build(deps-dev): bump webpack-dev-server from 3.3.1 to 5.2.1 #160

dependabot · 2025-06-06T10:36:12Z

Bumps webpack-dev-server from 3.3.1 to 5.2.1.

Release notes

Sourced from webpack-dev-server's releases.

v5.2.1

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

v5.0.4

5.0.4 (2024-03-19)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.1 (2025-03-26)

Security

cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header

requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)

take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

add visual progress indicators (a8f40b7)

added the app option to be Function (by default only with connect compatibility frameworks) (3096148)

allow the server option to be Function (#5275) (02a1c6d)

http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

check the platform property to determinate the target (#5269) (c3b532c)

ipv6 output (#5270) (06005e7)

replace rimraf with rm (#5162) (1a1561f)

replace default gateway (#5255) (f5f0902)

support devServer: false (#5272) (8b341cb)

5.0.4 (2024-03-19)

Bug Fixes

... (truncated)

Commits

0d22a08 chore(release): 5.2.1
6045b1e chore(deps): update (#5444)
ffd0b86 fix: take the first network found instead of the last one, this restores the ...
9ea7b08 ci: update dependency-review-action (#5442)
5c9378b Merge commit from fork
d2575ad Merge commit from fork
8c1abc9 fix: prevent overlay for errors caught by React error boundaries (#5431)
5a39c70 ci: update codecov/codecov-action to v5 (#5406)
55220a8 chore(deps-dev): bump the dependencies group across 1 directory with 4 update...
09f6f8e chore(deps): bump the dependencies group across 1 directory with 2 updates (#...
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 3.3.1 to 5.2.1. - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v3.3.1...v5.2.1) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-version: 5.2.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <[email protected]>

