New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency webpack-dev-server to v3 [SECURITY] #5

Open

renovate wants to merge 1 commit into master from renovate/npm-webpack-dev-server-vulnerability

renovate bot commented Aug 29, 2019 •

edited

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack-dev-server	`^2.4.5` -> `^3.0.0`

GitHub Vulnerability Alerts

CVE-2018-14732

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Release Notes

webpack/webpack-dev-server

`v3.1.11`

Bug Fixes

bin/options: correct check for color support (options.color) (#1555) (55398b5)
package: update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563) (7a3a257)
Server: correct node version checks (#1543) (927a2b3)
Server: mime type for wasm in contentBase directory (#1575) (#1580) (fadae5d)
add url for compatibility with webpack@5 (#1598) (#1599) (68dd49a)
check origin header for websocket connection (#1603) (b3217ca)

`v3.1.10`

Bug Fixes

options: add writeToDisk option to schema (#1520) (d2f4902)
package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#1537) (e719959)
Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#1531) (c12def3)

`v3.1.9`

3.1.9 (2018-09-24)

`v3.1.8`

Bug Fixes

package: yargs security vulnerability (dependencies) (#1492) (8fb67c9)
utils/createLogger: ensure quiet always takes precedence (options.quiet) (#1486) (7a6ca47)

`v3.1.7`

Bug Fixes

Server: don't use spdy on node >= v10.0.0 (#1451) (8ab9eb6)

`v3.1.6`

Bug Fixes

bin: handle process signals correctly when the server isn't ready yet (#1432) (334c3a5)
examples/cli: correct template path in open-page example (#1401) (df30727)
schema: allow the output filename to be a {Function} (#1409) (e2220c4)

`v3.1.5`

Send the Progress event in the client so plugins can use it (#1427)
Update sockjs-client to fix infinite reconnection loop (#1434)

`v3.1.4`

Update to webpack-dev-middleware 3.1.3, which should fix paths with a space not working on Windows (#1392)
Fix logLevel option silent not being accepted by schema validation (#1372)

`v3.1.3`

Fix HMR causing a crash when trying to reload

`v3.1.2`

Speed up incremental builds (#1362)
Update webpack-dev-middleware to 3.1.2

`v3.1.1`

Bug Fixes

add workaround for Origin header in sockjs (#1608) (1dfd4fb)

`v3.1.0`

Updates

Fancy logging; webpack-log is now used for logging to the terminal (webpack-dev-middleware was already using this).
The logLevel option is added for more fine-grained control over the logging.

Bugfixes

MultiCompiler was broken with webpack 4.
Fix deprecation warnings caused by webpack 4. Note that you will still see some deprecation warnings because webpack-dev-middleware has not been updated yet.

`v3.0.0`

Updates

Breaking change: webpack v4 is now supported. Older versions of webpack are not supported.
Breaking change: drops support for Node.js v4, going forward we only support v6+ (same as webpack).
webpack-dev-middleware updated to v2 (see changes).

Bugfixes

After starting webpack-dev-server with an error in your code, it would not reload the page after fixing that error (#1317).
DynamicEntryPlugin is now supported correctly (#1319).

Huge thanks to all the contributors!

Please note that webpack-serve will eventually be the successor of webpack-dev-server. The core features already work so if you're brave enough give it a try!

`v2.11.5`

`v2.11.4`

`v2.11.3`

`v2.11.2`

`v2.11.1`

Our third attempt to fix compatibility with old browsers (#1273), this time we'll get it right.

`v2.11.0`

Version 2.11.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

`v2.10.1`

`v2.10.0`

Version 2.10.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

Important webpack-dev-server has entered a maintenance-only mode. We won't be accepting any new features or major modifications. We'll still welcome pull requests for fixes however, and will continue to address any bugs that arise. Announcement with specifics pending.

