CVE-2018-14732: webpack-dev-server vulnerability
This change updates webpack-dev-server to 3.1.11

> CVE-2018-14732
>
> Severity low
> Vulnerable versions: < 3.1.11
> Patched version: 3.1.11
> An issue was discovered in lib/Server.js in webpack-dev-server before
> 3.1.11. Attackers are able to steal developer's code because the origin
> of requests is not checked by the WebSocket server, which is used for
> HMR (Hot Module Replacement). Anyone can receive the HMR message sent by
> the WebSocket server via a ws://127.0.0.1:8080/ connection from any
> origin.

Warning! This is based off the WS-2019-0100 branch since both change
things in package.json. That change was lower risk so I based these
changes off of it. I am having problems with some parts of the app so I
am not entirely confident these changes don't break anything. I will
work with someone to either help fix my dev environment or test on their
machine.
csexton committed Jun 1, 2019
1 parent ec5015d commit d21bb69
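
The advisory quoted in the commit message attributes the issue to the WebSocket server not checking the origin of requests. As an added example (not code from this commit or from webpack-dev-server), this is an Origin allowlist check applied to an HTTP upgrade request before it reaches a WebSocket server; `ALLOWED_HOSTS`, `originAllowed` and `guardUpgrade` are hypothetical names, and rejecting requests without an Origin header is an assumed policy.

```javascript
// Added example: gate WebSocket upgrades on the Origin header.
// ALLOWED_HOSTS and both function names are assumptions for illustration.
const ALLOWED_HOSTS = new Set(['localhost:8080', '127.0.0.1:8080']);

// Returns true only when Origin parses as http(s) and its host:port is allowlisted.
function originAllowed(headers, allowedHosts = ALLOWED_HOSTS) {
  const origin = headers.origin;
  // Browsers send Origin on WebSocket handshakes; a missing or opaque ("null")
  // origin is rejected here (assumed policy for a dev server).
  if (typeof origin !== 'string' || origin === 'null') return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // malformed Origin, e.g. a look-alike with an invalid port
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  // URL lowercases the host, so this is an exact host:port comparison,
  // not a prefix or substring match.
  return allowedHosts.has(parsed.host);
}

// Intended for server.on('upgrade', (req, socket, head) => guardUpgrade(req, socket, next)).
// Calls next() only for allowed origins; otherwise answers 403 and closes the socket.
function guardUpgrade(req, socket, next) {
  if (!originAllowed(req.headers)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  next();
  return true;
}
```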
Showing 2 changed files with 689 additions and 354 deletions.
2 changes: 1 addition & 1 deletion rails/package.json
Expand Up @@ -20,7 +20,7 @@
"devDependencies": {
"jest": "^23.6.0",
"react-testing-library": "^6.0.3",
"webpack-dev-server": "2.11.2"
"webpack-dev-server": ">=3.1.11"
},
"jest": {
"setupFiles": [
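Review bot: the new `"webpack-dev-server": ">=3.1.11"` specifier has no upper bound, so a later install can resolve to any future major version, whereas the line it replaces pinned an exact version (`"2.11.2"`). Suggest `"^3.1.11"` or an exact `"3.1.11"`; either still excludes the vulnerable range (< 3.1.11) named in the commit message. Since this is already a jump from 2.x to 3.x and the commit message says the change is not fully tested, a bounded range keeps the upgrade to the one step being verified.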