Update dependency webpack-dev-server to v2 - autoclosed #78

Conversation

mend-for-jackfan.us.kg[bot] (Contributor) commented Nov 20, 2022

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| webpack-dev-server | devDependencies | major | `^1.8.2` -> `^2.2.0` |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
| --- | --- | --- | --- |
| High | 9.8 | CVE-2022-0691 | #84 |
| High | 9.3 | CVE-2022-1650 | #68 |
| High | 9.1 | CVE-2022-0686 | #59 |
| High | 7.8 | WS-2018-0107 | #7 |
| High | 7.5 | CVE-2018-14732 | #38 |
| Medium | 5.3 | CVE-2022-0512 | #57 |
| Medium | 5.3 | CVE-2022-0639 | #58 |

Release Notes

webpack/webpack-dev-server

v2.2.0

First webpack-dev-server 2 release

Following the webpack 2 release.
It's equal to the last RC.

If you're curious about the highlights, read this fancy Medium post.

v1.16.5

v1.16.4

Security fix:

This version contains a security fix, which is also a breaking change if you have an insecure configuration.
We are releasing this breaking change as a patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request has to match the listening address or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affects the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

  • Requests are not blocked when Host doesn't match listening host or public option.
  • Requests to localhost or 127.0.0.1 are not blocked.

Features:

  • Added disableHostCheck option to disable the host check
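The Host check described in these release notes, written out as an added example; this is not webpack-dev-server's own code. It assumes the server knows the hostname it listens on (`listenHost`, a hypothetical option name) and the `public` host[:port] value and `disableHostCheck` flag named in the notes. The request's Host header is compared, after stripping the port, against the listening host, the `public` host, and loopback names (the notes say requests to localhost or 127.0.0.1 are not blocked); anything else is rejected with a short note in the response, which is how the dev server stops a page on another origin from reaching the bundle through DNS rebinding.

```javascript
// Normalise a Host header value to a comparable hostname: lower-case,
// port stripped, IPv6 brackets kept ("[::1]:8080" -> "[::1]").
// Returns null for a missing or malformed value.
function normalizeHost(value) {
  if (value === undefined || value === null) return null;
  const s = String(value).trim().toLowerCase();
  if (s === '') return null;
  if (s.startsWith('[')) {
    const end = s.indexOf(']');
    return end === -1 ? null : s.slice(0, end + 1);
  }
  const idx = s.indexOf(':');
  return idx === -1 ? s : s.slice(0, idx);
}

// Decide whether a request with this Host header may be served.
// options.listenHost is a hypothetical name for the address the server
// listens on; options.public and options.disableHostCheck follow the
// option names used in the release notes.
function isHostAllowed(hostHeader, options = {}) {
  if (options.disableHostCheck) return true; // explicit opt-out (proxy setups)
  const host = normalizeHost(hostHeader);
  if (host === null) return false; // no Host header: refuse rather than guess
  // Loopback is always accepted, as the release notes state.
  if (host === 'localhost' || host === '127.0.0.1' || host === '[::1]') return true;
  const allowed = new Set();
  const listen = normalizeHost(options.listenHost);
  const pub = normalizeHost(options.public);
  if (listen !== null) allowed.add(listen);
  if (pub !== null) allowed.add(pub);
  return allowed.has(host);
}

// Express-style middleware: on a mismatch, answer with the explanatory
// note the release notes mention instead of serving the asset.
function hostCheckMiddleware(options) {
  return function (req, res, next) {
    if (isHostAllowed(req.headers.host, options)) return next();
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Invalid Host header: set the public option or disableHostCheck');
  };
}

// Constructed sample requests (not captured traffic) for a server that
// listens on 192.0.2.10 and is published as dev.example.test:8080.
const sampleOptions = { listenHost: '192.0.2.10', public: 'dev.example.test:8080' };
const sampleRequests = [
  { host: 'localhost:8080', expect: true },
  { host: '127.0.0.1:8080', expect: true },
  { host: '192.0.2.10:8080', expect: true },
  { host: 'dev.example.test:8080', expect: true },
  { host: 'rebound.example:8080', expect: false }, // another origin's name
  { host: undefined, expect: false },
];

// Run every sample through the check; true when all decisions match.
function checkSamples() {
  return sampleRequests.every(
    (r) => isHostAllowed(r.host, sampleOptions) === r.expect
  );
}

module.exports = { normalizeHost, isHostAllowed, hostCheckMiddleware, checkSamples };
```

The comparison deliberately ignores the port: a browser sends the port it connected to, and it is the hostname, not the port, that a rebinding page cannot forge. Keep `disableHostCheck` off unless a reverse proxy in front of the server already enforces the Host it forwards.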

v1.16.3

Probably the last release in the v1.x range:

  • Backport support for webpack config as a Promise.

v1.16.2

  • Backport a few fixes from v2:
    • Support for PFX files as SSL connection options (#630).
    • Fix edge case where quickly refreshing the browser could result in the server crashing (#637).
    • Webpack bundle assets were not loaded after using the proxy bypass feature (#614).

v1.16.1

v1.16.0

  • Backport a few more fixes from v2:
    • Add clientLogLevel (--client-log-level for CLI) option. It controls the log messages shown in the browser. Available levels are error, warning, info or none (#579).
    • Limit websocket retries when the server can't be reached (#589).

v1.15.2

  • Backport a few fixes from v2 (#604):
    • Using https and manually including the client script resulted in a wrong url for the websocket.
    • Manually including the client script didn't work and resulted in a wrong url for the websocket in some cases.
    • Compatibility with platforms that don't use a hostname (Electron / Ionic).

v1.15.1

  • Fix the bypass config option for proxies (#563).
  • Reverted a change that prevented clicks from registering in the iframe.
  • Fix using * as a proxy wildcard.
  • Avoid accessing document when using inline modus (#577).

v1.15.0

  • Use http-proxy-middleware instead of http-proxy. This fixes compatibility with native web sockets (#359).
  • Properly close the server, which fixes issues with the port not freeing up (#357).
  • Add --stdin flag, to close the dev server on process exit (#352).
  • Fix issues with incorrect socket urls (#338, #443, #447).
  • Add --open flag to open a browser pointing to the server (#329).
  • Add --public flag to override the url used for connecting to the web socket (#368).
  • Allow array for options.contentBase, so multiple sources are allowed (#374).
  • Add options.staticOptions to allow passing through Express static options (#385).
  • Update self-signed certs (#436).
  • Don't reload the app upon proxy errors (#478).
  • Allow running dev-server behind https proxy (#470).
  • Set headers on all requests to support e.g. CORS (#499).
  • Fix --cacert flag not doing anything (#532).
  • Allow using Express middleware (#537).

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.0

v1.10.1

v1.10.0

v1.9.0

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the security fix Security fix generated by WhiteSource label Nov 20, 2022
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title Update dependency webpack-dev-server to v2 Update dependency webpack-dev-server to v2 - autoclosed Mar 26, 2023
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot deleted the whitesource-remediate/webpack-dev-server-2.x branch March 26, 2023 20:38