Skip to content

Releases: webpack/webpack-dev-server

v2.4.3

22 Apr 10:03
@sokra sokra
v2.4.3
ca93284
Compare
Choose a tag to compare
v2.4.3

Security fix:

This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affect the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

  • Requests are not blocked when Host doesn't match listening host or public option.
  • Requests to localhost or 127.0.0.1 are not blocked.

Features:

  • Added disableHostCheck option to disable the host check
Loading

v1.16.4

22 Apr 10:06
@sokra sokra
v1.16.4
da20bc2
Compare
Choose a tag to compare
v1.16.4

Security fix:

This version contains a security fix, which is also breaking change if you have an insecure configuration.
We are releasing this breaking change as patch version to protect you from attacks.
Sorry if this breaks your setup, but the fix is easy.

We added a check for the correct Host header to the webpack-dev-server.
This allowed evil websites to access your assets.

The Host header of the request have to match the listening adress or the host provided in the public option.
Make sure to provide correct values here.

The response will contain a note when using an incorrect Host header.

For usage behind a Proxy or similar setups we also added a disableHostCheck option to disable this check.
Only use it when you know what you do. Not recommended.

This version also includes this security fix for webpack-dev-middleware: https://github.com/webpack/webpack-dev-middleware/releases/tag/v1.10.2

Note: This only affect the development server and middleware. webpack and built bundles are not affected.

Credits to Ed Morley from Mozilla for reporting the issue.

Bugfixes:

  • Requests are not blocked when Host doesn't match listening host or public option.
  • Requests to localhost or 127.0.0.1 are not blocked.

Features:

  • Added disableHostCheck option to disable the host check
Loading

v2.4.2

14 Mar 10:35
@SpaceK33z SpaceK33z
v2.4.2
60e4727
Compare
Choose a tag to compare
v2.4.2
  • Properly close CLI when SIGINT or SIGTERM is called. This should fix some Docker issues (#787).
  • Fix for entry not working when it was a function (#802).
  • Fix for exception when using webpack-dev-server in a webworker (#813).
  • Fix refresh loop that could happen on Firefox (#841).
  • contentBase as an array did not work when used via CLI (#832).
  • Proxy options were mutated, so this could lead to problems when re-using them (#836).
Loading

v2.4.1

19 Feb 22:15
@SpaceK33z SpaceK33z
v2.4.1
50ab2f0
Compare
Choose a tag to compare
v2.4.1
  • After fixing a warning/error, the overlay was not always cleared correctly (3cb79bd).
Loading

v2.4.0

19 Feb 12:00
@SpaceK33z SpaceK33z
v2.4.0
3f7c9f7
Compare
Choose a tag to compare
v2.4.0
  • contentBase: false in combination with the historyApiFallback option threw an error (#791).
  • Separate logic of adding entry points to the webpack config; this allows alternative implementations like the webpack grunt plugin to use this instead of copying the code (#782).
  • Update SockJS dependency to fix issue with FireFox constantly refreshing the page (#762).
  • Show clear error message when --open fails to open the browser (#780).
  • Allow overlay option to also show compiler warnings (off by default) (#790):
overlay: {
  errors: true,
  warnings: true
}
Loading

v2.3.0

03 Feb 15:16
@SpaceK33z SpaceK33z
v2.3.0
04eafa5
Compare
Choose a tag to compare
v2.3.0
  • Add new fancy error overlay in-browser, which shows up when there are compilation errors. Disabled by default, add overlay: true to enable (#764)!
  • If you use --open and options.public, the browser will now open the same URL as you have defined in public (#749).
  • options.port now allows strings to be passed in, previously only integers were accepted (#766).
Loading

v1.16.3

31 Jan 22:19
@SpaceK33z SpaceK33z
v1.16.3
22c34b2
Compare
Choose a tag to compare
v1.16.3

Probably the last release in the v1.x range:

  • Backport support for webpack config as a Promise.
Loading

v2.2.0

17 Jan 22:37
@SpaceK33z SpaceK33z
v2.2.0
7e18f6a
Compare
Choose a tag to compare
v2.2.0

First webpack-dev-server 2 release

Following the webpack 2 release.
It's equal to the last RC.

If you're curious about the highlights, read this fancy Medium post.

Loading

v2.2.0-rc.0

15 Dec 20:04
@SpaceK33z SpaceK33z
v2.2.0-rc.0
00bdcd5
Compare
Choose a tag to compare
v2.2.0-rc.0 Pre-release
Pre-release
  • Allow latest webpack 2.2.0-rc.0 as peer dependency (#714).
Loading

v2.1.0-beta.12

25 Nov 09:51
@SpaceK33z SpaceK33z
v2.1.0-beta.12
1f60309
Compare
Choose a tag to compare
v2.1.0-beta.12 Pre-release
Pre-release
  • beta.11 prevented the page from reloading when there was an error or a warning. Now it will only prevent a reload when there are errors, since you can ignore warnings (#697).
  • beta.11 introduced configuration validation. There was a small error that prevented clientLogLevel: "none" from working (#693).
  • Fix startup information not using colors in some cases (8a4b070).
Loading