Update dependency webpack-dev-server to v3.1.11 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	^1.16.2 → ^3.1.11
webpack-dev-server	3.1.9 → 3.1.11

---

Missing Origin Validation in webpack-dev-server

CVE-2018-14732 / GHSA-cf66-xwfp-gvc4

More information

Details

Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Recommendation

For webpack-dev-server update to version 3.1.11 or later.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-14732
• https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10
• https://www.npmjs.com/advisories/725
• https://github.com/webpack/webpack-dev-server/issues/1445
• https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md#3111-2018-12-21
• https://github.com/webpack/webpack-dev-server/issues/1620
• https://github.com/advisories/GHSA-cf66-xwfp-gvc4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v3.1.11

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.10

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.9

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.8

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.7

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.6

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when bypass return false (#​1696) (aa7de77)
• respect stats option from webpack config (#​1665) (efaa740)
• use location.port when location.hostname is used to infer HMR socket URL (#​1664) (2f7f052)
• don't crash with express.static.mime.types (#​1765) (919ff77)

Features

• add option "serveIndex" to enable/disable serveIndex middleware (#​1752) (d5d60cb)
• add webpack as argument to before and after options (#​1760) (0984d4b)
• http2 option to enable/disable HTTP/2 with HTTPS (#​1721) (dcd2434)
• random port retry logic (#​1692) (419f02e)
• relax depth limit from chokidar for content base (#​1697) (7ea9ab9)

3.2.1 (2019-02-25)

Bug Fixes

• deprecation message about setup now warning about v4 (#​1684) (523a6ec)
• regression: allow ca, key and cert will be string (#​1676) (b8d5c1e)
• regression: handle key, cert, cacert and pfx in CLI (#​1688) (4b2076c)
• regression: problem with idb-connector after update internal-ip (#​1691) (eb48691)

3.1.14 (2018-12-24)

Bug Fixes

• add workaround for Origin header in sockjs (#​1608) (1dfd4fb)

3.1.13 (2018-12-22)

Bug Fixes

• delete a comma for Node.js <= v7.x (#​1609) (0bab1c0)

3.1.12 (2018-12-22)

Bug Fixes

• regression in checkHost for checking Origin header (#​1606) (8bb3ca8)

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#​1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#​1491) (#​1563) (7a3a257)
• Server: correct node version checks (#​1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#​1575) (#​1580) (fadae5d)
• add url for compatibility with webpack@​5 (#​1598) (#​1599) (68dd49a)
• check origin header for websocket connection (#​1603) (b3217ca)

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#​1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#​1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#​1531) (c12def3)

3.1.9 (2018-09-24)

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#​1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#​1486) (7a6ca47)

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#​1451) (8ab9eb6)

3.1.6 (2018-08-26)

Bug Fixes

• bin: handle process signals correctly when the server isn't ready yet (#​1432) (334c3a5)
• examples/cli: correct template path in open-page example (#​1401) (df30727)
• schema: allow the output filename to be a {Function} (#​1409) (e2220c4)

v3.1.5

Compare Source

Bug Fixes

• compatibility with webpack-cli@​3.3 (#​1754) (fd7cb0d)
• ignore proxy when byp

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.