Skip to content

build(deps): upgrade webpack-dev-server to v5.2.4 on next#4308

Merged
MarshallOfSound merged 1 commit into
nextfrom
fix/webpack-dev-server-cve-next
Jul 1, 2026
Merged

build(deps): upgrade webpack-dev-server to v5.2.4 on next#4308
MarshallOfSound merged 1 commit into
nextfrom
fix/webpack-dev-server-cve-next

Conversation

@claude

@claude claude Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Requested by Samuel Attard · Slack thread

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project follows, as appropriate.
  • The changes are appropriately documented (if applicable).
  • The changes have sufficient test coverage (if applicable).
  • The testsuite passes successfully on my local machine (if applicable).

Summarize your changes:

Bumps webpack-dev-server in @electron-forge/plugin-webpack from ^4.0.0 to ^5.2.4 on the release-bearing next branch.

Before: next pins webpack-dev-server ^4.0.0, which is affected by the moderate advisory GHSA-9jgg-88mc-972h (source code can be stolen via a malicious site in a non-Chromium browser).

After: bumped to ^5.2.4 (resolves to 5.2.5 in the lockfile), resolving the advisory.

How: mirrors the fix already merged to main in #4274; re-applied manually because that commit does not cherry-pick cleanly onto next (branches diverged since Nov 2025).

One deliberate difference from #4274: the // eslint-disable-next-line import/default suppression added on main is not needed here. next has migrated its JS/TS linting from ESLint to oxlint (.oxlintrc.json), and the import/default rule is not enabled in that config. oxlint reports 0 errors on the unchanged default import import WebpackDevServer from 'webpack-dev-server'; in both Config.ts and WebpackPlugin.ts, and the package type-checks/builds cleanly under wds v5.

Reference: fixes part of #4084 on the release-bearing next branch (main was already fixed by #4274).


Generated by Claude Code

Bumps webpack-dev-server in @electron-forge/plugin-webpack from ^4.0.0 to
^5.2.4 to resolve the moderate advisory GHSA-9jgg-88mc-972h. Mirrors the
fix merged to main in #4274; re-applied manually because that commit does
not cherry-pick cleanly onto next.

The eslint-disable import/default suppression from #4274 is intentionally
omitted here: next has migrated linting from ESLint to oxlint, and the
import/default rule is not enabled in .oxlintrc.json, so oxlint reports no
error on the default `import WebpackDevServer from 'webpack-dev-server'`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0181gUdj5iDhqVyJjakQbuei
@github-actions github-actions Bot added the next label Jul 1, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedwebpack-dev-server@​4.15.2 ⏵ 5.2.597 +1100 +610092100

View full report

@MarshallOfSound MarshallOfSound marked this pull request as ready for review July 1, 2026 18:24
@MarshallOfSound MarshallOfSound requested a review from a team as a code owner July 1, 2026 18:24
@MarshallOfSound MarshallOfSound merged commit 5761321 into next Jul 1, 2026
13 of 14 checks passed
@MarshallOfSound MarshallOfSound deleted the fix/webpack-dev-server-cve-next branch July 1, 2026 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants