Planning upgrade to webpack-dev-server 4 #21214
Comments
This vulnerability doesn't really affect the Angular CLI since we don't expect the CLI to be executed on production environments where arbitrary maliciously crafted globs are provided. Upgrading web-dev-server to version 4 is definitely something that we want to do, but when this is released as stable. This also seems to be more of an issue that needs to be addressed upstream by the webpack-dev-server team before it's actionable by us.
Yes I agree this is not a real vulnerability, that's why I opened this issue as a feature request ^^ but I'm glad to hear you are looking forward to upgrading to webpack-dev-server 4. Just to let you know, it seems like they are close to a release: webpack/webpack-dev-server#3444 (comment) and there will be quite a few breaking changes.
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
🚀 Feature request

Description

webpack-dev-server 3 depends on -> chokidar 2 which depends on -> glob-parent 3 which has -> a security issue. (you can learn more about it here: webpack/webpack-dev-server#3407)

webpack-dev-server 3 could update to chokidar 3 which fixes this security issue by upgrading glob-parent to 5.1.2 but because webpack-dev-server 3 is targeting nodejs >= 6 and chokidar 3 has dropped the support for nodejs 6, they can't fix the security issue without dropping the support for nodejs 6 too, so they needed a major update to do it.

Introducing webpack-dev-server 4 ... which is already using chokidar 3 and fixes the security issue mentioned above. (well at the moment of writing this issue, webpack-dev-server 4 is still in beta 3)

Describe the solution you'd like

Angular CLI should make a plan to upgrade to webpack-dev-server 4.

Describe alternatives you've considered

I don't think there is an alternative solution.
Here is the report of the security issue involved :
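
An added example, not part of the original issue or of the Angular CLI or webpack-dev-server code: a check for the dependency chain the issue describes. It walks the JSON tree that `npm ls --all --json` prints and reports every path ending in a glob-parent older than 5.1.2; the sample tree and its version numbers are constructed, and the function names are hypothetical.

```javascript
// Compare two "major.minor.patch" strings; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over an `npm ls --json` style node.
// Returns one { path, version } entry per copy of pkgName older than fixedIn.
function findOutdated(node, name, pkgName, fixedIn, trail = []) {
  const here = trail.concat(`${name}@${node.version || '?'}`);
  const hits = [];
  if (name === pkgName && node.version && compareVersions(node.version, fixedIn) < 0) {
    hits.push({ path: here, version: node.version });
  }
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findOutdated(dep, depName, pkgName, fixedIn, here));
  }
  return hits;
}

// Constructed sample in the shape of `npm ls --all --json` output (not real project data).
const sampleTree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    'webpack-dev-server': { version: '3.11.2', dependencies: {
      chokidar: { version: '2.1.8', dependencies: {
        'glob-parent': { version: '3.1.0' } } } } },
    'fast-glob': { version: '3.2.5', dependencies: {
      'glob-parent': { version: '5.1.2' } } }  // already at the fixed version
  }
};

// Paths in the sample that still pull in a glob-parent below 5.1.2.
function checkSample() {
  return findOutdated(sampleTree, sampleTree.name, 'glob-parent', '5.1.2')
    .map(h => h.path.join(' > '));
}

console.log(checkSample());
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --all --json`.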