@docusaurus/code latest version used webpack-dev-server@4.15.2, which has Security Vulnerability

[naico-wang]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

Security Vulnerability found by Trivy:

Of course we can override the reference, but can we fix this officially?

Thanks.

Reproducible demo

No response

Steps to reproduce

1. npm ls webpack-dev-server
2. find the result

Expected behavior

Use the version which is higher than 5.2.1

Actual behavior

No functional affect, but for the security issue.

Trivy report shows the vulnerability

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Self-service

• I'd be willing to fix this bug myself.

[slorber]

We will fix it if there is a backport to dev server v4 (looks planned: webpack/webpack-dev-server#5514), otherwise it requires a breaking change since this upgrades our minimum Node.js version.

See also #11252 (comment)

[hailey-datagrail]

Hi @slorber !

Thank you for the context here and your continued work on this package. It appears the backport has stalled: webpack/webpack-dev-server#5514 (comment)

Is there a timeline you were thinking for releasing v4 of Docusaurus with this fix? We understand that this is an open source project and timelines can be tricky and malleable, so totally understand if not.

[slorber]

I changed my mind and will likely do like many others do: upgrade to Node >= 20 in a minor release.

Since Node 18 is end-of-life, many lib authors don't support it anymore. In this specific case, the project was willing to backport the security fix, but if similar problems arise in the future, we have no guarantee that security backports will be made, even for critical security issues.

For this reason, it seems reasonable to bump to Node v20+ in v3.x and ensure security for this major release line.

---

Even Node 18 itself won't receive security patches anymore:

https://nodejs.org/en/blog/announcements/node-18-eol-support

Node.js 18 and all earlier versions are End-Of-Life. They are now completely unsupported, meaning they receive no updates, including security patches.

The security implications are immediate and serious. The May 2025 security releases revealed that Node.js 20 is vulnerable to 1 low severity issue, 1 high severity issue, and 1 medium severity issue. As the security advisory notes, "End-of-Life versions are always affected when a security release occurs", meaning Node.js 18 and all earlier versions have these same vulnerabilities but will never receive patches.