CVE-2018-14732 describes a vulnerability in webpack-dev-server<3.1.11
by which attackers are able to steal developers’ code. The vulnerability
is classified as “HIGH severity” under the CVSS v3.0 score.
A patch has been released and included in version 3.1.11.
However, version 3.1.11 of the package requires webpack>=4, which
entails significant breaking changes from Webpack 3 and prior versions,
as well as major version bumps to transitive peer dependencies,
including @babel/core^7. It is not trivial for users of the 2.x
series to upgrade to a patched version of webpack-dev-server.
As such, please backport the fix to version 2 and release a new version,
to protect the security of users who are unable to upgrade.
Thank you for the hard work that you put into developing and maintaining
this library. We appreciate it.
The webpack-dev-server contains other security fixes (some of them are not public). We strongly recommend updating webpack-dev-server to the latest version, because a backport solves only one security problem. You may receive a new vulnerability report at any time. Also, version 2 is not maintained. Sorry, it is better to spend the time to update.