Skip to content

Releases: webpack/webpack-dev-server

v6.0.0

Choose a tag to compare

@github-actions github-actions released this 03 Jul 03:21
05cb792

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @bjohansebas in #5674)

  • Update webpack-cli to v7.0.2. (by @bjohansebas in #5674)

v5.2.6

Choose a tag to compare

@github-actions github-actions released this 02 Jul 19:43
8a37b0e

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options
    argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @bjohansebas in #5699)

v5.2.5

Choose a tag to compare

@github-actions github-actions released this 12 Jun 21:39
c3ee325

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @bjohansebas in #5680)

v5.2.4

Choose a tag to compare

@alexander-akait alexander-akait released this 11 May 16:44

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

Choose a tag to compare

@alexander-akait alexander-akait released this 12 Jan 16:30

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

v5.2.2

Choose a tag to compare

@alexander-akait alexander-akait released this 03 Jun 15:53

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

Choose a tag to compare

@alexander-akait alexander-akait released this 26 Mar 23:07

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP addresses in the Origin header are not allowed to connect to WebSocket server unless configured by allowedHosts or it different from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered as fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

Choose a tag to compare

@alexander-akait alexander-akait released this 11 Dec 13:32

5.2.0 (2024-12-11)

Features

  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

  • speed up initial client bundling (145b5d0)

v5.1.0

Choose a tag to compare

@alexander-akait alexander-akait released this 03 Sep 18:01

5.1.0 (2024-09-03)

Features

  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

v4.15.2

Choose a tag to compare

@alexander-akait alexander-akait released this 20 Mar 15:40

4.15.2 (2024-03-20)

Bug Fixes

  • security: bump webpack-dev-middleware (4116209)