This version contains a security fix, which is also a breaking change if you have an insecure configuration.
We are releasing this breaking change as a patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.
We added a check for the correct Host header to the webpack-dev-server.
Without this check, evil websites were able to access your assets.
The Host header of the request has to match the listening address or the host provided in the `public` option.
Make sure to provide correct values here.
The response will contain a note when using an incorrect Host header.
For usage behind a proxy or similar setups we also added a `disableHostCheck` option to disable this check.
Only use it when you know what you are doing. Not recommended.
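The Host header rule described in the release note above, written out as an added JavaScript example; this is not webpack-dev-server's own code. A request is admitted only when the hostname in its Host header equals the address the server listens on or the host named in `public`, unless `disableHostCheck` is set. The `listenHost` option name, the shape of the returned object and the sample hostnames are assumptions made for this example.

```javascript
// Added illustrative example modelled on the rule in the release note above.
// NOT webpack-dev-server's code. `listenHost` and the returned object shape
// are assumptions; only `public` and `disableHostCheck` come from the note.

// Extract the hostname from a Host header value, dropping any port.
// Handles "example.com", "example.com:8080", "[::1]:8080" and "[::1]".
// Returns null for a missing or malformed header so the caller rejects it.
function hostnameFromHeader(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const value = hostHeader.trim().toLowerCase();
  if (value.startsWith('[')) {
    // Bracketed IPv6 literal, optionally followed by ":port".
    const close = value.indexOf(']');
    if (close === -1) return null;
    return value.slice(1, close);
  }
  const colon = value.indexOf(':');
  return colon === -1 ? value : value.slice(0, colon);
}

// Decide whether a request carrying this Host header may be served.
//   opts.listenHost       - address the dev server listens on (assumed name)
//   opts.public           - the `public` option, a host with optional port
//   opts.disableHostCheck - escape hatch for proxy setups; skips the check
function checkHost(hostHeader, opts) {
  if (opts.disableHostCheck) {
    return { allowed: true, reason: 'host check disabled' };
  }

  const requested = hostnameFromHeader(hostHeader);
  if (requested === null) {
    return { allowed: false, reason: 'missing or malformed Host header' };
  }

  // Build the set of hostnames the note says are acceptable.
  const permitted = new Set();
  if (opts.listenHost) permitted.add(String(opts.listenHost).toLowerCase());
  if (opts.public) {
    const pub = hostnameFromHeader(opts.public);
    if (pub !== null) permitted.add(pub);
  }

  if (permitted.has(requested)) {
    return { allowed: true, reason: 'Host matches ' + requested };
  }
  // The real server answers such requests with a note; here we just refuse.
  return { allowed: false, reason: 'Invalid Host header: ' + requested };
}

// Constructed sample configuration and requests (not captured traffic).
function demo() {
  const opts = { listenHost: '127.0.0.1', public: 'dev.example.test:8080' };
  return [
    checkHost('127.0.0.1:8080', opts),    // allowed: listening address
    checkHost('dev.example.test', opts),  // allowed: public host
    checkHost('attacker.example', opts),  // refused: foreign hostname
  ];
}
```

Listening on a wildcard address such as 0.0.0.0 means the Host header can never equal the listening address, so under this rule only the `public` host can admit a request; that is the value the note tells you to get right. Setting `disableHostCheck` removes the protection entirely, so if you need it behind a reverse proxy, have the proxy enforce the hostname instead.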
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/twobin/react-lazyload/network/alerts).
Bumps debug to 2.6.9 and updates ancestor dependencies debug, karma, mocha and webpack-dev-server. These dependencies need to be updated together.
Updates `debug` from 2.2.0 to 2.6.9
Release notes
Sourced from debug's releases.
... (truncated)
Changelog
Sourced from debug's changelog.
... (truncated)
Commits
- 13abeae Release 2.6.9
- f53962e remove ReDoS regexp in %o formatter (#504)
- 52e1f21 Release 2.6.8
- 2482e08 Check for undefined on browser globals (#462)
- 6bb07f7 release 2.6.7
- 15850cb Fix Regular Expression Denial of Service (ReDoS)
- 4a6c85c update "debug" to v1.0.0 (#454)
- b68dbf8 Fix typo (#455)
- 1351d2f Inline extend function in node implementation (#452)
- c211947 update version for component

Updates `karma` from 0.13.22 to 6.4.1
Release notes
Sourced from karma's releases.
... (truncated)
Changelog
Sourced from karma's changelog.
... (truncated)
Commits
- 0013121 chore(release): 6.4.1 [skip ci]
- 63d86be fix: pass integrity value
- 84f7cc3 chore(release): 6.4.0 [skip ci]
- f2d0663 docs: add integrity parameter
- dc51a2e feat: support SRI verification of link tags
- 6a54b1c feat: support SRI verification of script tags
- 5e71cf5 chore(release): 6.3.20 [skip ci]
- e17698f fix: prefer IPv4 addresses when resolving domains
- 60f4f79 build: add Node 16 and 18 to the CI matrix
- 6ff5aaf chore(release): 6.3.19 [skip ci]

Updates `mocha` from 2.5.3 to 10.2.0
Release notes
Sourced from mocha's releases.
... (truncated)
Changelog
Sourced from mocha's changelog.
... (truncated)
Commits
- 202e9b8 build(v10.2.0): release
- 6782d6d build(v10.2.0): update CHANGELOG
- 73bb819 feat(esm): ability to decorate ESM module name before importing it (#4945)
- fc4ac58 chore(devDeps): remove unused depedencies (#4949)
- 0a10ddc docs: remove duplicated header (#4944)
- b0a0fb8 fix(browser): failed test icon color (#4946)
- 3cc9cac ci: update stale action (#4931)
- 8f3c37b chore(ci): workaround for firefox error (#4933)
- 5f96d51 build(v10.1.0): release
- ed74f16 build(v10.1.0): update CHANGELOG
Maintainer changes
This version was pushed to npm by juergba, a new releaser for mocha since your current version.

Updates `webpack-dev-server` from 1.10.1 to 1.16.5
Release notes
Sourced from webpack-dev-server's releases.
Commits
- cc67bff 1.16.5
- e7b5b51 Use idxPublic when extracting hostname from publicHost
- 168e783 fix usage of ES5 features
- da20bc2 1.16.4
- 762a509 Merge branch 'security/host-check-webpack-1' into webpack-1
- eb5eaab Require a secure webpack-dev-middleware version
- 02ec65b enable Host header check for all requests and sockets
- 59348b2 1.16.3
- fb31442 fix linting errors
- 700b19d Now accepting config as Promise. (Fixes #419) (#698)