You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header
The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)
cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header
The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
package.json:194 does upgrade to a patched webpack-dev-server, but this repository’s dev-server config still opts out of the new protection. Both config/webpackDevServer.config.js and webpack.config.js set allowedHosts: "all" and Access-Control-Allow-Origin: "*"; upstream 5.2.4 only adds Cross-Origin-Resource-Policy: same-origin when neither of those opt-outs is present. I verified the current local server response for /web-component.html still lacks a Cross-Origin-Resource-Policy header, so the published source-exposure issue remains effectively unmitigated for this repo’s default HTTP dev setup.
Open questions / assumptions:
Assuming the permissive cross-origin settings are intentional for embedding and local integration flows. If so, I would treat this as a follow-up security/config decision rather than a compatibility blocker for the dependency bump itself.
Change summary:
Upstream security improvements included here are real: webpack-dev-server 5.2.1 fixed GHSA-4v9v-hfq4-rm2v / CVE-2025-30359 and GHSA-9jgg-88mc-972h / CVE-2025-30360, while 5.2.4 fixed GHSA-79cf-xcqc-c78w / CVE-2026-6402 for default/non-opt-out configs. The lockfile refresh also updates transitive packages such as express (4.22.2) and qs (6.15.1), and selfsigned moves to v5, removing the older node-forge dependency from the tree.
Safety of merging looks good from a behavior and test perspective: I found no repo code that appears directly broken by the 5.1.0 -> 5.2.4 changes, yarn lint passed, and CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter passed (92/92 suites, 835/835 tests). I could not complete Cypress here because the machine did not have the Cypress binary cached and downloading it from download.cypress.io failed with an SSL/network error.
Recommendation:
Merge with caution. This looks safe to merge for compatibility, and it is still a net-positive dependency refresh, but it should not be considered a complete security fix for this repository until the dev server stops opting into wildcard cross-origin access or is run over HTTPS.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
The reason will be displayed to describe this comment to others. Learn more.
This upgrade brings in the upstream 5.2.4 fix, but this repo’s current dev-server config still opts out of it. config/webpackDevServer.config.js and webpack.config.js both set allowedHosts: "all" and Access-Control-Allow-Origin: "*", and upstream only adds Cross-Origin-Resource-Policy: same-origin when neither of those is true. A local check against /web-component.html still returned no Cross-Origin-Resource-Policy header, so GHSA-79cf-xcqc-c78w / CVE-2026-6402 is not actually closed for this project’s default HTTP dev setup.
The reason will be displayed to describe this comment to others. Learn more.
Findings
Medium: this bump does not fully activate the new 5.2.4 hardening in this repository's dev setup. Upstream webpack-dev-server now adds Cross-Origin-Resource-Policy: same-origin for the HTTP source-code theft fix (GHSA-79cf-xcqc-c78w / CVE-2026-6402), but it only does that when the server is not using allowedHosts: "all" and not sending wildcard CORS. Both webpack.config.js and config/webpackDevServer.config.js deliberately set allowedHosts: "all" plus Access-Control-Allow-Origin: "*", and in local testing curl -I http://127.0.0.1:3011/web-component.js still returned no Cross-Origin-Resource-Policy header. So this PR is still useful, but it should be treated as dependency hygiene rather than a full remediation of the latest upstream advisory for this repo.
Open Questions / Assumptions
I assumed the permissive dev-server settings are still required for the embedded/hosted local-development workflows. If that is no longer true, a follow-up should tighten allowedHosts/CORS or add a more selective CORP strategy so the 5.2.4 protection can actually take effect.
Change Summary
Security:
Upstream this version range includes fixes for GHSA-4v9v-hfq4-rm2v / CVE-2025-30359 (source-code theft via malicious site, patched in 5.2.1) and GHSA-79cf-xcqc-c78w / CVE-2026-6402 (HTTP-origin source-code exposure, patched in 5.2.4).
The lockfile also picks up some favorable transitive movement: express4.21.1 -> 4.22.2, http-proxy-middleware2.0.7 -> 2.0.9, and selfsigned2.4.1 -> 5.5.0 which removes the old node-forge dependency.
Residual risk: webpack-dev-server still depends on ws@^8.18.0, so the newer ws advisory GHSA-58qx-3vcg-4xpx is not resolved by this PR. That range was already present in 5.1.0, so it is not newly introduced here.
Safety of merging:
I did not find direct API usage of webpack-dev-server in this repo beyond webpack serve and static config, so the 5.2.x additive API work (getClientEntry / getClientHotEntry) does not affect this codebase.
The main upstream behavioural changes in 5.2.1 are stricter cross-origin / WebSocket checks, but this repo already opts into permissive settings (allowedHosts: "all", wildcard CORS), so those changes are unlikely to break local development here.
yarn exec cypress run: could not run in this environment because the Cypress 14.5.4 desktop binary is not installed in the agent cache (/home/ubuntu/.cache/Cypress/14.5.4/Cypress)
Recommendation
Merge with caution. I do not see a compatibility regression from the version bump itself, and the local lint/Jest/dev-server checks were good. The caution is that the repo's current dev-server configuration still opts out of the new CORP-based protection, so merging this PR does not by itself eliminate the latest webpack-dev-server exposure for local HTTP dev sessions.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
The reason will be displayed to describe this comment to others. Learn more.
Worth noting for the security assessment: webpack-dev-server5.2.4 only emits the new Cross-Origin-Resource-Policy: same-origin protection when allowedHosts !== "all" and wildcard CORS is not enabled. This repo's webpack.config.js and config/webpackDevServer.config.js deliberately use allowedHosts: "all" plus Access-Control-Allow-Origin: "*", and in local testing curl -I http://127.0.0.1:3011/web-component.js still returned no CORP header. So the bump is still low-risk and worth taking, but it doesn't fully remediate GHSA-79cf-xcqc-c78w for this repo's current dev-server configuration.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bumps webpack-dev-server from 5.1.0 to 5.2.4.
Release notes
Sourced from webpack-dev-server's releases.
... (truncated)
Changelog
Sourced from webpack-dev-server's changelog.
... (truncated)
Commits
fd40130chore(release): 5.2.4ece4f36chore: update deps (#5661)a216144ci: fix test (#5658)df073c5Merge commit from forkb550a70chore(release): 5.2.39704dc5chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)92bf644chore: bump express to update qs (#5621)792b2f0chore(deps-dev): bump the dependencies group with 4 updates (#5606)6d587cachore(deps): bump the dependencies group across 1 directory with 27 updates (...f91baa8fix(overlay): add ESC key to dismiss overlay (#5598)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.