.0

Compare Source

Migration Guide and Changes.

4.15.1 (2023-06-09)

Bug Fixes

• replace :: with localhost before openBrowser() (#​4856) (874c44b)
• types: compatibility with @types/ws (#​4899) (34bcec2)

v4.15.2

Compare Source

4.15.2 (2024-03-20)

Bug Fixes

• security: bump webpack-dev-middleware (4116209)

v4.15.1

Compare Source

v4.15.0

Compare Source

Features

• overlay displays unhandled promise rejection (#​4849) (d1dd430)

v4.14.0

Compare Source

Features

• allow CLI to be ESM (#​4837) (bb4a5d9)
• allow filter overlay errors/warnings with function (#​4813) (aab01b3)

4.13.3 (2023-04-15)

Bug Fixes

• perf: reduced initial start time (#​4818) (fcf01d1)

4.13.2 (2023-03-31)

Bug Fixes

• prevent open 0.0.0.0 in browser due windows problems (04e74f2)

4.13.1 (2023-03-18)

Bug Fixes

• make webpack optional peer dependency (#​4778) (71be54e)

v4.13.3

Compare Source

v4.13.2

Compare Source

v4.13.1

Compare Source

v4.13.0

Compare Source

Features

• added client.overlay.runtimeErrors option to control runtime errors (#​4773) (dca2366)

v4.12.0

Compare Source

Features

• allow to set the sockjs_url option (only sockjs) using the webSocketServer.options.sockjsUrl option (#​4586) (69a2fba)
• catch runtime error (#​4605) (87a26cf)
• improve styles for overlay (#​4576) (791fb85)
• open editor when clicking error on overlay (#​4587) (efb2cec)

Bug Fixes

• compatibility with experiments.buildHttp (#​4585) (5b846cb)
• respect NODE_PATH env variable (#​4581) (b857e6f)

4.11.1 (2022-09-19)

Bug Fixes

• respect client.logging option for all logs (#​4572) (375835c)

v4.11.1

Compare Source

v4.11.0

Compare Source

Features

• make allowedHosts accept localhost subdomains by default (#​4357) (0a33e6a)

Bug Fixes

• auto reply to OPTIONS requests only when unhandled (#​4559) (984af02), closes #​4551

4.10.1 (2022-08-29)

Bug Fixes

• compatibility with old browsers (#​4544) (6a430d4)

v4.10.1

Compare Source

v4.10.0

Compare Source

Features

• allow to configure more client options via resource URL (#​4274) (216e3cb)

Bug Fixes

• response correctly when receive an OPTIONS request (#​4185) (2b3b7e0)

4.9.3 (2022-06-29)

Bug Fixes

• avoid creation unnecessary stream for static sockjs file (#​4482) (049b153)
• history-api-fallback now supports HEAD requests and handles them the same as GET (8936082)

4.9.2 (2022-06-06)

Bug Fixes

• add @types/serve-static to dependencies (#​4468) (af83deb)

4.9.1 (2022-05-31)

Bug Fixes

• security problem with sockjs (#​4465) (e765182)

v4.9.3

Compare Source

v4.9.2

Compare Source

v4.9.1

Compare Source

v4.9.0

Compare Source

Features

• support Trusted Types for client overlay (#​4404) (8132e1d)

Bug Fixes

• ie11 runtime (#​4403) (256d5fb)
• replace portfinder with custom implementation and fix security problem (#​4384) (eea50f3)
• use the host in options to check if port is available (#​4385) (a10c7cf)

4.8.1 (2022-04-06)

Bug Fixes

• types (#​4373) (f6fe6be)

v4.8.1

Compare Source

v4.8.0

Compare Source

Features

• export initialized socket client (#​4304) (7920364)

Bug Fixes

• update description for --no-client-reconnect (#​4248) (317648d)
• update description for --no-client (#​4250) (c3b6690)
• update description for --no-history-api-fallback (#​4277) (d63a0a2)
• update negated descriptions for more options (#​4287) (c64bd94)
• update schema to have negatedDescription only for type boolean (#​4280) (fcf8e8e)

4.7.4 (2022-02-02)

Bug Fixes

• add @​types/express (#​4226) (e55f728)
• negative descriptions (#​4216) (fd854c0)
• types for the proxy option (#​4173) (efec2f5)
• use CLI specific description for --open-app-name and --web-socket-server (#​4215) (329679a)

4.7.3 (2022-01-11)

Security

• update selfsigned to 2.0.0 version

4.7.2 (2021-12-29)

Bug Fixes

• apply onAfterSetupMiddleware after setupMiddlewares (as behavior earlier) (f6bc644)

4.7.1 (2021-12-22)

Bug Fixes

• removed url package, fixed compatibility with future webpack defaults (#​4132) (4e5d8ea)

v4.7.4

Compare Source

v4.7.3

Compare Source

v4.7.2

Compare Source

v4.7.1

Compare Source

v4.7.0

Compare Source

Features

• added the setupMiddlewares option and deprecated onAfterSetupMiddleware and onBeforeSetupMiddleware options (#​4068) (c13aa56)
• added types (8f02c3f)
• show deprecation warning for cacert option (#​4115) (c73ddfb)

Bug Fixes

• add description for watchFiles options (#​4057) (75f3817)
• allow passing options for custom server (#​4110) (fc8bed9)
• correct schema for ClientLogging (#​4084) (9b7ae7b)
• mark --open-app deprecated in favor of --open-app-name (#​4091) (693c28a)
• show deprecation warning for both https and http2 (#​4069) (d8d5d71)
• update --web-socket-server description (#​4098) (65955e9)
• update listen and close deprecation warning message (#​4097) (b217a19)
• update descriptions of https and server options (#​4094) (f97c9e2)

v4.6.0

Compare Source

Features

• allow to pass all chokidar options (#​4025) (5026601)

Bug Fixes

• reconnection logic (#​4044) (9b32c96)
• reload on warnings (#​4056) (1ba9720)

v4.5.0

Compare Source

Features

• add --web-socket-server-type option for CLI (#​4001) (17c390a)
• show deprecation warning for https/http2 option, migration guide for https and migration guide for http2 (because we use spdy for http2 due express doesn't support http2) (#​4003) (521cf85)

Bug Fixes

• infinity refresh on warnings (#​4006) (10da223)
• invalid host message is missing on client with https (#​3997) (#​3998) (ff0869c)
• remove process listeners after stopping the server (#​4013) (d198e4e)

v4.4.0

Compare Source

Features

• added the server option, now you can pass server options, example { server: { type: 'http', options: { maxHeaderSize: 32768 } } }, available options for http and https, note - for http2 is used spdy, options specified in the server.options option take precedence over https/http2 options (#​3940) (a70a7ef)
• added the client.reconnect option (#​3912) (5edad76)
• improve error handling within startCallback and endCallback (#​3969) (b0928ac)

Bug Fixes

• schema for web socket server type (#​3913) (f6aa6f7)
• typo in SSL information log (#​3939) (4c6103b)

4.3.1 (2021-10-04)

Bug Fixes

• perf (#​3906) (f6e2a19)

v4.3.1

Compare Source

v4.3.0

Compare Source

Features

• allow array for headers option (#​3847) (9911437)
• gracefully and force shutdown (#​3880) (db24b16)

Bug Fixes

• avoid web socket connection when web socket server is not running (#​3879) (8874d72)
• display file name for warnings/errors in overlay (#​3867) (d20def5)
• formatting errors/warnings (#​3877) (f0dbea0)
• handle 0 value of the port option property (ed67f66)

4.2.1 (2021-09-13)

