Skip to content

fix: update webpack-dev-server to secure versions (^4.15.2 || ^5.2.2)#585

Merged
justin808 merged 1 commit into
mainfrom
fix/webpack-dev-server-security-update
Sep 9, 2025
Merged

fix: update webpack-dev-server to secure versions (^4.15.2 || ^5.2.2)#585
justin808 merged 1 commit into
mainfrom
fix/webpack-dev-server-security-update

Conversation

@justin808

Copy link
Copy Markdown
Member

Summary

Addresses critical security vulnerability CVE-2025-30359 in webpack-dev-server versions ≤5.2.0 that allows source code theft when users access malicious websites.

Changes

  • Updated webpack-dev-server peerDependency constraint from ^4.9.0 || ^5.0.0 to ^4.15.2 || ^5.2.2
  • Ensures new installations use secure versions by default
  • Maintains compatibility with both 4.x and 5.x branches
  • Installation template will still default to version 5.x (now 5.2.2+)

Security Impact

The vulnerability (CVE-2025-30359) allows attackers to steal source code by exploiting how webpack-dev-server handles script requests. The fix in versions 4.15.2+ and 5.2.1+ addresses origin validation issues.

Testing

  • ✅ All existing tests pass
  • ✅ ESLint passes
  • ✅ Version extraction logic verified to work correctly with new constraints

Migration Notes

Users can upgrade by running:

  • npm update webpack-dev-server
  • yarn upgrade webpack-dev-server
  • pnpm update webpack-dev-server

Resolves #584

🤖 Generated with Claude Code

Addresses security vulnerability CVE-2025-30359 in webpack-dev-server
versions ≤5.2.0 that allows source code theft. Updates peerDependencies
to require minimum secure versions:
- 4.x: ^4.15.2 (from ^4.9.0)
- 5.x: ^5.2.2 (from ^5.0.0)

Resolves #584

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Sep 9, 2025

Copy link
Copy Markdown

Warning

Rate limit exceeded

@justin808 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 2 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 0ae9408 and 80ef4e5.

📒 Files selected for processing (1)
  • package.json (1 hunks)
✨ Finishing Touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/webpack-dev-server-security-update

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@justin808 justin808 requested a review from tomdracz September 9, 2025 08:24
@justin808

Copy link
Copy Markdown
Member Author

Should we encourage moving to 5.x?

@justin808 justin808 merged commit ea16ce6 into main Sep 9, 2025
33 of 55 checks passed
@justin808 justin808 deleted the fix/webpack-dev-server-security-update branch September 9, 2025 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support webpack-dev-server 5.x with 4.x fallback for compatibility

2 participants