Fix security issues reported by Dependabot for version 4 by kretajak · Pull Request #5514

Fix security issues reported by Dependabot for version 4 by kretajak · Pull Request #5514 · webpack/webpack-dev-server

This is a bugfix
This is a feature
This is a code refactor
This is a test update
This is a docs update
This is a metadata update

For Bugs and Features; did you add new tests?

Fixes Security issues present in version 4 of webpack-dev-server. Similar fixes were already merged into version 5 of webpack-dev-server.

Motivation / Use-Case

Fix issues reported by Dependabot:

Breaking Changes

It is breaking change but it's security wise. Similar changes are already in 5.x.x branch. See commits d2575ad and 5c9378b

Additional Info

…lowed to connect to WebSocket

		const headers =
		/** @type {{ [key: string]: string \| undefined }} */
		(req.headers);
		if (

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recently we added some fixes here to skip check for allowedHost, please add it here

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems not that straightforward. To me bigger effort is needed to incorporate changes from 03d1214. This PR uses functions defined in previous commits not available in line 4.

If it's not a problem, I would consider merging this PR and creating separate PR for task you mentioned.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kretajak let's include 03d1214 here, otherwise in some cases it will be impossible to setup a new version and we can merge

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kretajak let me know if you need help backporting that commit. I could try to add it on top of your existing PR if you don't have time to. We have at least 3 Docusaurus issues asking us to solve this security warning so happy to help and get this solved asap.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm currently trying to backport that commit. I'll inform you whether I was able to make it.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added new commit which should move us a bit closer. Seems like also changes from 6045b1e might be required as they are tightly connected to 03d1214.

@slorber feel free to continue the work.

Thanks, we'd also appreciate a backport for Docusaurus because our current minor supports Node 18.0, incompatible with dev server v5, and all newly initialized Docusaurus sites will get dev server v4.

We could bump to the latest Node 18 like Astro did recently (since it reached end of life) but if it's possible to avoid that it's better to not force our users to upgrade Node.js when upgrading a minor version (and I'd rather not release a new major version just for that security fix)

facebook/docusaurus#11252 (comment)

MrBMT mentioned this pull request

Jun 9, 2025

Hello :) Is there an ETA for the release of potentially version 4.15.3 with the changes from this PR?

The committers listed above are authorized under a signed CLA.

✅ login: sapphi-red / name: 翠 (5ba835f, ba2e692)
✅ login: alexander-akait / name: Alexander Akait (8de7782)

		hostname === "localhost" \|\|
		hostname.endsWith(".localhost") \|\|
		hostname === this.options.host
		: true;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe there is a bug in version 5 of weboack-dev-server. false is returned there, but my guess is that when validateHost is false we should bypass checking and return true here.

Above function when called: isValidHost({ host: '127.0.0.1 }, 'host', validateHost = false) return false while it should return true. I assume that is the reason so many tests of 6045b1e were changed.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kretajak it is not a bug, because 127.0.0.1 can be used for attack, you should manually set 127.0.0.1 in allowedHosts for CORS requests, i.e. you opened bad-site.com, this this site can try to connect to ws://localhost:3000 and without such headers non chromium and old chromium browsers will connect to your websockets and can take your source code (in some cases)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okey. I reverted it to false.

@kretajak Can you change your email in the last commin, CLA is failed, we can't merge commits without CLA

@pikachugb This week

I have converted it to draft as it's incomplete.

hello please when this version will be published ?

As I wrote here: #5514 (comment) backporting these extra changes is not straightforward. I would recommend dropping the last commit and merge this PR with the very first two commits, as they are essentially fixing the security issue.

that sounds good , we looking forward to get this release.

@kretajak Do you need any help with this?

That would be great, if you feel changes from 03d1214 and 6045b1e must be incorporated here.

Hi, I'm not able to continue the effort, as I do not feel confident enough to incorporate changes from 03d1214 and 6045b1e.

This was referenced

Sep 12, 2025

hi :) is there an ETA to the new 4 version release?