Bug Fixes

• infinity loop for multi compiler mode (#​3840) (e019bd2)
• reloading logic for multi compiler mode (#​3841) (ef148ec)

4.2.0 (2021-09-09)

Features

• added the http.ca option (CLI option added too) (should be used instead cacert, because we will remove it in the next major release in favor the https.ca option)
• added the https.crl option (CLI options added too), more information
• https.ca/https.cacert/ https.cert/https.crl/https.key/https.pfx options are now accept Arrays of Buffer/string/Path to file, using --https-*-reset CLI options you can reset these options
• https.pfx/https.key can be Object[], more information
• https options can now accept custom options, you can use:

module.exports = {
  // Other options
  devServer: {
    https: {
      // Allow to set additional TSL options https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options
      minVersion: "TLSv1.1",
      ca: path.join(httpsCertificateDirectory, "ca.pem"),
      pfx: path.join(httpsCertificateDirectory, "server.pfx"),
      key: path.join(httpsCertificateDirectory, "server.key"),
      cert: path.join(httpsCertificateDirectory, "server.crt"),
      passphrase: "webpack-dev-server",
    },
  }
};

Bug Fixes

• accept connections with file: and chrome-extensions: protocol by default (#​3822) (138f064)
• close overlay on disconnection (#​3825) (011bcf1)
• respect https.cacert option (#​3820) (0002ebf)

4.1.1 (2021-09-07)

Bug Fixes

• improve the description of the magicHtml option (#​3772) (b80610f)
• replace ansi-html with ansi-html-community to avoid CVE (#​3801) (36fd214)

v4.2.1

Compare Source

v4.2.0

Compare Source

v4.1.1

Compare Source

v4.1.0

Compare Source

Features

• added the magicHtml option (#​3717) (4831f58)
• allow to set hot and live-reload for client using search params (1c57680)
• show warning when the hot option is enabled with the HMR plugin in config (#​3744) (6cb1e4e)

Bug Fixes

• change log type of Disconnected! to info (fde27f5)
• handle --allowed-hosts all correctly (#​3720) (326ed56)
• output documentation link on errors (#​3680) (e16221b)
• respect the bypass option with target/router options for proxy (b5dd568)

v4.0.0

Compare Source

v3.11.3

Compare Source

3.11.3 (2021-11-08)

Bug Fixes

• replace ansi-html with ansi-html-community (#​4011) (4fef67b)

v3.11.2

Compare Source

3.11.2 (2021-01-13)

Bug Fixes

• cli arguments for serve command (a5fe337)

v3.11.1

Compare Source

3.11.1 (2020-12-29)

Bug Fixes

• the open option works using webpack serve without value (#​2948) (4837dc9)
• vulnerable deps (#​2949) (78dde50)

v3.11.0

Compare Source

Features

• add icons for directory viewer (#​2441) (e953d01)
• allow multiple contentBasePublicPath paths (#​2489) (c6bdfe4)
• emit progress-update (#​2498) (4808abd), closes #​1666
• add invalidate endpoint (#​2493) (89ffb86)
• allow open option to accept an object (#​2492) (adeb92e)

Bug Fixes

• do not swallow errors from server (#​2512) (06583f2)
• security vulnerability in yargs-parser (#​2566) (41d1d0c)
• don't crash on setupExitSignals(undefined) (#​2507) (0d5c681)
• support entry descriptor (closes #​2453) (#​2465) (8bbef6a)
• update jquery (#​2516) (99ccfd8)

3.10.3 (2020-02-05)

Bug Fixes

• forward error requests to the proxy (#​2425) (e291cd4)

3.10.2 (2020-01-31)

Bug Fixes

• fallthrough non GET and HEAD request to routes (#​2374) (ebe8eca)
• add an optional peer dependency on webpack-cli (#​2396) (aa365df)
• add heartbeat for the websocket server (#​2404) (1a7c827)

3.10.1 (2019-12-19)

