webpack / webpack-dev-server

Serves a webpack app. Updates the browser on changes. Documentation https://webpack.js.org/configuration/dev-server/.

Urgent: Potential Security Vulnerabilities Detected in 'webpack-dev-server' Package

davidz1337 opened this issue

Dear Team,

I trust this note finds you in good health. I am reaching out to discuss a potential security concern that I've identified in the recently installed 'webpack-dev-server' package. A vulnerability scan I conducted using Vulert on the lock file has alerted me to the presence of more than 3 potentially vulnerable dependencies.

Recognizing the significant threat these vulnerabilities may present to our project, I am uncertain of the appropriate protocol for responsible disclosure. It's important to remember that while some of these dependencies are development-only, their presence in the lock file means they might surface in the vendor folder, and therefore their management is essential.

To gain a complete overview, you can access the vulnerability scan report of the package-lock file via this link: https://vulert.com/vuln-scan/list/892de142-db05-41ee-8765-6756273e28d9

I strongly urge us to take immediate action to address these vulnerabilities to preserve the security of our project. Should you require additional details or a more comprehensive explanation, please don't hesitate to get in touch with me.

For your reference, you can find the scanned lock file at this location: https://github.com/webpack/webpack-dev-server/blob/master/package-lock.json

I am eagerly waiting for your prompt attention and response to this matter.

Best regards.