Bump braces, webpack, mini-css-extract-plugin, webpack-cli and webpack-dev-server

[dependabot]

Bumps braces to 3.0.3 and updates ancestor dependencies braces, webpack, mini-css-extract-plugin, webpack-cli and webpack-dev-server. These dependencies need to be updated together.

Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

• Changelogs are for humans, not machines.
• There should be an entry for every single version.
• The same types of changes should be grouped.
• Versions and sections should be linkable.
• The latest version comes first.
• The release date of each versions is displayed.
• Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

• Added for new features.
• Changed for changes in existing functionality.
• Deprecated for soon-to-be removed features.
• Removed for now removed features.
• Fixed for any bug fixes.
• Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

• The undocumented .makeRe method was removed
• Require Node.js >= 8.3

Non-breaking changes

• Caching was removed

Commits

• See full diff in compare view

Updates webpack from 4.47.0 to 5.103.0

Release notes

Sourced from webpack's releases.

v5.103.0

Features

• Added DotenvPlugin and top level dotenv option to enable this plugin
• Added WebpackManifestPlugin
• Added support the ignoreList option in devtool plugins
• Allow to use custom javascript parse function
• Added import.meta.env support for environment variables
• Added support for import.meta.dirname and import.meta.filename
• Added support import.defer() for statistical path
• Handle import.meta.main
• Added suport to setup named exports for JSON modules and disable usage named export for import file from "./file.json" with { type: "json" }
• Added support __dirname/__filename/import.meta.dirname/import.meta.filename for universal target
• [CSS] Added the exportType option with link (by default), "text" and css-style-sheet values
• [CSS] Added support for composes properties

Fixes

• The dependOn chunk must be loaded before the common chunk
• Return to namespace import when the external request includes a specific export
• No runtime extra runtime code for module libraries
• Delay HMR accept dependencies to preserve import attributes
• Properly handle external presets for universal target
• Fixed incorrect identifier of import binding for module externals
• Fixed when defer import and dynamic default export mixed
• Reduce generated output when globalThis supported
• Fixed loading async modules in defer import
• Reexport module for default import when no used exports for systemjs library
• Rename HarmonyExportDependencyParserPlugin exported id to CompatibilityPlugin tagged id
• Handle __dirname and __filename for ES modules
• Rename single nested __webpack_export__ and __webpack_require__ in already bundled code
• [Types] webpack function type
• [Types] NormalModule type
• [Types] Multi compiler configuration type
• [Types] Fixed regression in custom hashDigest type
• [CSS] No extra runtime for initial chunk
• [CSS] Fixed a lot of CSS modules bugs

v5.102.1

Fixes

• Supported extends with env for browserslist
• Supported JSONP fragment format for web workers.
• Fixed dynamic import support in workers using browserslist.
• Fixed default defer import mangling.
• Fixed default import of commonjs externals for SystemJS format.
• Fixed context modules to the same file with different import attributes.
• Fixed typescript types.
• Improved import.meta warning messages to be more clear when used directly.
• [CSS] Fixed CC_UPPER_U parsing (E -> U) in tokenizer.

... (truncated)

Commits

• e021948 chore(release): 5.103.0
• 1dc6967 chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#20130)
• 077417f fix(css): many css modules bugs (#20129)
• 7722518 chore: fix script (#20128)
• 688a7f9 test: no runtime requirements for module library (#20127)
• 04fe5a1 refactor: pkg.pr.new publish (#20093)
• 27c05c7 fix: return to namespace import when the external request includes a specific...
• 067cc60 refactor: no runtime requirements for module library (#20096)
• d4208ba fix: delay HMR accept dependencies to preserve import attributes (#20124)
• 102e1a4 feat(css): added css-style-sheet to exportType for CSSStyleSheet return (#20104)
• Additional commits viewable in compare view

Updates mini-css-extract-plugin from 0.9.0 to 2.9.4

Release notes

Sourced from mini-css-extract-plugin's releases.

v2.9.4

2.9.4 (2025-08-11)

Bug Fixes

• hmr crash in some situations (#1140) (f67c05a)

v2.9.3

2.9.3 (2025-08-04)

Bug Fixes

• should update initial chunks correctly with filename (dab023f)

v2.9.2

2.9.2 (2024-11-01)

Bug Fixes

• prefetch and preload runtime generation (#1116) (58c6b74)

v2.9.1

2.9.1 (2024-08-19)

Bug Fixes

• add export default {} when CSS modules enabled and a file is empty for the defaultExport option (8f77e19)

v2.9.0

2.9.0 (2024-04-16)

Features

• add support for link preload/prefetch (#1043) (ee25e51)
• added the defaultExport option to generate default and named export together (#1084) (74ae781)

Bug Fixes

• avoid reloading all csses when hot load (#1090) (1a56673)

v2.8.1

2.8.1 (2024-02-27)

... (truncated)

Changelog

Sourced from mini-css-extract-plugin's changelog.

