Skip to content

Bump webpack-dev-server and @angular-devkit/build-angular in /Standalone#546

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/Standalone/multi-c449e0b749
Open

Bump webpack-dev-server and @angular-devkit/build-angular in /Standalone#546
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/Standalone/multi-c449e0b749

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Copy link
Copy Markdown
Contributor

Bumps webpack-dev-server to 5.2.5 and updates ancestor dependency @angular-devkit/build-angular. These dependencies need to be updated together.

Updates webpack-dev-server from 4.15.1 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

... (truncated)

Commits
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • fd40130 chore(release): 5.2.4
  • ece4f36 chore: update deps (#5661)
  • a216144 ci: fix test (#5658)
  • df073c5 Merge commit from fork
  • b550a70 chore(release): 5.2.3
  • 9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @angular-devkit/build-angular from 17.0.0 to 21.2.16

Release notes

Sourced from @​angular-devkit/build-angular's releases.

21.2.16

@​angular/cli

Commit Description
fix - 77c9047ac update pacote to 21.5.1

@​angular/ssr

Commit Description
fix - d052e97da prioritize options over environment variables in AngularNodeAppEngine

21.2.15

@​angular/cli

Commit Description
fix - 42ac0ed0f remove forceAuth and unscoped credential parsing
fix - c7a7f1955 support registry metadata fetching under bun package manager

21.2.14

@​angular/cli

Commit Description
fix - aed448748 expand package groups for newly added peer dependencies in update schematic

@​angular/build

Commit Description
fix - d46c082fb prevent esbuild service child process leakage

21.2.13

@​angular-devkit/build-angular

Commit Description
fix - 3c6d26a31 remove unconditional CORS wildcard from webpack dev-server

@​angular/build

Commit Description
fix - 2b3e95517 assert that asset input paths are within workspace root

21.2.12

@​angular/build

Commit Description
fix - cbad57579 ignore virtual esbuild paths with (disabled):

21.2.11

@​angular/cli

Commit Description
fix - bbd63b7a5 robustly parse npm manifest from array

@​angular/ssr

| Commit | Description |

... (truncated)

Changelog

Sourced from @​angular-devkit/build-angular's changelog.

21.2.16 (2026-06-17)

@​angular/cli

Commit Type Description
77c9047ac fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
d052e97da fix prioritize options over environment variables in AngularNodeAppEngine

20.3.29 (2026-06-17)

@​angular/cli

Commit Type Description
5f7c0328c fix update pacote to 21.5.1

@​angular/ssr

Commit Type Description
a75d78e68 fix prioritize options over environment variables in AngularNodeAppEngine

22.0.2 (2026-06-17)

@​angular/cli

Commit Type Description
136fc2714 fix support registry metadata fetching under bun package manager
2653dd5c7 perf implement semaphore backpressure throttling in PackageManager

@​angular/build

Commit Type Description
0b4a48add perf implement semaphore backpressure throttling in JavaScriptTransformer

... (truncated)

Commits
  • 1efc647 release: cut the v21.2.16 release
  • 14459e2 build: update dependency webpack-dev-server to 5.2.5
  • 77c9047 fix(@​angular/cli): update pacote to 21.5.1
  • d052e97 fix(@​angular/ssr): prioritize options over environment variables in AngularNo...
  • d318ddd release: cut the v21.2.15 release
  • c7a7f19 fix(@​angular/cli): support registry metadata fetching under bun package manager
  • bdc3d2f test(@​angular/cli): ignore engines in version-specifier E2E test when using yarn
  • 42ac0ed fix(@​angular/cli): remove forceAuth and unscoped credential parsing
  • 2c25333 test(@​angular/cli): remove unscoped authentication test cases from registry t...
  • 4488398 release: cut the v21.2.14 release
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump webpack-dev-server and @angular-devkit/build-angular in /Standalone
807dbf1 
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) to 5.2.5 and updates ancestor dependency [@angular-devkit/build-angular](https://github.com/angular/angular-cli). These dependencies need to be updated together.


Updates `webpack-dev-server` from 4.15.1 to 5.2.5
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v4.15.1...v5.2.5)

Updates `@angular-devkit/build-angular` from 17.0.0 to 21.2.16
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](angular/angular-cli@17.0.0...v21.2.16)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.5
  dependency-type: indirect
- dependency-name: "@angular-devkit/build-angular"
  dependency-version: 21.2.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 20, 2026
@semgrep-code-auth0-samples

semgrep-code-auth0-samples Bot commented Jun 20, 2026

Copy link
Copy Markdown

Semgrep found 1 ssc-c8b7a1f2-4d36-4f0a-9e2b-1a5c8d7e6f30 finding:

Risk: Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like /.env::$DATA?raw, or 8.3 short filenames), allowing an attacker to read otherwise-denied files when the dev server is exposed to the network.

Manual Review Advice: A vulnerability from this advisory is reachable if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows

Fix: Upgrade this library to at least version 7.3.5 at auth0-angular-samples/Standalone/package-lock.json:389.

Reference(s): GHSA-fx2h-pf6j-xcff

Semgrep found 1 ssc-d17d3487-883b-46a9-bec9-dee3375f7532 finding:

Risk: Affected versions of esbuild are vulnerable to Download of Code Without Integrity Check / Untrusted Search Path. esbuild's Deno distribution module (lib/deno/mod.ts) contains an import.meta.main CLI entrypoint that calls install() directly when the module is run as a script (deno run https://deno.land/x/esbuild@vX/mod.js). This download path has no SHA-256 integrity verification: if NPM_CONFIG_REGISTRY resolves to an attacker-controlled registry, the fetched binary is executed immediately, yielding arbitrary code execution without any API call in user code.

Manual Review Advice: A vulnerability from this advisory is reachable if you invoke the esbuild Deno module directly as a CLI tool (e.g. deno run https://deno.land/x/esbuild@vX/mod.js) and the NPM_CONFIG_REGISTRY environment variable resolves the binary download to an untrusted registry

Fix: Upgrade this library to at least version 0.28.1 at auth0-angular-samples/Standalone/package-lock.json:10444.

Reference(s): GHSA-gv7w-rqvm-qjhr

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants