Versions of webpack-dev-server before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.
### Recommendation
For webpack-dev-server update to version 3.1.11 or later.
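The check the 3.1.11 release adds ("check origin header for websocket connection") comes down to one decision made during the WebSocket handshake: does the `Origin` header name a host the dev server trusts? The following is an added example, not webpack-dev-server's own code, showing that decision as a pure function that can be applied to Node's `'upgrade'` request object. The `DEV_SERVER` object, its host list and the two sample handshakes are constructed for the example; the `allowedHosts` name mirrors the option webpack-dev-server exposes, but the matching rules here are this example's own.

```javascript
// Added example (not webpack-dev-server's own code): Origin check for a
// WebSocket/HMR handshake, the kind of check missing before 3.1.10.
//
// A browser attaches an Origin header to every WebSocket handshake it makes,
// so without this check any page the developer has open could connect to the
// HMR socket on localhost and read what it delivers.

// Hosts the dev server treats as its own. Constructed for the example; a
// leading dot means "this domain and every subdomain".
const DEV_SERVER = {
  host: 'localhost',
  port: 8080,
  allowedHosts: ['localhost', '127.0.0.1', '.dev.example.test'],
};

// True when `hostname` matches an allow-list entry (case-insensitive).
function hostAllowed(hostname, allowedHosts) {
  const name = hostname.toLowerCase();
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith('.')) {
      return name === e.slice(1) || name.endsWith(e);
    }
    return name === e;
  });
}

// Decide whether a handshake carrying `originHeader` may proceed.
// Returns { ok, reason } so a rejection can be logged with its cause.
// The port is deliberately not compared: the allow list is host-based, the
// same shape as an allowedHosts option.
function checkOrigin(originHeader, server = DEV_SERVER) {
  // Browsers always send Origin on a WebSocket handshake, so a missing header
  // or the literal "null" origin (sandboxed iframe, file://) is rejected.
  if (typeof originHeader !== 'string' || originHeader === '' || originHeader === 'null') {
    return { ok: false, reason: 'missing or null Origin' };
  }
  let url;
  try {
    url = new URL(originHeader);
  } catch (err) {
    return { ok: false, reason: 'unparseable Origin' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `unexpected scheme ${url.protocol}` };
  }
  if (!hostAllowed(url.hostname, server.allowedHosts)) {
    return { ok: false, reason: `host ${url.hostname} not allowed` };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Apply the check to an HTTP upgrade request, i.e. the object Node's http
// server passes to an 'upgrade' listener. Only req.headers is consulted.
function acceptUpgrade(req, server = DEV_SERVER) {
  return checkOrigin(req.headers.origin, server);
}

// Constructed handshakes: one from the developer's own page, one from a page
// served by an unrelated site. Before the fix both were accepted.
const ownPage = { headers: { origin: 'http://localhost:8080', upgrade: 'websocket' } };
const otherPage = { headers: { origin: 'http://other-site.example', upgrade: 'websocket' } };

console.log(acceptUpgrade(ownPage));   // { ok: true, reason: 'origin allowed' }
console.log(acceptUpgrade(otherPage)); // { ok: false, reason: 'host other-site.example not allowed' }
```

In a real server the `{ ok: false }` branch should end the socket with an HTTP 403 response before any upgrade is completed, and the rejected origin is worth logging: a steady stream of rejections from one unexpected host is the signal that some page is probing the HMR socket.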
### Release Notes
webpack/webpack-dev-server (webpack-dev-server)
### [`v3.1.11`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#3111-2018-12-21)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.10...v3.1.11)
##### Bug Fixes
- **bin/options:** correct check for color support (`options.color`) ([#1555](https://redirect.github.com/webpack/webpack-dev-server/issues/1555)) ([55398b5](https://redirect.github.com/webpack/webpack-dev-server/commit/55398b5))
- **package:** update `spdy` v3.4.1...4.0.0 (assertion error) ([#1491](https://redirect.github.com/webpack/webpack-dev-server/issues/1491)) ([#1563](https://redirect.github.com/webpack/webpack-dev-server/issues/1563)) ([7a3a257](https://redirect.github.com/webpack/webpack-dev-server/commit/7a3a257))
- **Server:** correct `node` version checks ([#1543](https://redirect.github.com/webpack/webpack-dev-server/issues/1543)) ([927a2b3](https://redirect.github.com/webpack/webpack-dev-server/commit/927a2b3))
- **Server:** mime type for wasm in contentBase directory ([#1575](https://redirect.github.com/webpack/webpack-dev-server/issues/1575)) ([#1580](https://redirect.github.com/webpack/webpack-dev-server/issues/1580)) ([fadae5d](https://redirect.github.com/webpack/webpack-dev-server/commit/fadae5d))
- add url for compatibility with webpack@5 ([#1598](https://redirect.github.com/webpack/webpack-dev-server/issues/1598)) ([#1599](https://redirect.github.com/webpack/webpack-dev-server/issues/1599)) ([68dd49a](https://redirect.github.com/webpack/webpack-dev-server/commit/68dd49a))
- check origin header for websocket connection ([#1603](https://redirect.github.com/webpack/webpack-dev-server/issues/1603)) ([b3217ca](https://redirect.github.com/webpack/webpack-dev-server/commit/b3217ca))
### [`v3.1.10`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#3110-2018-10-23)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.9...v3.1.10)
##### Bug Fixes
- **options:** add `writeToDisk` option to schema ([#1520](https://redirect.github.com/webpack/webpack-dev-server/issues/1520)) ([d2f4902](https://redirect.github.com/webpack/webpack-dev-server/commit/d2f4902))
- **package:** update `sockjs-client` v1.1.5...1.3.0 (`url-parse` vulnerability) ([#1537](https://redirect.github.com/webpack/webpack-dev-server/issues/1537)) ([e719959](https://redirect.github.com/webpack/webpack-dev-server/commit/e719959))
- **Server:** set `tls.DEFAULT_ECDH_CURVE` to `'auto'` ([#1531](https://redirect.github.com/webpack/webpack-dev-server/issues/1531)) ([c12def3](https://redirect.github.com/webpack/webpack-dev-server/commit/c12def3))
### [`v3.1.9`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#319-2018-09-24)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.8...v3.1.9)
#### [3.1.9](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.8...v3.1.9) (2018-09-24)
### [`v3.1.8`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#318-2018-09-06)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.7...v3.1.8)
##### Bug Fixes
- **package:** `yargs` security vulnerability (`dependencies`) ([#1492](https://redirect.github.com/webpack/webpack-dev-server/issues/1492)) ([8fb67c9](https://redirect.github.com/webpack/webpack-dev-server/commit/8fb67c9))
- **utils/createLogger:** ensure `quiet` always takes precedence (`options.quiet`) ([#1486](https://redirect.github.com/webpack/webpack-dev-server/issues/1486)) ([7a6ca47](https://redirect.github.com/webpack/webpack-dev-server/commit/7a6ca47))
### [`v3.1.7`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#317-2018-08-29)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.6...v3.1.7)
##### Bug Fixes
- **Server:** don't use `spdy` on `node >= v10.0.0` ([#1451](https://redirect.github.com/webpack/webpack-dev-server/issues/1451)) ([8ab9eb6](https://redirect.github.com/webpack/webpack-dev-server/commit/8ab9eb6))
### [`v3.1.6`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#316-2018-08-26)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.5...v3.1.6)
##### Bug Fixes
- **bin:** handle `process` signals correctly when the server isn't ready yet ([#1432](https://redirect.github.com/webpack/webpack-dev-server/issues/1432)) ([334c3a5](https://redirect.github.com/webpack/webpack-dev-server/commit/334c3a5))
- **examples/cli:** correct template path in `open-page` example ([#1401](https://redirect.github.com/webpack/webpack-dev-server/issues/1401)) ([df30727](https://redirect.github.com/webpack/webpack-dev-server/commit/df30727))
- **schema:** allow the `output` filename to be a `{Function}` ([#1409](https://redirect.github.com/webpack/webpack-dev-server/issues/1409)) ([e2220c4](https://redirect.github.com/webpack/webpack-dev-server/commit/e2220c4))
### [`v3.1.5`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.1.5)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.4...v3.1.5)
- Send the `Progress` event in the client so plugins can use it ([#1427](https://redirect.github.com/webpack/webpack-dev-server/issues/1427))
- Update `sockjs-client` to fix infinite reconnection loop ([#1434](https://redirect.github.com/webpack/webpack-dev-server/issues/1434))
### [`v3.1.4`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.1.4)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.3...v3.1.4)
- Update to webpack-dev-middleware 3.1.3, which should fix paths with a space not working on Windows ([#1392](https://redirect.github.com/webpack/webpack-dev-server/issues/1392))
- Fix `logLevel` option `silent` not being accepted by schema validation ([#1372](https://redirect.github.com/webpack/webpack-dev-server/issues/1372))
### [`v3.1.3`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.1.3)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.2...v3.1.3)
- Fix HMR causing a crash when trying to reload
### [`v3.1.2`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.1.2)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.1...v3.1.2)
- Speed up incremental builds ([#1362](https://redirect.github.com/webpack/webpack-dev-server/issues/1362))
- Update webpack-dev-middleware to 3.1.2
### [`v3.1.1`](https://redirect.github.com/webpack/webpack-dev-server/blob/HEAD/CHANGELOG.md#3114-2018-12-24)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.1.0...v3.1.1)
##### Bug Fixes
- add workaround for Origin header in sockjs ([#1608](https://redirect.github.com/webpack/webpack-dev-server/issues/1608)) ([1dfd4fb](https://redirect.github.com/webpack/webpack-dev-server/commit/1dfd4fb))
### [`v3.1.0`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.1.0)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/v3.0.0...v3.1.0)
#### Updates
- Fancy logging; `webpack-log` is now used for logging to the terminal (webpack-dev-middleware was already using this).
- The `logLevel` option is added for more fine-grained control over the logging.
#### Bugfixes
- MultiCompiler was broken with webpack 4.
- Fix deprecation warnings caused by webpack 4. Note that you will still see some deprecation warnings because webpack-dev-middleware has not been updated yet.
### [`v3.0.0`](https://redirect.github.com/webpack/webpack-dev-server/releases/tag/v3.0.0)
[Compare Source](https://redirect.github.com/webpack/webpack-dev-server/compare/5807c7462f6dd15cade9c74216f2e829c2653351...v3.0.0)
#### Updates
- **Breaking change:** webpack v4 is now supported. Older versions of webpack are **not** supported.
- **Breaking change:** drops support for Node.js v4, going forward we only support v6+ (same as webpack).
- webpack-dev-middleware updated to v2 ([see changes](https://redirect.github.com/webpack/webpack-dev-middleware/releases)).
#### Bugfixes
- After starting webpack-dev-server with an error in your code, it would not reload the page after fixing that error ([#1317](https://redirect.github.com/webpack/webpack-dev-server/issues/1317)).
- DynamicEntryPlugin is now supported correctly ([#1319](https://redirect.github.com/webpack/webpack-dev-server/issues/1319)).
Huge thanks to all the contributors!
Please note that [webpack-serve](https://redirect.github.com/webpack-contrib/webpack-serve) will eventually be the successor of webpack-dev-server. The core features already work so if you're brave enough give it a try!
### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: webpack-dev-server `2.11.5` -> `3.1.11` (GitHub Vulnerability Alerts: CVE-2018-14732).
This PR was generated by Mend Renovate.