Releases: webpack/webpack-dev-server
Release list
v6.0.0
Major Changes
-
Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @bjohansebas in #5674)
-
Bump the
webpackpeer dependency range from^5.0.0to^5.101.0. (by @bjohansebas in #5674) -
Drop support for Node.js < 22.15.0. (by @bjohansebas in #5674)
-
Convert the source to native ES modules. The package keeps
"type": "module"and now exposes both an ESM and a CommonJS build via theexportsfield: ESM consumersimportthe nativelib/, while CommonJS consumersrequire()a transpileddist/build — so the package works from both ESM and CommonJS, including environments whererequire(ESM)is not supported. (by @bjohansebas in #5674) -
Remove CLI flags. Use the
servecommand fromwebpack-clitogether with a configuration file or the programmatic API instead. (by @bjohansebas in #5674) -
Remove the
internalIPandinternalIPSyncstatic methods fromServer. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674) -
Remove the
bypassoption from proxy configuration. Use therouterorcontextoptions provided byhttp-proxy-middlewareinstead. (by @bjohansebas in #5674) -
Remove SockJS support. The
webSocketServeroption no longer accepts"sockjs"; use the default"ws"transport instead. (by @bjohansebas in #5674) -
Remove the
spdydependency. Use the built-innode:http2module via theserveroption for HTTP/2 support. (by @bjohansebas in #5674) -
Update
http-proxy-middlewareto v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @bjohansebas in #5674) -
Update
webpack-dev-middlewareto v8 and syncoriginalUrlfor middleware compatibility.server.middleware.getFilenameFromUrl()is now asynchronous and resolves to{ filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)
Minor Changes
-
Add plugin support.
webpack-dev-servercan now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supportingMultiCompilersetups with multiple independent plugin servers. (by @bjohansebas in #5674) -
Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)
-
Remove the
colorettedependency in favor of native ANSI styling. (by @bjohansebas in #5674) -
Update
chokidarto v5 and extendwatchFiles.options.ignoredto support glob string patterns viatinyglobby. (by @bjohansebas in #5674) -
Use
compiler.platformto determine the target environment instead of inspecting the resolvedtargetstring. Universal targets ("universal"or["web", "node"], wherecompiler.platform.universalistruesince webpack5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674) -
Use the WHATWG
URLAPI instead of the deprecatedurl.parse. (by @bjohansebas in #5674)
Patch Changes
-
Bump production dependencies, notably
opento v11 andp-retryto v8. (by @bjohansebas in #5674) -
Reject cross-site requests to the internal
open-editorandinvalidateendpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated viaSec-Fetch-Sitewith anOrigin/Hostfallback. (by @bjohansebas in #5691) -
Treat loopback aliases (
127.0.0.1,::1,localhost) as equivalent inisSameOriginso the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674) -
Migrate the test suite from Jest to
node:testand set up the jsdom environment. (by @bjohansebas in #5674) -
Update
webpack-clito v7.0.2. (by @bjohansebas in #5674)
v5.2.6
Patch Changes
-
fix: allow
undefinedas theServerconstructoroptionsargument again (by @bjohansebas in #5695)Restores accepting
undefined(defaulting it to{}) for theoptions
argument, so passing a webpack config's optionaldevServerfield type-checks and works as before. -
Protect the built-in state-changing routes (
/webpack-dev-server/invalidateand/webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked withSec-Fetch-Site(falling back to anOrigin/Hostcomparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @bjohansebas in #5698) -
Handle malformed
HostandOriginheader values gracefully when validating requests. (by @bjohansebas in #5699)
v5.2.5
Patch Changes
- Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @bjohansebas in #5680)
v5.2.4
5.2.4 (2026-05-11)
Bug Fixes
- set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP
v5.2.3
v5.2.2
v5.2.1
5.2.1 (2025-03-26)
Security
- cross-origin requests are not allowed unless allowed by
Access-Control-Allow-Originheader - requests with an IP addresses in the
Originheader are not allowed to connect to WebSocket server unless configured byallowedHostsor it different from theHostheader
The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.
Bug Fixes
v5.2.0
v5.1.0
5.1.0 (2024-09-03)
Features
- add visual progress indicators (a8f40b7)
- added the
appoption to beFunction(by default only withconnectcompatibility frameworks) (3096148) - allow the
serveroption to beFunction(#5275) (02a1c6d) - http2 support for
connectandconnectcompatibility frameworks which support HTTP2 (#5267) (6509a3f)