Bugfixes

iOS Safari 10 bug where SockJS couldn't be found (#1238)
reportTime option (#1209)
don't mutate stats configuration (#1174)
enable progress from config (#1181)

Updates

transpile client bundles with babel (#1242)
dependency updates (ce30460)
Increase minimum marked version for ReDos vuln (#1255)
Update sockjs dependency to fix auditjs security vulnerability warning

`v2.9.7`

`v2.9.6`

Bugfixes

fixes #1208: watchOptions not passed to chokidar in wds

`v2.9.5`

Updates

fixes #1198: bump express for security (6b2d7a0)

`v2.9.4`

Bugfixes

assert ssl certs aren't published. fixes #1171
fixes #860: failure to exit on SIGINT race condition (#1157)

`v2.9.3`

Bugfixes

Fixes #1082, #1142. bin file correctly prefers local module, uses it, and bails if local module detected.
Use dist/build sockjs-client instead of module source (#1148)

`v2.9.2`

Bugfixes

Changed property descriptor for Array.includes polyfill (#1134)

Updates

Remove header additional property validation (#1115)
Allow explicitly setting the protocol from the public option (#1117)
Updates readme with support, usage, and caveats (outlines no support for old IE)

`v2.9.1`

Patch release to resolve an errant log message in setup

`v2.9.0`

Note: Minor release due to addition of before and after hooks

Features

Deprecate setup in favor of before and after hooks (#1108)

Bugfixes

Fixed check for webpack/hot/log when setting HMR log level. (#1096)
fixes #1109: internal-ip update breaks useLocalIp option
Fix quote style to satisfy ESLint (#1098)

Updates

Made error overlay translucent. (#1097)

`v2.8.2`

Bugfixes

fixes #1087: yargs@8 causes error output with webpack@2.x
fixes #1084: template literals causing errors on IE (#1089) …
fixes #1086: promise configs fix and example

Updates

add promise-config example

`v2.8.1`

Bugfixes

fixes #1081, closes #1079. addDevServerEndpoints needs app stub for createDomain
fixes #1080 - jQuery update caused live bundle iframe issue
clean up progress option typo and options def

`v2.8.0`

Features

Print webpack progress to browser console (#1063)
Disable hot reloading with query string (#1068)

Bugfixes

Fixes issue #1064 by switching to a named logger (#1070)
Fix Broken Socket on Client for Custom/Random Port Numbers (#1060)
Addresses #998 to properly assign a random port and access the port assigned (#1054)
Don't generate ssl cert when one is already specified via options (#1036)
Fix for ./log module not found (#1050)
Fixes #1042: overlay doesn't clear if errors are fixed but warnings remain (#1043)
Handle IPv6-addresses correctly in checkHost() (#1026)

Updates

Allow --open option to specify the browser to use (#825)
Adds requestCert support to the server
Code cleanup and ESLint + eslint-config-webpack (#1058)
Include subjectAltName field in self-signed cert (#987)

`v2.7.1`

`v2.6.1`

Move loglevel from devDependencies to dependencies #1001

`v2.6.0`

Browser console messages now respect clientLogLevel (#921).
Don't output startup info if quiet is set to true (#970).
Only load Bonjour when needed (#958).
Set HMR log level (#926).
Do not show warnings @ overlay unless explicitly set (#881).
Add cli option --disable-host-check (#980).

`v2.5.1`

Bugfixes

Fix peer dependencies to support webpack 3 ( #946 ) ( Fixes #932 )

`v2.5.0`

Security

Don't provide a SSL cert, but generate one on demand. Unique for each developer.

https://medium.com/[@mikenorth/961572624c54](https://togithub.com/mikenorth/961572624c54) by Mike North

Bugfixes

allow port 0 again
add allowedHosts option
better check for WebWorker
add openPage option to open a specific page
add --bonjour
add lan option, which listen on lan ip by default

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          Update dependency webpack-dev-server to v3 [SECURITY]

61453a4

Author

renovate bot commented Mar 24, 2023 •

edited

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment