@GaryJones (Contributor)

Summary

Resolves the last 2 remaining security vulnerabilities by upgrading webpack-dev-server from 4.15.2 to 5.2.2 using npm overrides.

Vulnerabilities Fixed

Both moderate severity, dev-only:

  1. GHSA-9jgg-88mc-972h - CVE-2025-30360: Source code theft via malicious website (non-Chromium browsers)
  2. GHSA-4v9v-hfq4-rm2v - Source code theft via malicious website

Affected: webpack-dev-server <=5.2.0
Fixed in: webpack-dev-server 5.2.1+

The Solution

webpack-dev-server is a transitive dependency of @wordpress/scripts which specifies ^4.15.1. Using npm's overrides feature forces all packages to use the patched version:

"overrides": {
  "webpack-dev-server": "^5.2.1"
}

Testing

Build: Completes successfully
Tests: All pass
npm audit: 0 vulnerabilities (production and dev)

Security Achievement

Complete vulnerability elimination:

  • Started: 138 vulnerabilities (34 critical, 38 high, 68 moderate, 4 low)
  • Ended: 0 vulnerabilities 🎉

Related PRs


🤖 Generated with Claude Code

Uses npm overrides to force webpack-dev-server to v5.2.1+, which fixes
two moderate severity vulnerabilities (CVE-2025-30360 and related).

The vulnerabilities allowed source code theft when developers access
malicious websites while running the dev server. While these are
dev-only risks (don't affect production), it's good practice to patch.

webpack-dev-server is a transitive dependency of @wordpress/scripts
which specifies ^4.15.1. The override forces all packages to use the
patched 5.2.1+ version.

Result: 0 total vulnerabilities (production and dev)

Ref GHSA-9jgg-88mc-972h, GHSA-4v9v-hfq4-rm2v

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@GaryJones GaryJones self-assigned this Nov 11, 2025
@GaryJones GaryJones added the type: maintenance Routine maintenance and code quality improvements label Nov 11, 2025
@GaryJones GaryJones merged commit 1baf49a into develop Nov 11, 2025
20 of 21 checks passed
@GaryJones GaryJones deleted the fix/webpack-dev-server-vulnerabilities branch November 11, 2025 01:33
@GaryJones GaryJones added the dependencies Dependency updates label Nov 11, 2025