Skip to content

Update dependency webpack-dev-middleware to v5 [SECURITY]#23

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-webpack-dev-middleware-vulnerability
Open

Update dependency webpack-dev-middleware to v5 [SECURITY]#23
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-webpack-dev-middleware-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Mar 24, 2024
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
webpack-dev-middleware ^1.2.0^5.3.4 age confidence

Path traversal in webpack-dev-middleware

CVE-2024-29180 / GHSA-wr3j-pwj9-hqq6

More information

Details

Summary

The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine.

Details

The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory memfs filesystem.
If writeToDisk configuration option is set to true, the physical filesystem is used:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/setupOutputFileSystem.js#L21

The getFilenameFromUrl method is used to parse URL and build the local file path.
The public path prefix is stripped from the URL, and the unsecaped path suffix is appended to the outputPath:
https://github.com/webpack/webpack-dev-middleware/blob/7ed24e0b9f53ad1562343f9f517f0f0ad2a70377/src/utils/getFilenameFromUrl.js#L82
As the URL is not unescaped and normalized automatically before calling the midlleware, it is possible to use %2e and %2f sequences to perform path traversal attack.

PoC

A blank project can be created containing the following configuration file webpack.config.js:
module.exports = { devServer: { devMiddleware: { writeToDisk: true } } };

When started, it is possible to access any local file, e.g. /etc/passwd:
$ curl localhost:8080/public/..%2f..%2f..%2f..%2f../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
Impact

The developers using webpack-dev-server or webpack-dev-middleware are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content (e.g. password, configuration files, private source code, ...).

If the development server is listening on a public IP address (or 0.0.0.0), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port).

If the server allows access from third-party domains (CORS, Allow-Access-Origin: * ), an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files.

Recommendation

The URL should be unescaped and normalized before any further processing.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

webpack/webpack-dev-middleware (webpack-dev-middleware)

v5.3.4

Compare Source

5.3.4 (2024-03-20)
Bug Fixes

v5.3.3

Compare Source

⚠ BREAKING CHANGES
  • minimum supported webpack version is 5.0.0
  • minimum supported Nodejs version is 14.15.0
5.3.3 (2022-05-18)
Bug Fixes
5.3.2 (2022-05-17)
Bug Fixes
5.3.1 (2022-02-01)
Bug Fixes

v5.3.2

Compare Source

⚠ BREAKING CHANGES
  • minimum supported webpack version is 5.0.0
  • minimum supported Nodejs version is 14.15.0
5.3.3 (2022-05-18)
Bug Fixes
5.3.2 (2022-05-17)
Bug Fixes
5.3.1 (2022-02-01)
Bug Fixes

v5.3.1

Compare Source

⚠ BREAKING CHANGES
  • minimum supported webpack version is 5.0.0
  • minimum supported Nodejs version is 14.15.0
5.3.3 (2022-05-18)
Bug Fixes
5.3.2 (2022-05-17)
Bug Fixes
5.3.1 (2022-02-01)
Bug Fixes

v5.3.0

Compare Source

⚠ BREAKING CHANGES
  • minimum supported webpack version is 5.0.0
  • minimum supported Nodejs version is 14.15.0
5.3.3 (2022-05-18)
Bug Fixes
5.3.2 (2022-05-17)
Bug Fixes
5.3.1 (2022-02-01)
Bug Fixes

v5.2.2

Compare Source

Features
5.2.2 (2021-11-17)
Chore
  • update schema-utils package to 4.0.0 version
5.2.1 (2021-09-25)
  • internal release, no visible changes and features

v5.2.1

Compare Source

Features
5.2.2 (2021-11-17)
Chore
  • update schema-utils package to 4.0.0 version
5.2.1 (2021-09-25)
  • internal release, no visible changes and features

v5.2.0

Compare Source

Features
5.2.2 (2021-11-17)
Chore
  • update schema-utils package to 4.0.0 version
5.2.1 (2021-09-25)
  • internal release, no visible changes and features

v5.1.0

Compare Source

Features
  • don't read full file if Range header is present (e8b21f0)
  • output more information on errors (#​1024) (7df9e44)
Bug Fixes

v5.0.0

Compare Source

⚠ BREAKING CHANGES

v4.3.0

Compare Source

Features
Bug Fixes

v4.2.0

Compare Source

Features

v4.1.0

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v4.0.4

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v4.0.3

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v4.0.2

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v4.0.1

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v4.0.0

Compare Source

Features
4.0.4 (2021-01-13)
Bug Fixes
4.0.3 (2021-01-12)
Bug Fixes
  • output stats to stdout instead stderr, how does webpack-cli, if you need hide stats from output please use { stats: false } or { stats: 'none' } (4de0f97)
  • colors are working for stats (4de0f97)
  • schema description (#​783) (f9ce2b2)
  • skip Content-type header on unknown types (#​809) (5c9eee5)
4.0.2 (2020-11-10)
Bug Fixes
4.0.1 (2020-11-09)
Bug Fixes
  • compatibility with connect (b83a1db)

v3.7.3

Compare Source

3.7.3 (2020-12-15)
Bug Fixes

v3.7.2

Compare Source

Bug Fixes
4.0.0-rc.0 (2020-02-19)
Bug Fixes
  • respect output.path and output.publicPath options from the configuration
  • respect the stats option from the configuration
  • respect the watchOptions option from the configuration
  • the writeToDisk option now correctly works in multi-compiler mode
  • the outputFileSystem option now correctly works in multi-compiler mode
  • respect [hash]/[fullhash] in output.path and output.publicPath
  • handle exceptions for filesystem operations
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
Features
  • validate options
  • migrate on the webpack logger
  • migrate on the memfs package
  • improve performance
BREAKING CHANGES
  • minimum supported Node.js version is 10.13.0
  • the default value of the option publicPath is taken from the value of the output.publicPath option from the configuration (webpack.config.js)
  • the stats option was removed, the default value of the stats option is taken from the value of the stats option from the configuration (webpack.config.js)
  • the watchOptions was removed, the default value of the watchOptions option is taken from the value of the watchOptions option from the configuration (webpack.config.js)
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
  • the fs option was renamed to the outputFileSystem option
  • the lazy option was removed without replacement
  • the logger, logLevel and logTime options were removed without replacement. You can setup the level value using { infrastructureLogging: { level: 'warn' } }, please read https://webpack.js.org/configuration/other-options/#infrastructurelogging. You can use the infrastructurelog (infrastructureLog in webpack@5) hook to customize logs. The log property in the middleware context was renamed to logger
  • the mimeTypes option first requires you to specify an extension and then a content-type - { mimeTypes: { phtml: 'text/html' } }
  • the force option from the mimeTypes option was removed without replacement
  • the reporter option was removed without replacement
  • the getFilenameFromUrl method was removed from the API
  • the middleware locals now under res.locals.webpack - use res.locals.webpack.stats for access stats and res.locals.webpack.outputFileSystem to access outputFileSystem
3.7.2 (2019-09-28)
Bug Fixes
3.7.1 (2019-09-03)
Bug Fixes

v3.7.1

Compare Source

Bug Fixes
4.0.0-rc.0 (2020-02-19)
Bug Fixes
  • respect output.path and output.publicPath options from the configuration
  • respect the stats option from the configuration
  • respect the watchOptions option from the configuration
  • the writeToDisk option now correctly works in multi-compiler mode
  • the outputFileSystem option now correctly works in multi-compiler mode
  • respect [hash]/[fullhash] in output.path and output.publicPath
  • handle exceptions for filesystem operations
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
Features
  • validate options
  • migrate on the webpack logger
  • migrate on the memfs package
  • improve performance
BREAKING CHANGES
  • minimum supported Node.js version is 10.13.0
  • the default value of the option publicPath is taken from the value of the output.publicPath option from the configuration (webpack.config.js)
  • the stats option was removed, the default value of the stats option is taken from the value of the stats option from the configuration (webpack.config.js)
  • the watchOptions was removed, the default value of the watchOptions option is taken from the value of the watchOptions option from the configuration (webpack.config.js)
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
  • the fs option was renamed to the outputFileSystem option
  • the lazy option was removed without replacement
  • the logger, logLevel and logTime options were removed without replacement. You can setup the level value using { infrastructureLogging: { level: 'warn' } }, please read https://webpack.js.org/configuration/other-options/#infrastructurelogging. You can use the infrastructurelog (infrastructureLog in webpack@5) hook to customize logs. The log property in the middleware context was renamed to logger
  • the mimeTypes option first requires you to specify an extension and then a content-type - { mimeTypes: { phtml: 'text/html' } }
  • the force option from the mimeTypes option was removed without replacement
  • the reporter option was removed without replacement
  • the getFilenameFromUrl method was removed from the API
  • the middleware locals now under res.locals.webpack - use res.locals.webpack.stats for access stats and res.locals.webpack.outputFileSystem to access outputFileSystem
3.7.2 (2019-09-28)
Bug Fixes
3.7.1 (2019-09-03)
Bug Fixes

v3.7.0

Compare Source

Bug Fixes
4.0.0-rc.0 (2020-02-19)
Bug Fixes
  • respect output.path and output.publicPath options from the configuration
  • respect the stats option from the configuration
  • respect the watchOptions option from the configuration
  • the writeToDisk option now correctly works in multi-compiler mode
  • the outputFileSystem option now correctly works in multi-compiler mode
  • respect [hash]/[fullhash] in output.path and output.publicPath
  • handle exceptions for filesystem operations
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
Features
  • validate options
  • migrate on the webpack logger
  • migrate on the memfs package
  • improve performance
BREAKING CHANGES
  • minimum supported Node.js version is 10.13.0
  • the default value of the option publicPath is taken from the value of the output.publicPath option from the configuration (webpack.config.js)
  • the stats option was removed, the default value of the stats option is taken from the value of the stats option from the configuration (webpack.config.js)
  • the watchOptions was removed, the default value of the watchOptions option is taken from the value of the watchOptions option from the configuration (webpack.config.js)
  • the Content-Type header doesn't have charset=utf-8 value for custom MIME types and MIME types which can be non utf-8
  • the fs option was renamed to the outputFileSystem option
  • the lazy option was removed without replacement
  • the logger, logLevel and logTime options were removed without replacement. You can setup the level value using { infrastructureLogging: { level: 'warn' } }, please read https://webpack.js.org/configuration/other-options/#infrastructurelogging. You can use the infrastructurelog (infrastructureLog in webpack@5) hook to customize logs. The log property in the middleware context was renamed to logger
  • the mimeTypes option first requires you to specify an extension and then a content-type - { mimeTypes: { phtml: 'text/html' } }
  • the force option from the mimeTypes option was removed without replacement
  • the reporter option was removed without replacement
  • the getFilenameFromUrl method was removed from the API
  • the middleware locals now under res.locals.webpack - use res.locals.webpack.stats for access stats and res.locals.webpack.outputFileSystem to access outputFileSystem
3.7.2 (2019-09-28)
Bug Fixes
3.7.1 (2019-09-03)
Bug Fixes

v3.6.2

Compare Source

Bug Fixes
  • check existence of res.getHeader and set the correct Content-Type (#​385) (56dc705)

v3.6.1

Compare Source

Bug Fixes
  • do not overwrite Content-Type if header already exists (#​377) (b2a6fed)

v3.6.0

Compare Source

Features

v3.5.2

Compare Source

Bug Fixes

v3.5.1

Compare Source

Bug Fixes
  • remove querystring from filenames when writing to disk (#​361) (90d0d94)

v3.5.0

Compare Source

Bug Fixes
Features
  • allow to redefine mimeTypes (possible to use force option) (#​349) (e56a181)

v3.4.0

Compare Source

Bug Fixes
  • index: don't modify the default behavior for unhandledRejection (#​340) (f0a8e3e)
  • middleware: replace url-join with path.posix.join (#​334) (d75802b)

v3.3.0

Compare Source

Features
  • middleware: expose the memory filesystem (response.locals.fs) (#​337) (f9a138e)

v3.2.0

Compare Source

Bug Fixes
Features
  • middleware: add methods option (options.methods) (#​319) (fe6bb86)

v3.1.3

Compare Source

Bugfixes

  • Excluded outputPath from URI escaping to fix #​297. (#​303)
  • fix: fixes #​290 - MultiCompiler exception with writeToDisk (#​301)

v3.1.2

Compare Source

Updates

  • refactor: use chalk from webpack-log (#​293)

v3.1.1

Compare Source

Bugfixes

  • fix(package): add chalk to peerDeps (#​292)

v3.1.0

Compare Source

Bugfixes

Features

  • Allow Writing Files to Disk (#​287)

v3.0.1

Compare Source

v3.0.0

Compare Source

Updates

  • Webpack 4 (#​267)
  • remove watchOffset option in favor of time-fix-plugin

Breaking Changes

  • Introduces full support for webpack v4 and removes support for lesser versions.
  • The watchOffset option has been removed and the README has been updated with alternative means of accomplishing the same result for this module and webpack v4.
  • middleware.webpack now returns a Promise that should be handled with .then when needing to perform other actions, like adding additional middleware.

v2.0.6

Compare Source

v2.0.5

Compare Source

v2.0.4

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

Updates

  • Implemented webpack-log, removed dependencies related to the previous logging implementation.

v2.0.1

Compare Source

Publish to correct package.json.

v2.0.0

Compare Source

This major release introduces a comprehensive refactor of the codebase and move to leverage more ES6 as supported by Node 6+. It also introduced a number of breaking changes, as outlined below.

Node Version Support

webpack-dev-middleware version 2 and higher will only support Node 6.x and higher. Active
LTS for Node 4.x ended October 31st, 2017 and entered maintenance on that date.
Likewise, the version 1.x branch of webpack-dev-middleware will enter maintenance on
that date.

Informative Changes

  • logging is now handled by log-level and follows the same patterns as
    webpack-dev-server.

Breaking Changes

  • watchDelay option was previous deprecated and has now been removed.
  • reportTime option renamed to logTime
  • noInfo option removed in favor of setting a logLevel higher than 'info'
  • `quie

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 2e419c3 to a4dbe6d Compare March 26, 2024 02:58
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Mar 26, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from a4dbe6d to c759933 Compare April 14, 2024 14:50
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Apr 14, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from c759933 to e94fcaf Compare April 15, 2024 18:01
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Apr 15, 2024
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Apr 22, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch 2 times, most recently from b2b0331 to 616986f Compare April 24, 2024 02:38
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Apr 24, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 616986f to 2a993ba Compare April 26, 2024 02:53
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Apr 26, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 2a993ba to 0d2227b Compare April 28, 2024 02:54
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Apr 28, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 0d2227b to 1929433 Compare May 1, 2024 08:31
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] May 1, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 1929433 to 325fb76 Compare May 2, 2024 08:24
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] May 2, 2024
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] May 9, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch 2 times, most recently from 5c2a04b to e5b4602 Compare May 10, 2024 17:46
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] May 10, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from e5b4602 to c5fc36c Compare May 23, 2024 02:41
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] May 23, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from c5fc36c to b767af8 Compare May 24, 2024 11:47
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] May 24, 2024
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Jun 4, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch 2 times, most recently from ad296a2 to c8ae78f Compare June 5, 2024 05:52
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from df1bac2 to ec2e2ba Compare July 24, 2024 05:44
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Jul 24, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from ec2e2ba to f4c2b03 Compare July 29, 2024 05:47
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Jul 29, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from f4c2b03 to 0c31133 Compare July 31, 2024 02:45
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Jul 31, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 0c31133 to 2d5b9db Compare October 10, 2024 02:48
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Oct 10, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 2d5b9db to 20390c9 Compare October 11, 2024 05:40
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Oct 11, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 20390c9 to 960bca0 Compare October 29, 2024 05:44
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Oct 29, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 960bca0 to 7b0ad79 Compare October 31, 2024 05:23
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Oct 31, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 7b0ad79 to 98c555b Compare December 5, 2024 05:34
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Dec 5, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 98c555b to 59f9cab Compare December 7, 2024 02:33
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Dec 7, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 59f9cab to 70134eb Compare December 21, 2024 17:25
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Dec 21, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 70134eb to 86fe7a5 Compare December 23, 2024 17:59
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Dec 23, 2024
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 86fe7a5 to 88742e9 Compare January 15, 2025 03:52
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Jan 15, 2025
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 88742e9 to 2a532e6 Compare January 17, 2025 11:48
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v7 [SECURITY] Update dependency webpack-dev-middleware to v5 [SECURITY] Jan 17, 2025
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 2a532e6 to 6d29102 Compare January 25, 2025 08:16
@renovate renovate Bot changed the title Update dependency webpack-dev-middleware to v5 [SECURITY] Update dependency webpack-dev-middleware to v7 [SECURITY] Jan 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-webpack-dev-middleware-vulnerability branch from 6d29102 to dad4bd9 Compare January 26, 2025 07:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants