This version is covered by your current version range and after updating it in your project the build failed.
As webpack-dev-server is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.
I recommend you give this issue a high priority. I’m sure you can resolve this :muscle:
Status Details
- ❌ **continuous-integration/travis-ci/push** The Travis CI build failed [Details](https://travis-ci.org/Khaledgarbaya/virtual-scroll/builds/224638533)
Release Notesv2.4.3
Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.
The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.
The response will contain a note when using an incorrect Host header.
For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.
Not sure how things should work exactly?
There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html) and of course you may always [ask my humans](https://github.com/greenkeeperio/greenkeeper/issues/new).
Version 2.4.3 of webpack-dev-server just got published.
This version is covered by your current version range and after updating it in your project the build failed.
As webpack-dev-server is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.
I recommend you give this issue a high priority. I’m sure you can resolve this :muscle:
Status Details
- ❌ **continuous-integration/travis-ci/push** The Travis CI build failed [Details](https://travis-ci.org/Khaledgarbaya/virtual-scroll/builds/224638533)Release Notes
v2.4.3Security fix:
This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct
Host
header to the webpack-dev-server.This allowed evil websites to access your assets.
The
Host
header of the request have to match the listening adress or the host provided in thepublic
option.Make sure to provide correct values here.
The response will contain a note when using an incorrect
Host
header.For usage behind a Proxy or similar setups we also added a
disableHostCheck
option to disable this check.Only use it when you know what you do. Not recommended.
This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2
Note: This only affect the development server and middleware. webpack and built bundles are not affected.
Bugfixes:
Host
doesn't match listening host orpublic
option.localhost
or127.0.0.1
are not blocked.Features:
disableHostCheck
option to disable the host checkCommits
The new version differs by 4 commits0.
ca93284
2.4.3
f3a4ac6
Merge branch 'security/host-check'
8db5fd5
Require a secure webpack-dev-middleware version
2957853
enable Host header check for all requests and sockets
false
See the full diff
Not sure how things should work exactly?
There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html) and of course you may always [ask my humans](https://github.com/greenkeeperio/greenkeeper/issues/new).Your Greenkeeper Bot :palm_tree: