chore(deps-dev): Bump webpack-dev-server from 4.15.2 to 5.2.1

[dependabot]

Bumps webpack-dev-server from 4.15.2 to 5.2.1.

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#5269) (c3b532c)
• ipv6 output (#5270) (06005e7)
• replace rimraf with rm (#5162) (1a1561f)
• replace default gateway (#5255) (f5f0902)
• support devServer: false (#5272) (8b341cb)

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

• cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
• requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

• prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
• take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

• added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

• speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

• add visual progress indicators (a8f40b7)
• added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
• allow the server option to be Function (#5275) (02a1c6d)
• http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

• check the platform property to determinate the target (#5269) (c3b532c)
• ipv6 output (#5270) (06005e7)
• replace rimraf with rm (#5162) (1a1561f)
• replace default gateway (#5255) (f5f0902)
• support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits

• 0d22a08 chore(release): 5.2.1
• 6045b1e chore(deps): update (#5444)
• ffd0b86 fix: take the first network found instead of the last one, this restores the ...
• 9ea7b08 ci: update dependency-review-action (#5442)
• 5c9378b Merge commit from fork
• d2575ad Merge commit from fork
• 8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
• 5a39c70 ci: update codecov/codecov-action to v5 (#5406)
• 55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
• 09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[ankita10119]

@dependabot rebase

[ankita10119]

@dependabot rebase

[ankita10119]

@claude

[github-actions]

Claude finished @ankita10119's task —— View job

---

Overall Assessment

❌ This PR introduces breaking changes that require configuration updates before it can be safely merged.

---

Critical Issues Found

1. Breaking Configuration Change in Example Code

File: examples/bundling/webpack/webpack.config.js:9
Issue: The contentBase option was removed in webpack-dev-server v5. The example webpack configuration uses the deprecated property which will cause the dev server to fail.

Required Fix:

// BEFORE (v4)
devServer: {
  contentBase: './',
  https: true,
  port: 3000
}

// AFTER (v5)
devServer: {
  static: './',  // Changed from contentBase
  https: true,
  port: 3000
}

2. Security Changes May Affect Development Workflow

The v5.2.1 release includes important security fixes that may impact the development server:

• Cross-origin requests are now blocked unless explicitly allowed via Access-Control-Allow-Origin headers
• Requests with IP addresses in the Origin header are restricted unless configured in allowedHosts

Impact: If developers rely on cross-origin requests during development, the dev server may reject these requests after this upgrade.

Recommended Action: Add explicit CORS configuration if needed:

devServer: {
  headers: {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
    'Access-Control-Allow-Headers': 'X-Requested-With, content-type, Authorization'
  }
}

---

Additional Breaking Changes to Verify

The main webpack.config.js:44-52 appears compatible (uses static property correctly), but the following should be tested:

1. Node.js Version: webpack-dev-server v5 requires Node.js ≥ 18.12.0 (up from ≥ 12.13.0 in v4)
2. webpack-dev-middleware: Upgraded from v5 to v7 (major version change with its own breaking changes)
3. Dependency updates: Multiple major version bumps in transitive dependencies:
   • open: v8 → v10
   • memfs: v3 → v4
   • p-retry: v4 → v6
   • is-wsl: v2 → v3
   • is-docker: v2 → v3

---

Required Actions Before Merge

1. ✅ Update the example webpack config to replace contentBase with static
2. ✅ Verify Node.js version meets the ≥18.12.0 requirement in CI/CD
3. ✅ Test the dev server locally to ensure it starts without errors
4. ✅ Test cross-origin scenarios if the application makes cross-origin requests during development
5. ✅ Update documentation if developers need to configure allowedHosts or CORS headers

---

Recommendation

Do not merge until the breaking configuration change is fixed. The example webpack configuration must be updated to use webpack-dev-server v5 syntax, otherwise the example will be broken for users.

---