ibcheckmarx · 2025-06-06T10:51:23Z

Checkmarx One – Scan Summary & Details – 7d19dcfd-876b-455b-8a7d-0baa4799e23b

New Issues (497)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2017-16042	Npm-growl-1.9.2	details Recommended version: 1.10.0 Description: Growl adds growl notification support to nodejs. Growl before 1.10.0 does not properly sanitize input before passing it to exec, allowing for arbit... Attack Vector: NETWORK Attack Complexity: LOW `ID: gDYJVJaRhr0SefjNkNEUvR5ZOSBJCjPgIZAVMagUGAw%3D` Vulnerable Package
CVE-2018-11499	Npm-node-sass-4.5.3	details Description: A Use-After-Free vulnerability exists in "handle_error()" in "sass_context.cpp" in LibSass 3.4.x and 3.5.x through 3.5.5 that could be leveraged to... Attack Vector: NETWORK Attack Complexity: LOW `ID: xE91d%2B6PZC5Gf%2FS9%2Buy9Fpkhmpj0Hu6Jp1%2BXW5%2B6qv4%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.1	details Recommended version: 3.0.2 Description: A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.p... Attack Vector: NETWORK Attack Complexity: LOW `ID: B5o6juMfnUJxgopAkvhZag78w9dqgwJDIMIdaADBGM8%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.0	details Recommended version: 3.0.2 Description: A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.p... Attack Vector: NETWORK Attack Complexity: LOW `ID: xZoOY8eLDqyqh%2FaQLP9kQ1KD4j58k%2F9X%2F6a190XYFWw%3D` Vulnerable Package
CVE-2018-3739	Npm-https-proxy-agent-1.0.0	details Recommended version: 2.2.0 Description: https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Bn4U555scjQK6UuNGfeYygtxRWdFhlZM%2BvJgAds0JZ4%3D` Vulnerable Package
CVE-2018-3739	Npm-https-proxy-agent-2.1.0	details Recommended version: 2.2.0 Description: https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory ... Attack Vector: NETWORK Attack Complexity: LOW `ID: O6aY3w56TrUF58%2BsbRtrxCC67KuZiBVBcWB52bKfaFs%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.2	details Recommended version: 0.5.1 Description: The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attac... Attack Vector: NETWORK Attack Complexity: LOW `ID: 4%2B5bywEgOtGRfui5GVMomG0aD2KL19g%2FyZd6CM0gX0o%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.1	details Recommended version: 0.5.1 Description: The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attac... Attack Vector: NETWORK Attack Complexity: LOW `ID: YRZSjoHJ13GHIhIkSeqJ%2BId4iYdr0wwsui6dp4lo86s%3D` Vulnerable Package
CVE-2019-10747	Npm-set-value-0.4.3	details Recommended version: 2.0.1 Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FdrkXCEspSi8NWnA2sUhPuecQyEhzeOMvtFaP0BgrnQ%3D` Vulnerable Package
CVE-2019-10747	Npm-set-value-2.0.0	details Recommended version: 2.0.1 Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying... Attack Vector: NETWORK Attack Complexity: LOW `ID: eUqnrujC68gdaXLKLejIGY2q8NDsP5y83G9%2FJZUT0%2Fs%3D` Vulnerable Package
CVE-2019-19919	Npm-handlebars-4.0.10	details Recommended version: 4.7.7 Description: Versions of handlebars prior to 3.0.8 and 4.x prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Ln7HbO31WrI5DcZ5W07G80emNtg42CdCjjM3fvDpi8o%3D` Vulnerable Package
CVE-2019-19919	Npm-handlebars-4.1.2	details Recommended version: 4.7.7 Description: Versions of handlebars prior to 3.0.8 and 4.x prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may ... Attack Vector: NETWORK Attack Complexity: LOW `ID: zVyQapjrn3IsDukwFctIk9oNgIP%2F3YHeRcAHyptOX%2B0%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.5	details Recommended version: 1.3.6 Description: This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will p... Attack Vector: NETWORK Attack Complexity: LOW `ID: o4NUd8p99JWVJMO6wM6CB%2Fkz3YV9S1gznMR818%2BXBAk%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.4	details Recommended version: 1.3.6 Description: This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will p... Attack Vector: NETWORK Attack Complexity: LOW `ID: UsDzIngPSZJhmbKtPa%2FcB8nnl4bWpnbBiX%2FurwgkIAM%3D` Vulnerable Package
CVE-2021-21353	Npm-pug-code-gen-2.0.0	details Recommended version: 3.0.3 Description: In pug-code-gen before version 2.0.3 and 3.x before 3.0.2, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. i... Attack Vector: NETWORK Attack Complexity: HIGH `ID: jimBhvadzGa10qL0jL5n%2Br6XhvdAhuCONdT0wcuR3IE%3D` Vulnerable Package
CVE-2021-23406	Npm-pac-resolver-2.0.0	details Recommended version: 5.0.0 Description: This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The f... Attack Vector: NETWORK Attack Complexity: LOW `ID: pwtIZQTapn9H0hXl5vNroCyOZW71RzP%2BiribRDUD3sc%3D` Vulnerable Package
