
Planning upgrade to webpack-dev-server 4 #21214

Closed

Julien-Marcou opened this issue Jun 26, 2021 · 3 comments

Comments

@Julien-Marcou
Copy link
Contributor

🚀 Feature request

Description

webpack-dev-server 3 depends on -> chokidar 2 which depends on -> glob-parent 3 which has -> a security issue.

(you can learn more about it here : webpack/webpack-dev-server#3407)

webpack-dev-server 3 could update to chokidar 3, which fixes this security issue by upgrading glob-parent to 5.1.2, but because webpack-dev-server 3 targets Node.js >= 6 and chokidar 3 has dropped support for Node.js 6, they can't fix the security issue without dropping support for Node.js 6 too, so they needed a major update to do it.

Introducing webpack-dev-server 4... which is already using chokidar 3 and fixes the security issue mentioned above.

(well at the moment of writing this issue, webpack-dev-server 4 is still in beta 3)

Describe the solution you'd like

Angular CLI should make a plan to upgrade to webpack-dev-server 4.

Describe alternatives you've considered

I don't think there is an alternative solution.

Here is the report of the security issue involved:

# npm audit report

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.1.0-beta.9 - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack
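The dependency chain in the report above, as an added example that is not part of the original issue nor code from the Angular CLI or webpack-dev-server projects: a small Node.js script that walks a hand-built dependency tree the way `npm audit` does and lists every path from the project root down to a glob-parent release below 5.1.2. The tree, the version numbers on it and the helper names (`findVulnerablePaths`, `compareVersions`, `formatReport`) are constructed for illustration and assumed, not read from a real lock file.

```javascript
// Added example, not code from the Angular CLI or webpack-dev-server projects.
// Walks a constructed dependency tree the way `npm audit` does and reports each
// path from the project root down to a glob-parent release below 5.1.2, the
// first version without the regular expression denial of service (advisory 1751).

const FIXED_GLOB_PARENT = '5.1.2';

// Compare dotted numeric versions (pre-release suffixes are ignored, which is
// enough for the plain numeric bound in the audit report). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableGlobParent(version) {
  return compareVersions(version, FIXED_GLOB_PARENT) < 0;
}

// Depth-first walk collecting every root-to-target path whose leaf is
// vulnerable. Nodes may be shared (npm dedupes packages), so the same
// webpack-dev-server node can be reached through several parents and each
// route is reported separately, as in the audit output. The path stack also
// guards against cycles in the dependency graph.
function findVulnerablePaths(root, target, isVulnerable) {
  const results = [];
  const stack = [];
  function walk(node) {
    if (stack.includes(node)) return;
    stack.push(node);
    if (node.name === target && isVulnerable(node.version)) {
      results.push(stack.map((n) => `${n.name}@${n.version}`));
    }
    for (const dep of node.dependencies) walk(dep);
    stack.pop();
  }
  walk(root);
  return results;
}

// Render the paths in the indented style `npm audit` uses.
function formatReport(paths) {
  return paths
    .map((p) => p.map((entry, depth) => '  '.repeat(depth) + entry).join('\n'))
    .join('\n\n');
}

// Constructed sample tree mirroring the audit report in the issue. Version
// numbers are illustrative assumptions, not taken from a real lock file.
const vulnerableGlobParent = { name: 'glob-parent', version: '3.1.0', dependencies: [] };
const chokidar2 = { name: 'chokidar', version: '2.1.8', dependencies: [vulnerableGlobParent] };
const webpackDevServer3 = { name: 'webpack-dev-server', version: '3.11.2', dependencies: [chokidar2] };
const chokidar3 = {
  name: 'chokidar', version: '3.5.2',
  dependencies: [{ name: 'glob-parent', version: '5.1.2', dependencies: [] }],
};
const buildWebpack = { name: '@angular-devkit/build-webpack', version: '0.1201.0', dependencies: [webpackDevServer3] };
const buildAngular = {
  name: '@angular-devkit/build-angular', version: '12.1.0',
  dependencies: [buildWebpack, webpackDevServer3, chokidar3],
};
const sampleTree = { name: 'my-app', version: '0.0.0', dependencies: [buildAngular] };

const vulnerablePaths = findVulnerablePaths(sampleTree, 'glob-parent', isVulnerableGlobParent);
console.log(formatReport(vulnerablePaths));
```

Both routes into the shared webpack-dev-server node are reported, one through @angular-devkit/build-webpack and one directly from @angular-devkit/build-angular, while the chokidar 3 branch that already carries glob-parent 5.1.2 is not flagged. That is the situation the issue describes: the fixed glob-parent is reachable, but only once webpack-dev-server itself moves to chokidar 3.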
@alan-agius4
Copy link
Collaborator

This vulnerability doesn't really affect the Angular CLI since we don't expect the CLI to be executed on production environments where arbitrary maliciously crafted globs are provided.

Upgrading webpack-dev-server to version 4 is definitely something that we want to do, but when this is released as stable.

This also seems to be more of an issue that needs to be addressed upstream by the webpack-dev-server team before it's actionable by us.

@Julien-Marcou
Copy link
Contributor Author

Yes, I agree this is not a real vulnerability, that's why I opened this issue as a feature request ^^ but I'm glad to hear you are looking forward to upgrading to webpack-dev-server 4.

Just to let you know, it seems like they are close to a release : webpack/webpack-dev-server#3444 (comment) and there will be quite a bit of breaking changes.

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 28, 2021