New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency webpack-dev-server to v3 [SECURITY] #5

Open

renovate wants to merge 1 commit into master from renovate/npm-webpack-dev-server-vulnerability

renovate bot commented Sep 11, 2021 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack-dev-server	`1.16.5` -> `3.1.11`

GitHub Vulnerability Alerts

CVE-2018-14732

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server 2.x update to version 2.11.4 or later.
For webpack-dev-server 3.x update to version 3.1.11 or later.

Release Notes

webpack/webpack-dev-server

`v3.1.11`

Bug Fixes

bin/options: correct check for color support (options.color) (#1555) (55398b5)
package: update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563) (7a3a257)
Server: correct node version checks (#1543) (927a2b3)
Server: mime type for wasm in contentBase directory (#1575) (#1580) (fadae5d)
add url for compatibility with webpack@5 (#1598) (#1599) (68dd49a)
check origin header for websocket connection (#1603) (b3217ca)

`v3.1.10`

Bug Fixes

options: add writeToDisk option to schema (#1520) (d2f4902)
package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#1537) (e719959)
Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#1531) (c12def3)

`v3.1.9`

3.1.9 (2018-09-24)

`v3.1.8`

Bug Fixes

package: yargs security vulnerability (dependencies) (#1492) (8fb67c9)
utils/createLogger: ensure quiet always takes precedence (options.quiet) (#1486) (7a6ca47)

`v3.1.7`

Bug Fixes

Server: don't use spdy on node >= v10.0.0 (#1451) (8ab9eb6)

`v3.1.6`

Bug Fixes

bin: handle process signals correctly when the server isn't ready yet (#1432) (334c3a5)
examples/cli: correct template path in open-page example (#1401) (df30727)
schema: allow the output filename to be a {Function} (#1409) (e2220c4)

`v3.1.5`

Send the Progress event in the client so plugins can use it (#1427)
Update sockjs-client to fix infinite reconnection loop (#1434)

`v3.1.4`

Update to webpack-dev-middleware 3.1.3, which should fix paths with a space not working on Windows (#1392)
Fix logLevel option silent not being accepted by schema validation (#1372)

`v3.1.3`

Fix HMR causing a crash when trying to reload

`v3.1.2`

Speed up incremental builds (#1362)
Update webpack-dev-middleware to 3.1.2

`v3.1.1`

Bug Fixes

add workaround for Origin header in sockjs (#1608) (1dfd4fb)

`v3.1.0`

Updates

Fancy logging; webpack-log is now used for logging to the terminal (webpack-dev-middleware was already using this).
The logLevel option is added for more fine-grained control over the logging.

Bugfixes

MultiCompiler was broken with webpack 4.
Fix deprecation warnings caused by webpack 4. Note that you will still see some deprecation warnings because webpack-dev-middleware has not been updated yet.

`v3.0.0`

Updates

Breaking change: webpack v4 is now supported. Older versions of webpack are not supported.
Breaking change: drops support for Node.js v4, going forward we only support v6+ (same as webpack).
webpack-dev-middleware updated to v2 (see changes).

Bugfixes

After starting webpack-dev-server with an error in your code, it would not reload the page after fixing that error (#1317).
DynamicEntryPlugin is now supported correctly (#1319).

Huge thanks to all the contributors!

Please note that webpack-serve will eventually be the successor of webpack-dev-server. The core features already work so if you're brave enough give it a try!

`v2.11.5`

`v2.11.4`

`v2.11.3`

`v2.11.2`

`v2.11.1`

Our third attempt to fix compatibility with old browsers (#1273), this time we'll get it right.

`v2.11.0`

Version 2.11.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

`v2.10.1`

`v2.10.0`

Version 2.10.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

Important webpack-dev-server has entered a maintenance-only mode. We won't be accepting any new features or major modifications. We'll still welcome pull requests for fixes however, and will continue to address any bugs that arise. Announcement with specifics pending.

Bugfixes

iOS Safari 10 bug where SockJS couldn't be found (#1238)
reportTime option (#1209)
don't mutate stats configuration (#1174)
enable progress from config (#1181)

Updates

transpile client bundles with babel (#1242)
dependency updates (ce30460)
Increase minimum marked version for ReDos vuln (#1255)
Update sockjs dependency to fix auditjs security vulnerability warning

`v2.9.7`

`v2.9.6`

Bugfixes

fixes #1208: watchOptions not passed to chokidar in wds

`v2.9.5`

Updates

fixes #1198: bump express for security (6b2d7a0)

`v2.9.4`

Bugfixes

assert ssl certs aren't published. fixes #1171
fixes #860: failure to exit on SIGINT race condition (#1157)

`v2.9.3`

Bugfixes

Fixes #1082, #1142. bin file correctly prefers local module, uses it, and bails if local module detected.
Use dist/build sockjs-client instead of module source (#1148)