CVE-2021-23406	Npm-degenerator-1.0.4	details Recommended version: 3.0.1 Description: This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The f... Attack Vector: NETWORK Attack Complexity: LOW `ID: Qstn7RbOODv7Itm83r5xTBDCJcE%2Bc7ouWjbqqvZ5eLo%3D` Vulnerable Package
CVE-2021-23440	Npm-set-value-2.0.0	details Recommended version: 2.0.1 Description: This affects the package "set-value" prior to 2.0.1, prior to 3.0.3, and prior to 4.0.1. A Type Confusion vulnerability can lead to a bypass of CVE... Attack Vector: NETWORK Attack Complexity: LOW `ID: FMlb%2BTEssYDV5KzQYzq7lg0QaqLfM7mn%2B%2F6eDFQQ85Q%3D` Vulnerable Package
CVE-2021-23440	Npm-set-value-0.4.3	details Recommended version: 2.0.1 Description: This affects the package "set-value" prior to 2.0.1, prior to 3.0.3, and prior to 4.0.1. A Type Confusion vulnerability can lead to a bypass of CVE... Attack Vector: NETWORK Attack Complexity: LOW `ID: p4DKi5bJGUFlPw5govfTkkySOSYb38oQtrQjl6%2Bie5Y%3D` Vulnerable Package
CVE-2021-23555	Npm-vm2-3.5.0	details Recommended version: 3.9.6 Description: The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation... Attack Vector: NETWORK Attack Complexity: LOW `ID: 1rqMvIW6eYqMGPI2DT2Sg5LHXp8foaRRxc2HjE%2Bk7Gs%3D` Vulnerable Package
CVE-2021-23555	Npm-vm2-3.6.0	details Recommended version: 3.9.6 Description: The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation... Attack Vector: NETWORK Attack Complexity: LOW `ID: JeoZlLopEOkd7Sk8OUJ56mwim%2FwDDYG9h8RJq4HsAeg%3D` Vulnerable Package
CVE-2021-23807	Npm-jsonpointer-4.0.1	details Recommended version: 5.0.0 Description: A type confusion vulnerability in jsonpointer can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. Th... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2FNzAr26LtyKYj4ohUplf9XrxO3xXlC2pDrIq8BgatqA%3D` Vulnerable Package
CVE-2021-28918	Npm-netmask-1.0.6	details Recommended version: 2.0.1 Description: Improper input validation of octal strings in netmask npm package up to 1.1.0 allows unauthenticated remote attackers to perform indeterminate SSRF... Attack Vector: NETWORK Attack Complexity: LOW `ID: FX44wd2FAAvPw%2B4tCZ%2BF%2Bn2hy6JGGELmmNQd3%2BD4dy0%3D` Vulnerable Package
CVE-2021-31597	Npm-xmlhttprequest-ssl-1.5.5	details Recommended version: 1.6.2 Description: The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the proper... Attack Vector: NETWORK Attack Complexity: LOW `ID: OS3G4v4Ce43pFXgC3ScWndHAK%2BC%2F%2B4dz1QoO9M4Zf9I%3D` Vulnerable Package
CVE-2021-3918	Npm-json-schema-0.2.3	details Recommended version: 0.4.0 Description: json-schema before 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Attack Vector: NETWORK Attack Complexity: LOW `ID: Yb0J%2FWkPc8bDebcoxSCW%2FxzSS50SWJLrP3ZsfzwBEzg%3D` Vulnerable Package
CVE-2021-42740	Npm-shell-quote-1.6.1	details Recommended version: 1.7.3 Description: The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex de... Attack Vector: NETWORK Attack Complexity: LOW `ID: 2dYXMTgM%2FuodaBiTBQQRbZW8g52cKgRYUT2bYQ%2F0VSw%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.1.9	details Recommended version: 1.5.9 Description: Authorization Bypass through User-Controlled Key in NPM url-parse prior to 1.5.8. When no port number is provided in the "url", url-parse is unable... Attack Vector: NETWORK Attack Complexity: LOW `ID: E%2F9Vzrukdh8wd7vYV2mWa6mTmCCZXXsARojHBAKW1sg%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.4.4	details Recommended version: 1.5.9 Description: Authorization Bypass through User-Controlled Key in NPM url-parse prior to 1.5.8. When no port number is provided in the "url", url-parse is unable... Attack Vector: NETWORK Attack Complexity: LOW `ID: F5srvrwnhZ6u9yfsGT%2F6djy5lG06dK0rtQZ21K5kPDg%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.1.8	details Recommended version: 1.5.9 Description: Authorization Bypass through User-Controlled Key in NPM url-parse prior to 1.5.8. When no port number is provided in the "url", url-parse is unable... Attack Vector: NETWORK Attack Complexity: LOW `ID: iyJ2jlARholCh8jgjclCkQKmAXD5L8grhp1Dj0q71hA%3D` Vulnerable Package
CVE-2022-0686	Npm-url-parse-1.0.5	details Recommended version: 1.5.9 Description: Authorization Bypass through User-Controlled Key in NPM url-parse prior to 1.5.8. When no port number is provided in the "url", url-parse is unable... Attack Vector: NETWORK Attack Complexity: LOW `ID: N4mXHbsk%2Facruv9Y6%2FGq%2BXqgEZCkgcdPwNB8SnGfQpw%3D` Vulnerable Package
