react-scripts/ webpack-dev-server

[hilalevx]

I'm using react-scripts@5.0.1, which is locked to webpack-dev-server@4.x.
A vulnerability was found: CVE-2025-30360
While webpack5.2.1 fixes the CVE (using override), the upgrade doesn't let me run the app. I get this error on npm start:
Invalid options object. Dev Server has been initialized using an options object that does not match the API schema.
options has an unknown property 'onAfterSetupMiddleware'. These properties are valid:
object { allowedHosts?, bonjour?, client?, compress?, devMiddleware?, headers?, historyApiFallback?, host?, hot?, ipc?, liveReload?, onListening?, open?, port?, proxy?, server?, app?, setupExitSignals?, setupMiddlewares?, static?, watchFiles?, webSocketServer? }

any solutions?

[zFl4wless]

You’re hitting this because react-scripts@5.0.1 is not compatible with webpack-dev-server@5.

react-scripts@5.0.1 still configures the dev server using the old hooks:

• onBeforeSetupMiddleware
• onAfterSetupMiddleware

Those were removed in webpack-dev-server@5 and replaced with setupMiddlewares.

So when you force an override to webpack-dev-server@5.2.1, CRA still passes the old options, which is why npm start fails with:

options has an unknown property 'onAfterSetupMiddleware'

---

Why the override fails

Even though webpack-dev-server@5.2.1 contains the fix for CVE-2025-30360, react-scripts@5.0.1 itself was written against WDS 4, not WDS 5.

So this is not just a version mismatch — it’s a breaking API incompatibility between CRA 5 and webpack-dev-server@5.

---

Realistic options

1. Stay on CRA 5 + WDS 4 for now

This is the simplest path if you need the app running without reworking the build setup.

But to be clear: this does not fix the CVE. It just avoids the compatibility break caused by forcing WDS 5.

Since this issue affects the development server, not the production build, some teams choose to accept or mitigate the risk depending on how their dev environment is exposed.

---

2. Patch CRA’s dev-server config (advanced)

If you absolutely must use webpack-dev-server@5, you need to adapt CRA’s dev-server configuration.

That usually means one of these:

• ejecting
• using CRACO
• using react-app-rewired

At minimum, you would need to:

• remove onBeforeSetupMiddleware
• remove onAfterSetupMiddleware
• replace them with setupMiddlewares

Example with CRACO:

module.exports = {
  devServer: (devServerConfig) => {
    delete devServerConfig.onBeforeSetupMiddleware;
    delete devServerConfig.onAfterSetupMiddleware;

    devServerConfig.setupMiddlewares = (middlewares, devServer) => {
      return middlewares;
    };

    return devServerConfig;
  },
};

That said, this may not be enough on its own. CRA 5 was not designed for WDS 5, so additional incompatibilities may appear.

---

3. Migrate away from CRA (best long-term option)

Long term, this is probably the cleanest solution.

react-scripts@5.0.1 is effectively stuck on an older toolchain, so these kinds of dependency/security conflicts are likely to keep happening.

If keeping up with security fixes matters, it’s worth considering a move to:

• Vite
• Next.js
• a custom Webpack setup

---

Bottom line

This is not something you can reliably solve with a simple overrides entry alone.

Your practical choices are:

• stay on CRA 5 + WDS 4 and accept/mitigate the dev-server risk,
• patch CRA’s dev-server config so it works with WDS 5,
• or migrate off CRA to a newer toolchain.

So yes: the error you’re seeing is expected when forcing webpack-dev-server@5 into react-scripts@5.0.1.