fix(webpack): include devserverHost in allowedHosts for Docker environments #36597

Merged
mistercrunch merged 1 commit into master from test-superset-env-in-agor
Dec 12, 2025

@mistercrunch mistercrunch commented Dec 12, 2025

User description

SUMMARY

When running webpack-dev-server with WEBPACK_DEVSERVER_HOST=0.0.0.0 in Docker environments, external IP access was blocked because allowedHosts was hardcoded to only allow localhost variants.

This adds devserverHost to the allowedHosts array so that accessing the dev server via external IPs works when explicitly configured to bind to all interfaces. The Set ensures deduplication if devserverHost happens to match an existing entry.

Before: Setting WEBPACK_DEVSERVER_HOST=0.0.0.0 binds the server to all interfaces, but requests from external IPs are rejected due to Host header validation.

After: The configured devserverHost is automatically included in allowedHosts, allowing access from the bound interface.

TESTING INSTRUCTIONS

  1. Start the dev environment with external binding:
    WEBPACK_DEVSERVER_HOST=0.0.0.0 NODE_PORT=9001 docker compose -f docker-compose-light.yml up -d
  2. Access from an external IP (e.g., http://<your-machine-ip>:9001/)
  3. Verify the page loads instead of being blocked

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code


CodeAnt-AI Description

Include configured dev server host in allowedHosts to permit external access

What Changed

  • The dev server now adds the configured host (e.g., WEBPACK_DEVSERVER_HOST) to its allowed hosts, so requests using that host header are accepted.
  • Duplicate host entries are deduplicated so adding the configured host won't create repeated entries.

Impact

✅ Access dev server from external IPs in Docker
✅ Fewer blocked requests to the dev server
✅ Easier local Docker development with custom dev server binding

…nments

When running webpack-dev-server with WEBPACK_DEVSERVER_HOST=0.0.0.0 in
Docker environments, external IP access was blocked because allowedHosts
was hardcoded to only allow localhost variants. This adds devserverHost
to the allowedHosts list so that accessing the dev server via external
IPs works when explicitly configured to bind to all interfaces.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@codeant-ai-for-open-source

CodeAnt AI is reviewing your PR.

bito-code-review bot commented Dec 12, 2025

Code Review Agent Run #fd9963

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: 03089fe..03089fe
    • superset-frontend/webpack.config.js
  • Files skipped - 0
  • Tools
    • Eslint (Linter) - ✔︎ Successful
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

@dosubot dosubot bot added the infra Namespace | Anything related to infrastructure label Dec 12, 2025
@codeant-ai-for-open-source codeant-ai-for-open-source bot added the size:S This PR changes 10-29 lines, ignoring generated files label Dec 12, 2025
@codeant-ai-for-open-source

Nitpicks 🔍

🔒 No security issues identified
⚡ Recommended areas for review

  • Security Concern
    Broadening allowed hosts while running a dev server can allow Host header based requests from arbitrary remote hosts. Ensure this change is only applied in development and consider explicit opt-in or narrower rules to avoid unintentionally exposing the dev server to untrusted networks.

  • Possible Bug
    If devserverHost is set to 0.0.0.0 (common in Docker), adding that literal value to allowedHosts will not match incoming requests whose Host header is an actual external IP (e.g. 192.168.x.x). In that case including 0.0.0.0 is ineffective. Consider special-casing 0.0.0.0/:: to allow hosts differently (e.g. allowedHosts: "all" or using auto) so external client Host headers are accepted when the server binds to all interfaces.

  • Host Format Validation
    devserverHost may be provided through CLI/env and could include a protocol or port (e.g. http://host:9000). The current code inserts it directly into allowedHosts. Validate/sanitize the value to ensure only the hostname (no protocol/port) is added, otherwise match rules may fail.
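
The host sanitizing and bind-all handling raised in the nitpicks above, sketched as an added example (not Superset's webpack.config.js and not part of this PR). `BASE_ALLOWED_HOSTS`, `toBareHostname`, `buildAllowedHosts` and the `extraHosts` parameter are hypothetical names, and the base list and sample values are constructed.

```javascript
// Added example: hypothetical helper names; the base list is constructed,
// standing in for the "localhost variants" the PR description mentions.
const BASE_ALLOWED_HOSTS = ['localhost', '.localhost', '127.0.0.1', '::1'];
const WILDCARD_BINDS = new Set(['0.0.0.0', '::']);

// Reduce a configured value such as "http://host:9000" or "[::1]:9000"
// to a bare, lower-cased hostname; return null when it cannot be parsed.
function toBareHostname(value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  let v = value.trim();
  // A bare IPv6 literal ("::1") has several colons and no brackets;
  // bracket it so the URL parser does not read its tail as a port.
  if (!v.includes('://') && !v.includes('[') && (v.match(/:/g) || []).length > 1) {
    v = `[${v}]`;
  }
  const withScheme = v.includes('://') ? v : `http://${v}`;
  try {
    const { hostname } = new URL(withScheme);
    return hostname.replace(/^\[|\]$/g, '').toLowerCase() || null;
  } catch {
    return null;
  }
}

// Base entries plus each sanitized host, deduplicated with a Set. A bind-all
// address is reported instead of added, since (as the review comment says)
// it will not equal the Host header an external client sends.
function buildAllowedHosts(devserverHost, extraHosts = []) {
  const hosts = new Set(BASE_ALLOWED_HOSTS);
  const notes = [];
  for (const raw of [devserverHost, ...extraHosts]) {
    if (raw === undefined) continue;
    const host = toBareHostname(raw);
    if (host === null) {
      notes.push(`ignored unparseable host: ${raw}`);
    } else if (WILDCARD_BINDS.has(host)) {
      notes.push(`bind-all address ${host} not added; list reachable names explicitly`);
    } else {
      hosts.add(host);
    }
  }
  return { allowedHosts: [...hosts], notes };
}

// Constructed sample: bind to all interfaces, reach the server by one LAN IP.
console.log(buildAllowedHosts('0.0.0.0', ['http://192.168.1.20:9001']));
```

Listing the reachable names explicitly keeps the list narrow, which is the opt-in approach the Security Concern item asks for.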

@codeant-ai-for-open-source

CodeAnt AI finished reviewing your PR.

@Vitor-Avila Vitor-Avila left a comment

LGTM!

@mistercrunch mistercrunch merged commit cde9abf into master Dec 12, 2025
92 of 94 checks passed
@mistercrunch mistercrunch deleted the test-superset-env-in-agor branch December 12, 2025 21:35

Labels

infra Namespace | Anything related to infrastructure preset-io size/S size:S This PR changes 10-29 lines, ignoring generated files
