Skip to content

Fix security issues reported by Dependabot for version 4 #5514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: version-4
Choose a base branch
from
Open

Fix security issues reported by Dependabot for version 4 #5514

wants to merge 2 commits into from
+265 −7

Conversation

kretajak
Copy link

@kretajak kretajak commented Jun 6, 2025

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

Fixes Security issues present in version 4 of webpack-dev-server. Similar fixes were already merged into version 5 of webpack-dev-server.

Motivation / Use-Case

Fix issues reported by Dependabot:

Breaking Changes

It is breaking change but it's security wise. Similar changes are already in 5.x.x branch. See commits d2575ad and 5c9378b

Additional Info

alexander-akait
alexander-akait reviewed Jun 6, 2025
View reviewed changes
lib/Server.js
const headers =
/** @type {{ [key: string]: string | undefined }} */
(req.headers);
if (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recently we added some fixes here to skip check for allowedHost, please add it here

@slorber slorber mentioned this pull request Jun 6, 2025
Closed
@slorber
Copy link

slorber commented Jun 6, 2025

Thanks, we'd also appreciate a backport for Docusaurus because our current minor supports Node 18.0, incompatible with dev server v5, and all newly initialized Docusaurus sites will get dev server v4.

We could bump to the latest Node 18 like Astro did recently (since it reached end of life) but if it's possible to avoid that it's better to not force our users to upgrade Node.js when upgrading a minor version (and I'd rather not release a new major version just for that security fix)

facebook/docusaurus#11252 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexander-akait alexander-akait alexander-akait left review comments

@hiroppy hiroppy Awaiting requested review from hiroppy hiroppy is a code owner

@snitin315 snitin315 Awaiting requested review from snitin315 snitin315 is a code owner

@anshumanv anshumanv Awaiting requested review from anshumanv anshumanv is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kretajak @slorber @alexander-akait @sapphi-red