Bug Fixes

• ie11 compatibility (1306abe)

v3.10.3

Compare Source

v3.10.2

Compare Source

v3.10.1

Compare Source

v3.10.0

Compare Source

Features

• client: allow sock port to use location's port (sockPort: 'location') (#​2341) (dc10d06)
• server: add contentBasePublicPath option (#​2150) (cee700d)

Bug Fixes

• client: don't override protocol for socket connection to 127.0.0.1 (#​2303) (3a31917), closes #​2302
• server: respect sockPath on transportMode: 'ws' (#​2310) (#​2311) (e188542)
• https on chrome linux (#​2330) (dc8b475)
• support webpack@5 (#​2359) (8f89c01)

v3.9.0

Compare Source

Bug Fixes

• add hostname and port to bonjour name to prevent name collisions (#​2276) (d8af2d9)
• add extKeyUsage to self-signed cert (#​2274) (a4dbc3b)

Features

• add multiple openPage support (#​2266) (c9e9178)

3.8.2 (2019-10-02)

Security

• update selfsigned package

3.8.1 (2019-09-16)

Bug Fixes

• add null check for connection.headers (#​2200) (7964997)
• false positive for an absolute path in the ContentBase option on windows (#​2202) (68ecf78)
• add status in quiet log level (#​2235) (7e2224e)
• scriptHost in client (#​2246) (00903f6)

v3.8.2

Compare Source

v3.8.1

Compare Source

v3.8.0

Compare Source

Bug Fixes

• server: fix setupExitSignals usage (#​2181) (bbe410e)
• server: set port before instantiating server (#​2143) (cfbf229)
• check for name of HotModuleReplacementPlugin to avoid RangeError (#​2146) (4579775)
• server: check for external urls in array (#​1980) (fa78347)
• server: fix header check for socket server (#​2077) (7f51859)
• server: stricter headers security check (#​2092) (078ddca)

Features

• server: add transportMode (#​2116) (b5b9cb4)
• server: serverMode 'ws' option (#​2082) (04483f4)
• server/client: made progress option available to API (#​1961) (56274e4)

Potential Breaking changes

We have migrated serverMode and clientMode to transportMode as an experimental option. If you want to use this feature, you have to change your settings.

Related PR: https://github.com/webpack/webpack-dev-server/pull/2116

3.7.2 (2019-06-17)

Bug Fixes

• client: add default fallback for client (#​2015) (d26b444)
• open: set wait: false to run server.close successfully (#​2001) (2b4cb52)
• test: fixed ProvidePlugin.test.js (#​2002) (47453cb)

3.7.1 (2019-06-07)

Bug Fixes

• retry finding port when port is null and get ports in sequence (#​1993) (bc57514)

v3.7.2

Compare Source

v3.7.1

Compare Source

v3.7.0

Compare Source

Bug Fixes

• change clientLogLevel order to be called first (#​1973) (57c8c92)
• es6 syntax in client (#​1982) (802aa30)

v3.6.0

Compare Source

Bug Fixes

• config: enable --overlay (#​1968) (dc81e23)
• server: don't ignore node_modules by default (#​1970) (699f8b4), closes #​1794

Features

• server: add serverMode option (#​1937) (44a8cde)

3.5.1 (2019-06-01)

Bug Fixes

• allow passing promise function of webpack.config.js (#​1947) (8cf1053)

v3.5.1

Compare Source

v3.5.0

Compare Source

Bug Fixes

• add client code for electron-renderer target (#​1935) (9297988)
• add client code for node-webkit target (#​1942) (c6b2b1f)

Features

• server: onListening option (#​1930) (61d0cdf)
• server: add callback support for invalidate (#​1900) (cd218ef)
• server: add WEBPACK_DEV_SERVER env variable (#​1929) (856169e)

3.4.1 (2019-05-17)

Bug Fixes

• add none and warning to clientLogLevel ([#​1901](https://redirect.github

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.