CVE-2022-25893	Npm-vm2-3.6.0	details Recommended version: 3.9.10 Description: The package vm2 prior to 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the ''WeakMap.prototype.set'' me... Attack Vector: NETWORK Attack Complexity: LOW `ID: JJdS8%2FGx71kaU5v1seg0HDoq3nsFEU7Bm0pfo7rf4U8%3D` Vulnerable Package
CVE-2022-25893	Npm-vm2-3.5.0	details Recommended version: 3.9.10 Description: The package vm2 prior to 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the ''WeakMap.prototype.set'' me... Attack Vector: NETWORK Attack Complexity: LOW `ID: t5SsqqQrRDExuur57Hh5ewtZ%2FQ6dZIRmsP0kVIn5Hi4%3D` Vulnerable Package
CVE-2022-37611	Npm-gh-pages-1.1.0	details Recommended version: 5.0.0 Description: Prototype pollution vulnerability in the package gh-pages versions 0.2.0 through 4.0.0 via the "partial" variable in "util.js". Attack Vector: NETWORK Attack Complexity: LOW `ID: ROh2uaUNMXdxclyQF0egqMKsz1pKlYBt86ocibkpVAE%3D` Vulnerable Package
CVE-2023-29017	Npm-vm2-3.5.0	details Recommended version: 3.9.15 Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host ... Attack Vector: NETWORK Attack Complexity: LOW `ID: Fl4BQ7HRJwl1DHkGU%2Fc3iOUWWtNAWsfuqG3QlGGwE%2FU%3D` Vulnerable Package
CVE-2023-29017	Npm-vm2-3.6.0	details Recommended version: 3.9.15 Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host ... Attack Vector: NETWORK Attack Complexity: LOW `ID: WDtHt0QI%2B8XwyDOV%2FjBzAzZKhHmKteibv7Yadq6Qzs0%3D` Vulnerable Package
CVE-2023-30547	Npm-vm2-3.6.0	details Recommended version: 3.9.17 Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm... Attack Vector: NETWORK Attack Complexity: LOW `ID: 3wmFaO5pwJEOc0phCuD5BsIlgIm6f13DFm%2BLNoYg0JQ%3D` Vulnerable Package
CVE-2023-30547	Npm-vm2-3.5.0	details Recommended version: 3.9.17 Description: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm... Attack Vector: NETWORK Attack Complexity: LOW `ID: EByTQRs2mUOYpusgFMl5xbjXC3syTi46PInUYRBWzWg%3D` Vulnerable Package
CVE-2023-32314	Npm-vm2-3.5.0	details Recommended version: 3.9.18 Description: The NPM package "vm2" is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 in versio... Attack Vector: NETWORK Attack Complexity: LOW `ID: 20s5NThbQQXZ%2FaOmMeh7E14u58EewJbS6lEQUnCYoyg%3D` Vulnerable Package
CVE-2023-32314	Npm-vm2-3.6.0	details Recommended version: 3.9.18 Description: The NPM package "vm2" is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 in versio... Attack Vector: NETWORK Attack Complexity: LOW `ID: 3hiSkYE3ULrN244ednPdgCoj7Okl15ePuG%2FClBSHXFc%3D` Vulnerable Package
CVE-2023-37903	Npm-vm2-3.5.0	details Description: vm2 is an open source vm/sandbox for Node.js. In vm2 for all versions ,Node.js custom inspect function allows attackers to escape the sandbox and r... Attack Vector: NETWORK Attack Complexity: LOW `ID: 15VNyaZPtzLJicSXRjAoMEB1zsS2Ykxv45OGkT3h8wM%3D` Vulnerable Package
CVE-2023-37903	Npm-vm2-3.6.0	details Description: vm2 is an open source vm/sandbox for Node.js. In vm2 for all versions ,Node.js custom inspect function allows attackers to escape the sandbox and r... Attack Vector: NETWORK Attack Complexity: LOW `ID: C5pHLSUjIFw7Opc4hG5r02yBO7NWPpxHEY4trGSqmAo%3D` Vulnerable Package
CVE-2023-42282	Npm-ip-1.0.1	details Description: An issue in NPM ip package 0.0.2 through 2.0.1 allows an attacker to execute arbitrary code and obtain sensitive information via the "isPublic()" f... Attack Vector: NETWORK Attack Complexity: LOW `ID: nCzY%2BbkCkpRM9z0xsMRLGDjImPsieEtN1IsRuSOhsKA%3D` Vulnerable Package
CVE-2023-42282	Npm-ip-1.1.9	details Description: An issue in NPM ip package 0.0.2 through 2.0.1 allows an attacker to execute arbitrary code and obtain sensitive information via the "isPublic()" f... Attack Vector: NETWORK Attack Complexity: LOW `ID: ry0l1C09v2iJmkQ6VWRqra%2BJEcoZXGJHrKh%2FmB7eNpg%3D` Vulnerable Package
CVE-2023-42282	Npm-ip-1.1.5	details Description: An issue in NPM ip package 0.0.2 through 2.0.1 allows an attacker to execute arbitrary code and obtain sensitive information via the "isPublic()" f... Attack Vector: NETWORK Attack Complexity: LOW `ID: Y0H8nVGXonFKH%2BaruC87ETHjBJJyMkrCKHmVihgihns%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.1.3	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 0T569bcEg8yzO1%2Bz%2FuYfM7DnmrxIs1wPS72W0gEukk4%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.1.1	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 3iWijVKEDILnVaQsI7UXEBtt8skRJWVz0JjZk2GYsR8%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.2.8	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 8%2BTcyKw8Bb1tSwuwUaOIN7noh%2BVDYGs2S5AS2KScbcw%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.1.2	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: GNUvqX3PnYwOnU7cRI5G%2FX0CmHeTfQYXB3zDxI6JsoY%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.2.7	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: xMvQScxFm4Ojcqv8y3jqvqHEzx9ZiQvoXL1FTBB74BI%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.2.4	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: xynv%2FmgDuRSVYSt8ZpQGcME02GtHrJXsvKCAlAtIqA8%3D` Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: In the elliptic package, "ECDSA" signature malleability occurs because "BER-encoded" signatures are allowed which leads to Improper Verification of... Attack Vector: NETWORK Attack Complexity: LOW `ID: Dz9S4jzRQcHjzyl3uT3BdUH5TC6Y%2Fkb5xJziY4E9JMg%3D` Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.4.1	details Recommended version: 6.6.1 Description: In the elliptic package, "ECDSA" signature malleability occurs because "BER-encoded" signatures are allowed which leads to Improper Verification of... Attack Vector: NETWORK Attack Complexity: LOW `ID: kv7NK6SH2vkxZEW6XOMvLsIjhQHriL0z0wY%2B1uDINmo%3D` Vulnerable Package
CVE-2025-25200	Npm-koa-2.7.0	details Recommended version: 2.16.1 Description: Koa is expressive middleware for Node.js using `ES2017` async functions. Versions prior to 0.21.2, 1.x prior to 1.7.1, 2.x prior to 2.15.4, and 3.x... Attack Vector: NETWORK Attack Complexity: LOW `ID: VuAleQAAINbMxxVVjE0qi8KGWwEYS0d1uJVrjbYTWjc%3D` Vulnerable Package
Cx35ef42d7-054c	Npm-ejs-2.5.7	details Recommended version: 3.1.10 Description: ejs package before 3.1.6 is vulnerable to arbitrary code injection. The vulnerability exists due to improper input validation passed via the option... Attack Vector: NETWORK Attack Complexity: LOW `ID: cFgLdtjmTV7ocb%2FmazfQS%2BcULfi5Q2g9qE25zp%2F5r3E%3D` Vulnerable Package
Cx35ef42d7-054c	Npm-ejs-2.6.1	details Recommended version: 3.1.10 Description: ejs package before 3.1.6 is vulnerable to arbitrary code injection. The vulnerability exists due to improper input validation passed via the option... Attack Vector: NETWORK Attack Complexity: LOW `ID: TCjRTs5QkUGDWkLI%2FcjJfoh81rMGdxNjLmkephhE95Y%3D` Vulnerable Package
Cx6f6f1276-7a2e	Npm-tar-4.3.3	details Recommended version: 6.2.1 Description: Tar is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file th... Attack Vector: NETWORK Attack Complexity: LOW `ID: GNd5YP1NNFGDMYrgu3%2B4QxfXQnLxmT6i2IVPNZNz3n0%3D` Vulnerable Package
Cx6f6f1276-7a2e	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: Tar is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file th... Attack Vector: NETWORK Attack Complexity: LOW `ID: oI3yNPmGntK6anuwWIUgcuzZu1er1mAo28gqvtFuZUo%3D` Vulnerable Package
Cx6f6f1276-7a2e	Npm-tar-4.4.1	details Recommended version: 6.2.1 Description: Tar is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file th... Attack Vector: NETWORK Attack Complexity: LOW `ID: qjXLOcM%2FHtsheDkRo8EhIjJeuJqN7tamR6MaLDm8DPU%3D` Vulnerable Package
Cx9fce0189-774f	Npm-handlebars-4.0.10	details Recommended version: 4.7.7 Description: handlebars before 3.0.7 and 4.0.x before 4.0.13 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an ... Attack Vector: NETWORK Attack Complexity: LOW `ID: A%2BL0MAA%2B9zIogbpgOQcnpIV6zGVJn%2FyTuXau9Z8sgVg%3D` Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.10.0	details Recommended version: 3.13.1 Description: js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objec... Attack Vector: NETWORK Attack Complexity: LOW `ID: ce7xi2PsHL0jvL7LogwwgnYEV8vFkhJOpabsOM8Sg4A%3D` Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.12.1	details Recommended version: 3.13.1 Description: js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objec... Attack Vector: NETWORK Attack Complexity: LOW `ID: gc7FiydWFuLkvSU549O9scqsQJ2d9HmWud%2BPiE%2FgAIM%3D` Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.12.0	details Recommended version: 3.13.1 Description: js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objec... Attack Vector: NETWORK Attack Complexity: LOW `ID: kjuHBXKX54VVF%2Fas%2BREB51104ihSdd5xPL2oYq%2BO2D4%3D` Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.7.0	details Recommended version: 3.13.1 Description: js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objec... Attack Vector: NETWORK Attack Complexity: LOW `ID: rYZytvOZWsdAMXDwaKKxcMhy35gz5bZoeQ3nnlkFhhM%3D` Vulnerable Package
Cxcc09496a-59c8	Npm-js-yaml-3.8.2	details Recommended version: 3.13.1 Description: js-yaml is vulnerable to Code Injection before 3.13.1. The load() function may execute arbitrary code injected through a malicious YAML file. Objec... Attack Vector: NETWORK Attack Complexity: LOW `ID: wExdWeLe%2FpRKRMe792a%2FV5%2B962FJ2EvFql5b%2Fe3ee%2Fg%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-2.3.3	details Recommended version: 6.2.4 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: J%2BZRzalbI7YkAgyizHAoDkzd%2B9t0qwOD166wHqxdc0w%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.2.0	details Recommended version: 6.2.4 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: KLBqWWkd5xw%2FAm21ssadHjsPxGRYyV3%2FmOOJ2vqLDTY%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.3.1	details Recommended version: 6.3.3 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: MjTWqTykQWcfeYweh06%2BLoQjYiMZgr%2BxVYCXMInZUv0%3D` Vulnerable Package
CVE-2017-10687	Npm-node-sass-4.5.3	details Recommended version: 4.8.1 Description: In LibSass 3.4.5, and 3.5.0.beta.1 through 3.5.0.beta.3 there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp.... Attack Vector: NETWORK Attack Complexity: LOW `ID: DRHgvbXGyZGcWpp2kVxwzIxg78EPdQMbNTqjXW%2FU0bg%3D` Vulnerable Package
CVE-2017-11341	Npm-node-sass-4.5.3	details Recommended version: 4.8.1 Description: There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5, and 3.5.0.beta.1 through 3.5.0.beta.3. A crafted input will lead to a remote ... Attack Vector: NETWORK Attack Complexity: LOW `ID: ZVMLHuBs9uABNiQNoGGmzGr5qHPdeHyX2WXhn8hpcNY%3D` Vulnerable Package
CVE-2017-11554	Npm-node-sass-4.5.3	details Recommended version: 4.8.1 Description: There is a stack consumption vulnerability in the lex function in "parser.hpp" (as used in sassc) in LibSass 3.4.5, and 3.5.0.beta.1 through 3.5.0.... Attack Vector: NETWORK Attack Complexity: LOW `ID: MJ%2B0E50yxkZngCC8sV6Rtmjh4OXMAxZMjvydTHqTqOg%3D` Vulnerable Package
CVE-2017-11556	Npm-node-sass-4.5.3	details Recommended version: 4.8.1 Description: There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass prior to 3.5.0. A crafted input may ... Attack Vector: NETWORK Attack Complexity: LOW `ID: sWKnPcExTy3UnqTVrh0MINE7xD9BWpFTylhuXkXtE%2BQ%3D` Vulnerable Package
CVE-2017-12962	Npm-node-sass-4.5.3	details Recommended version: 4.8.1 Description: There are memory leaks in LibSass 3.4.5, and 3.5.0.beta.1 through 3.5.0.beta.3, triggered by deeply nested code, such as code with a long sequence ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 9TlbOPDBgHZcV1gSSnLwLbfddGpbWgzfiBqS%2BeJgrx8%3D` Vulnerable Package
CVE-2017-12964	Npm-node-sass-4.5.3	details Description: There is a stack consumption issue in all versions of LibSass, that is triggered in the function "Sass::Eval::operator()" in "eval.cpp". It will le... Attack Vector: NETWORK Attack Complexity: LOW `ID: WIK3V2o6cfx97HT4uXjZG%2BWckdYWnYkaOwQKWPdok20%3D` Vulnerable Package
CVE-2017-15010	Npm-tough-cookie-2.3.2	details Recommended version: 4.1.3 Description: A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make... Attack Vector: NETWORK Attack Complexity: LOW `ID: uVlOJYzP2d%2B3%2BwWDshhp8XCueFRaGR8Z8jdVLroJgw0%3D` Vulnerable Package
CVE-2017-16032	Npm-brace-expansion-1.1.6	details Recommended version: 1.1.7 Description: Brace-expansion is vulnerable to a Regular Expression Denial of Service (ReDoS) condition in versions prior to 1.1.7. Attack Vector: NETWORK Attack Complexity: LOW `ID: Jz%2Fbx9XMhIqfwNxJuYghm052tVbq%2BeMSuTIJrTZgLZg%3D` Vulnerable Package
CVE-2017-16118	Npm-forwarded-0.1.0	details Recommended version: 0.1.2 Description: The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of s... Attack Vector: NETWORK Attack Complexity: LOW `ID: EG29HO%2F6Qkksi3xzSNeiQEprC9LZTv7cIesgGSuJN2U%3D` Vulnerable Package
CVE-2017-16119	Npm-fresh-0.3.0	details Recommended version: 0.5.2 Description: Fresh is a module used by the Express.js framework for HTTP response freshness testing. Prior to v0.5.2 it is vulnerable to a regular expression de... Attack Vector: NETWORK Attack Complexity: LOW `ID: I0fH%2FyMZAVD%2FBM1XizvONaF8Rwdp%2FkTR3j04aY7sd1M%3D` Vulnerable Package
CVE-2017-16119	Npm-fresh-0.5.1	details Recommended version: 0.5.2 Description: Fresh is a module used by the Express.js framework for HTTP response freshness testing. Prior to v0.5.2 it is vulnerable to a regular expression de... Attack Vector: NETWORK Attack Complexity: LOW `ID: pT8Iwjt7tjurCDrCPkebgT6tmdV88D25EsRO1FQ%2BGmw%3D` Vulnerable Package

More results are available on the CxOne platform

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps-dev): bump webpack-dev-server from 3.3.1 to 5.2.1 #160

build(deps-dev): bump webpack-dev-server from 3.3.1 to 5.2.1 #160

Uh oh!

dependabot bot commented on behalf of github Jun 6, 2025

Uh oh!

ibcheckmarx commented Jun 6, 2025

Uh oh!

Uh oh!

build(deps-dev): bump webpack-dev-server from 3.3.1 to 5.2.1 #160

Are you sure you want to change the base?

build(deps-dev): bump webpack-dev-server from 3.3.1 to 5.2.1 #160

Uh oh!

Conversation

dependabot bot commented on behalf of github Jun 6, 2025

v5.2.1

5.2.1 (2025-03-26)

Security

Bug Fixes

v5.2.0

5.2.0 (2024-12-11)

Features

Bug Fixes

v5.1.0

5.1.0 (2024-09-03)

Features

Bug Fixes

v5.0.4

5.0.4 (2024-03-19)

5.2.1 (2025-03-26)

Security

Bug Fixes

5.2.0 (2024-12-11)

Features

Bug Fixes

5.1.0 (2024-09-03)

Features

Bug Fixes

5.0.4 (2024-03-19)

Bug Fixes

Uh oh!

ibcheckmarx commented Jun 6, 2025

Uh oh!

Uh oh!