2.9.4 (2025-08-11)

Bug Fixes

• hmr crash in some situations (#1140) (f67c05a)

2.9.3 (2025-08-04)

Bug Fixes

• should update initial chunks correctly with filename (dab023f)

2.9.2 (2024-11-01)

Bug Fixes

• prefetch and preload runtime generation (#1116) (58c6b74)

2.9.1 (2024-08-19)

Bug Fixes

• add export default {} when CSS modules enabled and a file is empty for the defaultExport option (8f77e19)

2.9.0 (2024-04-16)

Features

• add support for link preload/prefetch (#1043) (ee25e51)
• added the defaultExport option to generate default and named export together (#1084) (74ae781)

Bug Fixes

• avoid reloading all csses when hot load (#1090) (1a56673)

2.8.1 (2024-02-27)

Bug Fixes

• add nonce if __webpack_nonce__ has been defined (c7f0aee)

2.8.0 (2024-02-01)

... (truncated)

Commits

• 29df465 chore(release): 2.9.4
• f67c05a fix: hmr crash in some situations (#1140)
• ba231e2 chore(deps-dev): bump webpack-dev-server from 4.15.2 to 5.2.1 (#1138)
• 82355f8 chore: eslint migration (#1137)
• e07dd41 chore(release): 2.9.3
• 2d3f477 ci: add Node.js 24 (#1136)
• 9642a3a chore(deps): update (#1135)
• dab023f fix: should update initial chunks correctly with filename
• 6351aa3 docs: fix typos and improve clarity in contribution guidelines (#1127)
• 554277b docs: fix typos and improve clarity in README.md (#1128)
• Additional commits viewable in compare view

Updates webpack-cli from 3.3.12 to 6.0.1

Release notes

Sourced from webpack-cli's releases.

v6.0.1

6.0.1 (2024-12-20)

Bug Fixes

• update peer dependencies (#4356) (7a7e5d9)

v6.0.0

6.0.0 (2024-12-19)

BREAKING CHANGES

• the minimum required Node.js version is 18.12.0
• removed init, loader and plugin commands in favor create-webpack-app
• dropped support for webpack-dev-server@v4
• minimum supported webpack version is 5.82.0
• The --define-process-env-node-env option was renamed to --config-node-env

Bug Fixes

• allow to require webpack.config.js in ESM format (#4346) (5106684)
• correct the minimum help output (#4057) (c727c4f)
• gracefully shutting down (#4145) (90720e2)
• improve help output for possible values (#4316) (4cd5aef)
• no serve when dev-server is false (#2947) (a93e860)

Features

• output pnpm version with info/version command (#3906) (38f3c6f)

v5.1.4

5.1.4 (2023-06-07)

Bug Fixes

• multi compiler progress output (f659624)

v5.1.3

5.1.3 (2023-06-04)

Bug Fixes

• regression for custom configurations (#3834) (bb4f8eb)

v5.1.2

5.1.2 (2023-06-04)

Bug Fixes

• improve check for custom webpack and webpack-dev-server package existance (0931ab6)

... (truncated)

Changelog

Sourced from webpack-cli's changelog.

6.0.1 (2024-12-20)

Bug Fixes

• update peer dependencies (#4356) (7a7e5d9)

6.0.0 (2024-12-19)

BREAKING CHANGES

• the minimum required Node.js version is 18.12.0
• removed init, loader and plugin commands in favor create-webpack-app
• dropped support for webpack-dev-server@v4
• minimum supported webpack version is 5.82.0
• The --define-process-env-node-env option was renamed to --config-node-env

Bug Fixes

• allow to require webpack.config.js in ESM format (#4346) (5106684)
• correct the minimum help output (#4057) (c727c4f)
• gracefully shutting down (#4145) (90720e2)
• improve help output for possible values (#4316) (4cd5aef)
• no serve when dev-server is false (#2947) (a93e860)

Features

• output pnpm version with info/version command (#3906) (38f3c6f)

5.1.4 (2023-06-07)

Bug Fixes

• multi compiler progress output (f659624)

5.1.3 (2023-06-04)

Bug Fixes

• regression for custom configurations (#3834) (bb4f8eb)

5.1.2 (2023-06-04)

Bug Fixes

• improve check for custom webpack and webpack-dev-server package existance (0931ab6)
• improve help for some flags (f468614)
• improved support for .cts and .mts extensions (a77daf2)

5.1.1 (2023-05-09)

... (truncated)

Commits

• 480b33d chore(release): publish new version
• 7a5071b test: fix
• 8326501 fix: better default values
• eab2f39 fix: less dependencies
• 2db1195 refactor: code
• fca8c00 fix: logging
• 09c7cd7 fix: reduce package size, avoid *.d.ts
• 7a7e5d9 fix: update peer dependencies (#4356)
• 5405aed chore(deps-dev): bump readable-stream in the dependencies group (#4355)
• 270fdc2 chore(release): create-webpack-app
• Additional commits viewable in compare view

Updates webpack-dev-server from 3.11.3 to 5.2.2

Release notes

Sourced from webpack-dev-server's releases.

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

• "Overlay enabled" false positive (18e72ee)
• do not crush when error is null for runtime errors (#5447) (309991f)
• remove unnecessary header X_TEST (#5451) (64a6124)
• respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.2 (2025-06-03)

Bug Fixes

• "Overlay enabled" false positive (18e72ee)
• do not crush when error is null for runtime errors (#5447) (309991f)
• remove unnecessary header X_TEST (#5451) (64a6124)
• respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#5269) (c3b532c)

... (truncated)

Commits

• 195a7e6 chore(release): 5.2.2
• 620bef1 chore(deps): update (#5511)
• 03d1214 fix: respect the allowedHosts option for cross-origin header check (#5510)
• 5ba862e chore(deps-dev): bump the dependencies group across 1 directory with 7 update...
• f7fec94 chore: fix typo (#5508)
• 6ee8cd0 ci: add Node.js v24 (#5492)
• d30f963 chore: update http-proxy-middleware to ^2.0.9 (#5503)
• 66cf033 chore(deps-dev): bump the dependencies group with 2 updates (#5504)
• 4367a5c refactor: use 'String#startsWith' & replace if-then-else (#5501)
• 8e6604f chore(deps): bump the dependencies group across 1 directory with 4 updates (#...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.