Releases: webpack/webpack-dev-server
v2.7.0
v2.6.1
v2.6.0
v2.5.1
v2.5.0
Security
Don't provide a SSL cert, but generate one on demand. Unique for each developer.
https://medium.com/@mikenorth/961572624c54 by Mike North
Bugfixes
- allow port 0 again
- add
allowedHosts
option - better check for WebWorker
- add
openPage
option to open a specific page - add
--bonjour
- add
lan
option, which listen on lan ip by default
v2.4.5
v2.4.4
v2.4.3
Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct Host
header to the webpack-dev-server.
This allowed evil websites to access your assets.
The Host
header of the request have to match the listening adress or the host provided in the public
option.
Make sure to provide correct values here.
The response will contain a note when using an incorrect Host
header.
For usage behind a Proxy or similar setups we also added a disableHostCheck
option to disable this check.
Only use it when you know what you do. Not recommended.
This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2
Note: This only affect the development server and middleware. webpack and built bundles are not affected.
Credits to Ed Morley from Mozilla for reporting the issue.
Bugfixes:
- Requests are not blocked when
Host
doesn't match listening host orpublic
option. - Requests to
localhost
or127.0.0.1
are not blocked.
Features:
- Added
disableHostCheck
option to disable the host check
v1.16.4
Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct Host
header to the webpack-dev-server.
This allowed evil websites to access your assets.
The Host
header of the request have to match the listening adress or the host provided in the public
option.
Make sure to provide correct values here.
The response will contain a note when using an incorrect Host
header.
For usage behind a Proxy or similar setups we also added a disableHostCheck
option to disable this check.
Only use it when you know what you do. Not recommended.
This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2
Note: This only affect the development server and middleware. webpack and built bundles are not affected.
Credits to Ed Morley from Mozilla for reporting the issue.
Bugfixes:
- Requests are not blocked when
Host
doesn't match listening host orpublic
option. - Requests to
localhost
or127.0.0.1
are not blocked.
Features:
- Added
disableHostCheck
option to disable the host check
v2.4.2
- Properly close CLI when SIGINT or SIGTERM is called. This should fix some Docker issues (#787).
- Fix for
entry
not working when it was a function (#802). - Fix for exception when using webpack-dev-server in a webworker (#813).
- Fix refresh loop that could happen on Firefox (#841).
contentBase
as an array did not work when used via CLI (#832).- Proxy options were mutated, so this could lead to problems when re-using them (#836).