`v2.9.2`

Bugfixes

Changed property descriptor for Array.includes polyfill (#1134)

Updates

Remove header additional property validation (#1115)
Allow explicitly setting the protocol from the public option (#1117)
Updates readme with support, usage, and caveats (outlines no support for old IE)

`v2.9.1`

Patch release to resolve an errant log message in setup

`v2.9.0`

Note: Minor release due to addition of before and after hooks

Features

Deprecate setup in favor of before and after hooks (#1108)

Bugfixes

Fixed check for webpack/hot/log when setting HMR log level. (#1096)
fixes #1109: internal-ip update breaks useLocalIp option
Fix quote style to satisfy ESLint (#1098)

Updates

Made error overlay translucent. (#1097)

`v2.8.2`

Bugfixes

fixes #1087: yargs@8 causes error output with [email protected]
fixes #1084: template literals causing errors on IE (#1089) …
fixes #1086: promise configs fix and example

Updates

add promise-config example

`v2.8.1`

Bugfixes

fixes #1081, closes #1079. addDevServerEndpoints needs app stub for createDomain
fixes #1080 - jQuery update caused live bundle iframe issue
clean up progress option typo and options def

`v2.8.0`

Features

Print webpack progress to browser console (#1063)
Disable hot reloading with query string (#1068)

Bugfixes

Fixes issue #1064 by switching to a named logger (#1070)
Fix Broken Socket on Client for Custom/Random Port Numbers (#1060)
Addresses #998 to properly assign a random port and access the port assigned (#1054)
Don't generate ssl cert when one is already specified via options (#1036)
Fix for ./log module not found (#1050)
Fixes #1042: overlay doesn't clear if errors are fixed but warnings remain (#1043)
Handle IPv6-addresses correctly in checkHost() (#1026)

Updates

Allow --open option to specify the browser to use (#825)
Adds requestCert support to the server
Code cleanup and ESLint + eslint-config-webpack (#1058)
Include subjectAltName field in self-signed cert (#987)

`v2.7.1`

`v2.6.1`

Move loglevel from devDependencies to dependencies #1001

`v2.6.0`

Browser console messages now respect clientLogLevel (#921).
Don't output startup info if quiet is set to true (#970).
Only load Bonjour when needed (#958).
Set HMR log level (#926).
Do not show warnings @ overlay unless explicitly set (#881).
Add cli option --disable-host-check (#980).

`v2.5.1`

Bugfixes

Fix peer dependencies to support webpack 3 ( #946 ) ( Fixes #932 )

`v2.5.0`

Security

Don't provide a SSL cert, but generate one on demand. Unique for each developer.

https://medium.com/[@mikenorth/961572624c54](https://togithub.com/mikenorth/961572624c54) by Mike North

Bugfixes

allow port 0 again
add allowedHosts option
better check for WebWorker
add openPage option to open a specific page
add --bonjour
add lan option, which listen on lan ip by default

`v2.4.5`

Bugfixes

fix a bug preventing publicHost from working

`v2.4.4`

Bugfixes:

add disableHostCheck to schema

`v2.4.3`

Security fix:

This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affect the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

Requests are not blocked when Host doesn't match listening host or public option.
Requests to localhost or 127.0.0.1 are not blocked.

Features:

Added disableHostCheck option to disable the host check

`v2.4.2`

Properly close CLI when SIGINT or SIGTERM is called. This should fix some Docker issues (#787).
Fix for entry not working when it was a function (#802).
Fix for exception when using webpack-dev-server in a webworker (#813).
Fix refresh loop that could happen on Firefox (#841).
contentBase as an array did not work when used via CLI (#832).
Proxy options were mutated, so this could lead to problems when re-using them (#836).

`v2.4.1`

After fixing a warning/error, the overlay was not always cleared correctly (3cb79bd).

`v2.4.0`

contentBase: false in combination with the historyApiFallback option threw an error (#791).
Separate logic of adding entry points to the webpack config; this allows alternative implementations like the webpack grunt plugin to use this instead of copying the code (#782).
Update SockJS dependency to fix issue with FireFox constantly refreshing the page (#762).
Show clear error message when --open fails to open the browser (#780).
Allow overlay option to also show compiler warnings (off by default) (#790):

overlay: {
  errors: true,
  warnings: true
}

`v2.3.0`

Add new fancy error overlay in-browser, which shows up when there are compilation errors. Disabled by default, add overlay: true to enable (#764)!
If you use --open and options.public, the browser will now open the same URL as you have defined in public (#749).
options.port now allows strings to be passed in, previously only integers were accepted (#766).

`v2.2.1`

`v2.2.0`

First webpack-dev-server 2 release

Following the webpack 2 release.
It's equal to the last RC.

If you're curious about the highlights, read this fancy Medium post.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.


          Update dependency webpack-dev-server to v3 [SECURITY]

a2268e8

renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from fad95f4 to a2268e8 Compare

September 11, 2021 07:15

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet