Hello lovely humans,
webpack-dev-server just published its new version 2.4.3.
This version is not covered by your current version range.
Without accepting this pull request your project will work just like it did before. There might be a bunch of new features, fixes and perf improvements that the maintainers worked on for you though.
I recommend you look into these changes and try to get onto the latest version of webpack-dev-server. Given that you have a decent test suite, a passing build is a strong indicator that you can take advantage of these changes by merging the proposed change into your project. Otherwise this branch is a great starting point for you to work on the update.
Do you have any ideas how I could improve these pull requests? Did I report anything you think isn’t right? Are you unsure about how things are supposed to work?
There is a collection of frequently asked questions and while I’m just a bot, there is a group of people who are happy to teach me new things. Let them know.
Good luck with your project :sparkles:
You rock!
:palm_tree:
GitHub Release
Security fix:
This version contains a security fix, which is also a breaking change if you have an insecure configuration.
We are releasing this breaking change as a patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct `Host` header to the webpack-dev-server. This allowed evil websites to access your assets.
The `Host` header of the request has to match the listening address or the host provided in the `public` option. Make sure to provide correct values here.
The response will contain a note when using an incorrect `Host` header.
For usage behind a Proxy or similar setups we also added a `disableHostCheck` option to disable this check. Only use it when you know what you are doing. Not recommended.
Bugfixes:
Requests are not blocked when `Host` doesn't match listening host or `public` option.
Requests to `localhost` or `127.0.0.1` are not blocked.
Features:
Added `disableHostCheck` option to disable the host check
The new version differs by 282 commits.
ca93284 2.4.3
f3a4ac6 Merge branch 'security/host-check'
8db5fd5 Require a secure webpack-dev-middleware version
2957853 enable Host header check for all requests and sockets
60e4727 2.4.2
32adae3 Added beforeunload check to index.js (#544) (#841)
d69559a Handle external upgrade for all websocket proxies (#843)
35a44d1 Remove Node.js v7 warning
d2f579c Support for array of contentBase (#832)
aabeeaa Remove unnecessary logging of closing the dev-server
1dc9461 Fix to share proxy option between proxy settings when the proxy option is a same object (#836)
42cd23c Explicitly but gracefully handle SIGINT and SIGTERM signals. (#787)
85de417 Use arrow function if it is possible and get rid of .bind in server part (#835)
234294a Add unit tests for proxy options (#834)
8d4b826 add codecov
There are 250 commits in total. See the full diff.
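The Host header rule from the release notes above, sketched as an added example; it is not webpack-dev-server's own code and not part of the original pull request. The option names `host`, `public` and `disableHostCheck` follow the release notes, while the function names and the sample hostnames are assumptions made for illustration.

```javascript
// Added illustration; not webpack-dev-server's source. Function names and
// sample values are hypothetical.

// Extract the lowercase hostname from a Host header value, dropping any port.
function hostnameOf(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0) return null;
  const value = hostHeader.trim().toLowerCase();
  if (value.startsWith("[")) {
    // Bracketed IPv6 literal, e.g. "[::1]:8080".
    const end = value.indexOf("]");
    return end === -1 ? null : value.slice(1, end);
  }
  const colon = value.lastIndexOf(":");
  return colon === -1 ? value : value.slice(0, colon);
}

// Decide whether a request's Host header is acceptable.
function isHostAllowed(hostHeader, options) {
  if (options.disableHostCheck) return true; // check switched off entirely
  const hostname = hostnameOf(hostHeader);
  if (!hostname) return false; // missing or malformed header
  // Loopback names are always accepted, as the release notes state.
  if (hostname === "localhost" || hostname === "127.0.0.1") return true;
  // The configured listening host.
  if (options.host && hostname === options.host.toLowerCase()) return true;
  // The public option, which may carry a port ("dev.example.test:8080").
  if (options.public && hostname === hostnameOf(options.public)) return true;
  return false;
}

// Constructed sample: a dev server listening on 192.168.1.10 with `public` set.
const sampleOptions = { host: "192.168.1.10", public: "dev.example.test:8080" };
const sampleHosts = [
  "localhost:8080",        // loopback name
  "192.168.1.10:8080",     // listening address
  "dev.example.test:8080", // matches the public option
  "other.example:8080",    // unrelated name pointing at the server
  undefined,               // request without a Host header
];

// Returns one allow/deny decision per sample Host value.
function checkSamples() {
  return sampleHosts.map((h) => isHostAllowed(h, sampleOptions));
}
```

With `disableHostCheck: true` every value passes, including the unrelated name, which is why the release notes call that option not recommended.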