Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency webpack-dev-server to v3 [SECURITY] #74

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency webpack-dev-server to v3 [SECURITY] #74

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 11, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
webpack-dev-server 1.14.1 -> 3.1.11 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2018-14732

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v3.1.11

Compare Source

Bug Fixes

v3.1.10

Compare Source

Bug Fixes

v3.1.9

Compare Source

3.1.9 (2018-09-24)

v3.1.8

Compare Source

Bug Fixes
  • package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
  • utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

v3.1.7

Compare Source

Bug Fixes

v3.1.6

Compare Source

Bug Fixes
  • bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
  • examples/cli: correct template path in open-page example (#​1401) (df30727)
  • schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.5

Compare Source

  • Send the Progress event in the client so plugins can use it (#​1427)
  • Update sockjs-client to fix infinite reconnection loop (#​1434)

v3.1.4

Compare Source

  • Update to webpack-dev-middleware 3.1.3, which should fix paths with a space not working on Windows (#​1392)
  • Fix logLevel option silent not being accepted by schema validation (#​1372)

v3.1.3

Compare Source

  • Fix HMR causing a crash when trying to reload

v3.1.2

Compare Source

  • Speed up incremental builds (#​1362)
  • Update webpack-dev-middleware to 3.1.2

v3.1.1

Compare Source

Bug Fixes

v3.1.0

Compare Source

Updates

  • Fancy logging; webpack-log is now used for logging to the terminal (webpack-dev-middleware was already using this).
  • The logLevel option is added for more fine-grained control over the logging.

Bugfixes

  • MultiCompiler was broken with webpack 4.
  • Fix deprecation warnings caused by webpack 4. Note that you will still see some deprecation warnings because webpack-dev-middleware has not been updated yet.

v3.0.0

Compare Source

Updates

  • Breaking change: webpack v4 is now supported. Older versions of webpack are not supported.
  • Breaking change: drops support for Node.js v4, going forward we only support v6+ (same as webpack).
  • webpack-dev-middleware updated to v2 (see changes).

Bugfixes

  • After starting webpack-dev-server with an error in your code, it would not reload the page after fixing that error (#​1317).
  • DynamicEntryPlugin is now supported correctly (#​1319).

Huge thanks to all the contributors!

Please note that webpack-serve will eventually be the successor of webpack-dev-server. The core features already work so if you're brave enough give it a try!

v2.11.5

Compare Source

v2.11.4

Compare Source

v2.11.3

Compare Source

v2.11.2

Compare Source

v2.11.1

Compare Source

Our third attempt to fix compatibility with old browsers (#​1273), this time we'll get it right.

v2.11.0

Compare Source

Version 2.11.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

v2.10.1

Compare Source

v2.10.0

Compare Source

Version 2.10.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

Important webpack-dev-server has entered a maintenance-only mode. We won't be accepting any new features or major modifications. We'll still welcome pull requests for fixes however, and will continue to address any bugs that arise. Announcement with specifics pending.

Bugfixes

  • iOS Safari 10 bug where SockJS couldn't be found (#​1238)
  • reportTime option (#​1209)
  • don't mutate stats configuration (#​1174)
  • enable progress from config (#​1181)

Updates

  • transpile client bundles with babel (#​1242)
  • dependency updates (ce30460)
  • Increase minimum marked version for ReDos vuln (#​1255)
  • Update sockjs dependency to fix auditjs security vulnerability warning

v2.9.7

Compare Source

v2.9.6

Compare Source

Bugfixes

  • fixes #​1208: watchOptions not passed to chokidar in wds

v2.9.5

Compare Source

Updates

v2.9.4

Compare Source

Bugfixes

  • assert ssl certs aren't published. fixes #​1171
  • fixes #​860: failure to exit on SIGINT race condition (#​1157)

v2.9.3

Compare Source

Bugfixes

  • Fixes #​1082, #​1142. bin file correctly prefers local module, uses it, and bails if local module detected.
  • Use dist/build sockjs-client instead of module source (#​1148)

v2.9.2

Compare Source

Bugfixes

Changed property descriptor for Array.includes polyfill (#​1134)

Updates

Remove header additional property validation (#​1115)
Allow explicitly setting the protocol from the public option (#​1117)
Updates readme with support, usage, and caveats (outlines no support for old IE)

v2.9.1

Compare Source

Patch release to resolve an errant log message in setup

v2.9.0

Compare Source

Note: Minor release due to addition of before and after hooks

Features

Deprecate setup in favor of before and after hooks (#​1108)

Bugfixes

Fixed check for webpack/hot/log when setting HMR log level. (#​1096)
fixes #​1109: internal-ip update breaks useLocalIp option
Fix quote style to satisfy ESLint (#​1098)

Updates

Made error overlay translucent. (#​1097)

v2.8.2

Compare Source

Bugfixes

fixes #​1087: yargs@8 causes error output with webpack@2.x
fixes #​1084: template literals causing errors on IE (#​1089) …
fixes #​1086: promise configs fix and example

Updates

add promise-config example

v2.8.1

Compare Source

Bugfixes

fixes #​1081, closes #​1079. addDevServerEndpoints needs app stub for createDomain
fixes #​1080 - jQuery update caused live bundle iframe issue
clean up progress option typo and options def

v2.8.0

Compare Source

Features

  • Print webpack progress to browser console (#​1063)
  • Disable hot reloading with query string (#​1068)

Bugfixes

  • Fixes issue #​1064 by switching to a named logger (#​1070)
  • Fix Broken Socket on Client for Custom/Random Port Numbers (#​1060)
  • Addresses #​998 to properly assign a random port and access the port assigned (#​1054)
  • Don't generate ssl cert when one is already specified via options (#​1036)
  • Fix for ./log module not found (#​1050)
  • Fixes #​1042: overlay doesn't clear if errors are fixed but warnings remain (#​1043)
  • Handle IPv6-addresses correctly in checkHost() (#​1026)

Updates

  • Allow --open option to specify the browser to use (#​825)
  • Adds requestCert support to the server
  • Code cleanup and ESLint + eslint-config-webpack (#​1058)
  • Include subjectAltName field in self-signed cert (#​987)

v2.7.1

Compare Source

v2.6.1

Compare Source

  • Move loglevel from devDependencies to dependencies #​1001

v2.6.0

Compare Source

  • Browser console messages now respect clientLogLevel (#​921).
  • Don't output startup info if quiet is set to true (#​970).
  • Only load Bonjour when needed (#​958).
  • Set HMR log level (#​926).
  • Do not show warnings @​ overlay unless explicitly set (#​881).
  • Add cli option --disable-host-check (#​980).

v2.5.1

Compare Source

Bugfixes

Fix peer dependencies to support webpack 3 ( #​946 ) ( Fixes #​932 )

v2.5.0

Compare Source

Security

Don't provide a SSL cert, but generate one on demand. Unique for each developer.

https://medium.com/[@​mikenorth/961572624c54](https://redirect.github.com/mikenorth/961572624c54) by Mike North

Bugfixes

  • allow port 0 again
  • add allowedHosts option
  • better check for WebWorker
  • add openPage option to open a specific page
  • add --bonjour
  • add lan option, which listen on lan ip by default

v2.4.5

Compare Source

Bugfixes

  • fix a bug preventing publicHost from working

v2.4.4

Compare Source

Bugfixes:

  • add disableHostCheck to schema

v2.4.3

Compare Source

Security fix:

This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affect the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

  • Requests are not blocked when Host doesn't match listening host or public option.
  • Requests to localhost or 127.0.0.1 are not blocked.

Features:

  • Added disableHostCheck option to disable the host check

v2.4.2

Compare Source

  • Properly close CLI when SIGINT or SIGTERM is called. This should fix some Docker issues (#​787).
  • Fix for entry not working when it was a function (#​802).
  • Fix for exception when using webpack-dev-server in a webworker (#​813).
  • Fix refresh loop that could happen on Firefox (#​841).
  • contentBase as an array did not work when used via CLI (#​832).
  • Proxy options were mutated, so this could lead to problems when re-using them (#​836).

v2.4.1

Compare Source

  • After fixing a warning/error, the overlay was not always cleared correctly (3cb79bd).

v2.4.0

Compare Source

  • contentBase: false in combination with the historyApiFallback option threw an error (#​791).
  • Separate logic of adding entry points to the webpack config; this allows alternative implementations like the webpack grunt plugin to use this instead of copying the code (#​782).
  • Update SockJS dependency to fix issue with FireFox constantly refreshing the page (#​762).
  • Show clear error message when --open fails to open the browser (#​780).
  • Allow overlay option to also show compiler warnings (off by default) (#​790):
overlay: {
  errors: true,
  warnings: true
}

v2.3.0

Compare Source

  • Add new fancy error overlay in-browser, which shows up when there are compilation errors. Disabled by default, add overlay: true to enable (#​764)!
  • If you use --open and options.public, the browser will now open the same URL as you have defined in public (#​749).
  • options.port now allows strings to be passed in, previously only integers were accepted (#​766).

v2.2.1

Compare Source

v2.2.0

Compare Source

First webpack-dev-server 2 release

Following the webpack 2 release.
It's equal to the last RC.

If you're curious about the highlights, read this fancy Medium post.

v1.16.5

Compare Source

v1.16.4

Compare Source

Security fix:

This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affect the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

  • Requests are not blocked when Host doesn't match listening host or public option.
  • Requests to localhost or 127.0.0.1 are not blocked.

Features:

  • Added disableHostCheck option to disable the host check

v1.16.3

Compare Source

Probably the last release in the v1.x range:

  • Backport support for webpack config as a Promise.

v1.16.2

Compare Source

  • Backport a few fixes from v2:
    • Support for PFX files as SSL connection options (#​630).
    • Fix edge case where quickly refreshing the browser could result in the server crashing (#​637).
    • Webpack bundle assets were not loaded after using the proxy bypass feature (#​614).

v1.16.1

Compare Source

v1.16.0

Compare Source

  • Backport a few more fixes from v2:
    • Add clientLogLevel (--client-log-level for CLI) option. It controls the log messages shown in the browser. Available levels are error, warning, info or none (#​579).
    • Limit websocket retries when the server can't be reached (#​589).

v1.15.2

Compare Source

  • Backport a few fixes from v2 (#​604):
    • Using https and manually including the client script resulted in a wrong url for the websocket.
    • Manually including the client script didn't work resulted in a wrong url for the websocket in some cases.
    • Compatibility with platforms that don't use a hostname (Electron / Ionic).

v1.15.1

Compare Source

  • Fix the bypass config option for proxies (#​563).
  • Reverted a change that prevented clicks from registering in the iframe.
  • Fix using * as a proxy wildcard.
  • Avoid accessing document when using inline modus (#​577).

v1.15.0

Compare Source

  • Use http-proxy-middleware instead of http-proxy. This fixes compatibility with native web sockets (#​359).
  • Properly close the server, which fixes issues with the port not freeing up (#​357).
  • Add --stdin flag, to close the dev server on process exit (#​352).
  • Fix issues with incorrect socket urls (#​338, #​443, #​447).
  • Add --open flag to open a browser pointing to the server (#​329).
  • Add --public flag to override the url used for connecting to the web socket (#​368).
  • Allow array for options.contentBase, so multiple sources are allowed (#​374).
  • Add options.staticOptions to allow passing through Express static options (#​385).
  • Update self-signed certs (#​436).
  • Don't reload the app upon proxy errors (#​478).
  • Allow running dev-server behind https proxy (#​470).
  • Set headers on all requests to support e.g. CORS (#​499).
  • Fix --cacert flag not doing anything (#​532).
  • Allow using Express middleware (#​537).

Configuration

📅 Schedule: Branch creation - "" in timezone US/Eastern, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 19 times, most recently from 7a2383a to d6cd44b Compare April 22, 2024 02:10
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 11 times, most recently from dee2520 to 4844a8b Compare April 27, 2024 22:09
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 7 times, most recently from 4f3aa28 to 81f40d5 Compare April 28, 2024 18:49
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 754365c to 82e6e28 Compare July 20, 2024 10:35
@renovate renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from 82e6e28 to abb4acb Compare July 20, 2024 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants