This repository has been archived by the owner on Dec 4, 2019. It is now read-only.

Update dependency webpack-dev-server to v3 [SECURITY] #145

Open

renovate wants to merge 1 commit into develop from renovate/npm-webpack-dev-server-vulnerability

renovate bot commented Mar 22, 2019 •

edited

Loading

This PR contains the following updates:

Package	Type	Update	Change
webpack-dev-server	devDependencies	major	`2.6.1` -> `3.1.11`

GitHub Vulnerability Alerts

CVE-2018-14732

An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.11. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.

Release Notes

webpack/webpack-dev-server

`v3.1.11`

Bug Fixes

regression in checkHost for checking Origin header (#1606) (8bb3ca8)

`v3.1.10`

Bug Fixes

bin/options: correct check for color support (options.color) (#1555) (55398b5)
package: update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563) (7a3a257)
Server: correct node version checks (#1543) (927a2b3)
Server: mime type for wasm in contentBase directory (#1575) (#1580) (fadae5d)
add url for compatibility with webpack@5 (#1598) (#1599) (68dd49a)
check origin header for websocket connection (#1603) (b3217ca)

`v3.1.9`

Bug Fixes

options: add writeToDisk option to schema (#1520) (d2f4902)
package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#1537) (e719959)
Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#1531) (c12def3)

`v3.1.8`

3.1.9 (2018-09-24)

`v3.1.7`

Bug Fixes

package: yargs security vulnerability (dependencies) (#1492) (8fb67c9)
utils/createLogger: ensure quiet always takes precedence (options.quiet) (#1486) (7a6ca47)

`v3.1.6`

Bug Fixes

Server: don't use spdy on node >= v10.0.0 (#1451) (8ab9eb6)

`v3.1.5`

Bug Fixes

bin: handle process signals correctly when the server isn't ready yet (#1432) (334c3a5)
examples/cli: correct template path in open-page example (#1401) (df30727)
schema: allow the output filename to be a {Function} (#1409) (e2220c4)

`v3.1.4`

Update to webpack-dev-middleware 3.1.3, which should fix paths with a space not working on Windows (#1392)
Fix logLevel option silent not being accepted by schema validation (#1372)

`v3.1.3`

Fix HMR causing a crash when trying to reload

`v3.1.2`

Speed up incremental builds (#1362)
Update webpack-dev-middleware to 3.1.2

`v3.1.1`

Bug Fixes

add workaround for Origin header in sockjs (#1608) (1dfd4fb)

`v3.1.0`

Updates

Fancy logging; webpack-log is now used for logging to the terminal (webpack-dev-middleware was already using this).
The logLevel option is added for more fine-grained control over the logging.

Bugfixes

MultiCompiler was broken with webpack 4.
Fix deprecation warnings caused by webpack 4. Note that you will still see some deprecation warnings because webpack-dev-middleware has not been updated yet.

`v3.0.0`

Updates

Breaking change: webpack v4 is now supported. Older versions of webpack are not supported.
Breaking change: drops support for Node.js v4, going forward we only support v6+ (same as webpack).
webpack-dev-middleware updated to v2 (see changes).

Bugfixes

After starting webpack-dev-server with an error in your code, it would not reload the page after fixing that error (#1317).
DynamicEntryPlugin is now supported correctly (#1319).

Huge thanks to all the contributors!

Please note that webpack-serve will eventually be the successor of webpack-dev-server. The core features already work so if you're brave enough give it a try!

`v2.11.5`

`v2.11.4`

`v2.11.3`

`v2.11.2`

`v2.11.1`

Our third attempt to fix compatibility with old browsers (#1273), this time we'll get it right.

`v2.11.0`

Version 2.11.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

`v2.10.1`

`v2.10.0`

Version 2.10.0 adds the transpilation of the client scripts via babel to ES5 which restores backwards compatibility (that was removed in 2.8.0) to very old or out of date browsers.

Important webpack-dev-server has entered a maintenance-only mode. We won't be accepting any new features or major modifications. We'll still welcome pull requests for fixes however, and will continue to address any bugs that arise. Announcement with specifics pending.

Bugfixes

iOS Safari 10 bug where SockJS couldn't be found (#1238)
reportTime option (#1209)
don't mutate stats configuration (#1174)
enable progress from config (#1181)

Updates

transpile client bundles with babel (#1242)
dependency updates (ce30460)
Increase minimum marked version for ReDos vuln (#1255)
Update sockjs dependency to fix auditjs security vulnerability warning

`v2.9.7`

`v2.9.6`

Bugfixes

fixes #1208: watchOptions not passed to chokidar in wds

`v2.9.5`

Updates

fixes #1198: bump express for security (6b2d7a0)

`v2.9.4`

Bugfixes

assert ssl certs aren't published. fixes #1171
fixes #860: failure to exit on SIGINT race condition (#1157)

`v2.9.3`

Bugfixes

Fixes #1082, #1142. bin file correctly prefers local module, uses it, and bails if local module detected.
Use dist/build sockjs-client instead of module source (#1148)

`v2.9.2`

Bugfixes

Changed property descriptor for Array.includes polyfill (#1134)

Updates

Remove header additional property validation (#1115)
Allow explicitly setting the protocol from the public option (#1117)
Updates readme with support, usage, and caveats (outlines no support for old IE)

`v2.9.1`

Patch release to resolve an errant log message in setup

`v2.9.0`

Note: Minor release due to addition of before and after hooks

Features

Deprecate setup in favor of before and after hooks (#1108)

Bugfixes

Fixed check for webpack/hot/log when setting HMR log level. (#1096)
fixes #1109: internal-ip update breaks useLocalIp option
Fix quote style to satisfy ESLint (#1098)

Updates

Made error overlay translucent. (#1097)

`v2.8.2`

Bugfixes

fixes #1087: yargs@8 causes error output with [email protected]
fixes #1084: template literals causing errors on IE (#1089) …
fixes #1086: promise configs fix and example

Updates

add promise-config example

`v2.8.1`

Bugfixes

fixes #1081, closes #1079. addDevServerEndpoints needs app stub for createDomain
fixes #1080 - jQuery update caused live bundle iframe issue
clean up progress option typo and options def

`v2.8.0`

Features

Print webpack progress to browser console (#1063)
Disable hot reloading with query string (#1068)

Bugfixes

Fixes issue #1064 by switching to a named logger (#1070)
Fix Broken Socket on Client for Custom/Random Port Numbers (#1060)
Addresses #998 to properly assign a random port and access the port assigned (#1054)
Don't generate ssl cert when one is already specified via options (#1036)
Fix for ./log module not found (#1050)
Fixes #1042: overlay doesn't clear if errors are fixed but warnings remain (#1043)
Handle IPv6-addresses correctly in checkHost() (#1026)

Updates

Allow --open option to specify the browser to use (#825)
Adds requestCert support to the server
Code cleanup and ESLint + eslint-config-webpack (#1058)
Include subjectAltName field in self-signed cert (#987)

`v2.7.1`

Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

Newsflash: Renovate has joined WhiteSource, and is now free for all use. Learn more or view updated terms and privacy policies.

renovate bot added bot dependency update labels

renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch 2 times, most recently from 4af67ad to cba6717 Compare

April 9, 2019 21:59

renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from cba6717 to ac6ccf0 Compare

May 19, 2019 06:58


          Update dependency webpack-dev-server to v3 [SECURITY]

fc0d17e

renovate bot force-pushed the renovate/npm-webpack-dev-server-vulnerability branch from ac6ccf0 to fc0d17e Compare

May 22, 2019 16:59

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

bot dependency update