Skip to content

Bump webpack-dev-server from 5.2.4 to 5.2.6#421

Merged
SteffenLm merged 1 commit into
mainfrom
dependabot/npm_and_yarn/webpack-dev-server-5.2.5
Jul 3, 2026
Merged

Bump webpack-dev-server from 5.2.4 to 5.2.6#421
SteffenLm merged 1 commit into
mainfrom
dependabot/npm_and_yarn/webpack-dev-server-5.2.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps webpack-dev-server from 5.2.4 to 5.2.6.

Release notes

Sourced from webpack-dev-server's releases.

v5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)
Changelog

Sourced from webpack-dev-server's changelog.

5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Commits
  • 8a37b0e chore(release): new release (#5697)
  • f21ed0f fix: handle malformed Host and Origin headers (#5699)
  • 80cd9ee fix: reject cross-site requests to open-editor and invalidate endpoints (#5698)
  • 308e853 fix: handle undefined options in Server constructor (#5695)
  • 8b2b915 chore: update branch references from v4 to v5 in workflow configuration
  • 870ed22 chore: add v5 branch to release workflow triggers
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor
PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-07-03 08:11 UTC

@dependabot dependabot Bot changed the title Bump webpack-dev-server from 5.2.4 to 5.2.5 Bump webpack-dev-server from 5.2.4 to 5.2.6 Jul 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-dev-server-5.2.5 branch 2 times, most recently from 5b60c25 to 1242dda Compare July 3, 2026 07:49
@SteffenLm

Copy link
Copy Markdown
Contributor

@dependabot rebase

Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.4 to 5.2.6.
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.4...v5.2.6)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-dev-server-5.2.5 branch from 1242dda to f90c21a Compare July 3, 2026 08:08
@SteffenLm SteffenLm merged commit 3f4b728 into main Jul 3, 2026
3 checks passed
@SteffenLm SteffenLm deleted the dependabot/npm_and_yarn/webpack-dev-server-5.2.5 branch July 3, 2026 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant