Skip to content

Bump webpack-dev-server from 5.2.4 to 5.2.6 in /components/dash-table in the npm-dependencies-security group across 1 directory#3868

Open
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/components/dash-table/npm-dependencies-security-b2fd70aae3
Open

Bump webpack-dev-server from 5.2.4 to 5.2.6 in /components/dash-table in the npm-dependencies-security group across 1 directory#3868
dependabot[bot] wants to merge 1 commit into
devfrom
dependabot/npm_and_yarn/components/dash-table/npm-dependencies-security-b2fd70aae3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm-dependencies-security group with 1 update in the /components/dash-table directory: webpack-dev-server.

Updates webpack-dev-server from 5.2.4 to 5.2.6

Release notes

Sourced from webpack-dev-server's releases.

v5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)
Changelog

Sourced from webpack-dev-server's changelog.

5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

Commits
  • 8a37b0e chore(release): new release (#5697)
  • f21ed0f fix: handle malformed Host and Origin headers (#5699)
  • 80cd9ee fix: reject cross-site requests to open-editor and invalidate endpoints (#5698)
  • 308e853 fix: handle undefined options in Server constructor (#5695)
  • 8b2b915 chore: update branch references from v4 to v5 in workflow configuration
  • 870ed22 chore: add v5 branch to release workflow triggers
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026
Bumps the npm-dependencies-security group with 1 update in the /components/dash-table directory: [webpack-dev-server](https://github.com/webpack/webpack-dev-server).


Updates `webpack-dev-server` from 5.2.4 to 5.2.6
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.4...v5.2.6)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.6
  dependency-type: direct:development
  dependency-group: npm-dependencies-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/components/dash-table/npm-dependencies-security-b2fd70aae3 branch from e2c317e to c4738b0 Compare July 10, 2026 15:35
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants