Backport security fix from v5.2.1 to version-4 (non-Chromium browser dev-server vulnerability)

lib/Server.js

@@ -1,5 +1,10 @@
 "use strict";
 
+function isTrustedClient(req) {
+  // Only allow injection if client explicitly identifies itself
+  return req.headers["webpack-dev-server-client"] === "true";
+}
+
 const os = require("os");
 const path = require("path");
 const url = require("url");
@@ -2103,6 +2108,13 @@ class Server {
         /** @type {import("webpack-dev-middleware").API<Request, Response>}*/
         (middleware).waitUntilValid((stats) => {
           res.setHeader("Content-Type", "text/html");
+
+          if (!isTrustedClient(req)) {
+            res.statusCode = 403;
+            res.end("Access denied: Missing required dev server client header.");
+            return;
+          }
+
           res.write(
             '<!DOCTYPE html><html><head><meta charset="utf-8"/></head><body>'
           );

package.json

@@ -1,6 +1,6 @@
 {
-  "name": "webpack-dev-server",
-  "version": "4.15.2",
+  "name": "webpack-dev-server-wajih",
+  "version": "4.6.0-patched",
   "description": "Serves a webpack app. Updates the browser on changes.",
   "bin": "bin/webpack-dev-server.js",
   "main": "lib/Server.js",