Skip to content

Backport security fixes from v5.2.1 to v4 #5515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nikwen opened this issue Jun 8, 2025 · 1 comment
Open

Backport security fixes from v5.2.1 to v4 #5515

nikwen opened this issue Jun 8, 2025 · 1 comment

Comments

@nikwen
Copy link

nikwen commented Jun 8, 2025

Modification Proposal

Some projects are stuck on webpack-dev-server v4 because they have to support old Node.js versions.

v4 is still used by a large number of users. During the last 7 days, v4.15.2 alone received 3,356,309 downloads.

Expected Behavior / Situation

It would be great to have the security fixes from v5.2.1 backported to v4 and released as v4.15.3.

Actual Behavior / Situation

v4 currently does not have the security fixes. Millions of users are exposed to security vulnerabilities.

Please paste the results of npx webpack-cli info here, and mention other relevant information

  System:
    OS: macOS 15.5
    CPU: (8) arm64 Apple M1
    Memory: 212.97 MB / 16.00 GB
  Binaries:
    Node: 22.16.0 - /usr/local/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 10.9.2 - /usr/local/bin/npm
  Browsers:
    Brave Browser: 118.1.59.122
    Chrome: 137.0.7151.69
    Safari: 18.5
@MrBMT
Copy link

MrBMT commented Jun 9, 2025

There's already a PR for this: #5514 though it looks like there may be further changes needed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nikwen @MrBMT