Update dependency webpack-dev-server to v5.2.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
webpack-dev-server	5.2.3 → 5.2.4

---

webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

CVE-2026-6402 / GHSA-79cf-xcqc-c78w

More information

Details

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).

Resources

• GHSA-4v9v-hfq4-rm2v (CVE-2025-30359) - original vulnerability
• GHSA-9jgg-88mc-972h (CVE-2025-30360) - prior bypass

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-79cf-xcqc-c78w
• https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-9jgg-88mc-972h
• https://nvd.nist.gov/vuln/detail/CVE-2026-6402
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-79cf-xcqc-c78w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

webpack/webpack-dev-server (webpack-dev-server)

v5.2.4

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Post-upgrade command 'npm ci --ignore-scripts' has not been added to the allowed list in allowedCommands

File name: undefined

Post-upgrade command 'npm run lint' has not been added to the allowed list in allowedCommands