Please backport CVE-2018-14732 security fix to 2.x #1620
CVE-2018-14732 describes a vulnerability in webpack-dev-server<3.1.11
by which attackers are able to steal developers’ code. The vulnerability
is classified as “HIGH severity” under the CVSS v3.0 score.
A patch has been released and included in version 3.1.11.
However, version 3.1.11 of the package requires webpack>=4, which entails
significant breaking changes from Webpack 3 and prior versions,
as well as major version bumps to transitive peer dependencies,
including @babel/core^7. It is not trivial for users of the 2.x series
to upgrade to a patched version of webpack-dev-server.
As such, please backport the fix to version 2 and release a new version,
to protect the security of users who are unable to upgrade.
Thank you for the hard work that you put into developing and maintaining
this library. We appreciate it.