Support webpack-dev-server v5 in @cypress/webpack-dev-server #29305

Closed
AtofStryker opened this issue Apr 11, 2024 · 6 comments · Fixed by #29306
Labels
npm: @cypress/webpack-dev-server @cypress/webpack-dev-server package issues type: feature New feature that does not currently exist

Comments

@AtofStryker
Contributor

What would you like?

I would like @cypress/webpack-dev-server to support webpack-dev-server v5.

Why is this needed?

A new version of webpack-dev-server is available, which projects like Angular v18 are using and others likely will use as well.

Other

To make this not a breaking change to cypress and @cypress/webpack-dev-server, webpack-dev-server version 4 still needs to be the default/shipped version, but webpack-dev-server 5 should be able to be sourced without error.

@AtofStryker AtofStryker self-assigned this Apr 11, 2024
@AtofStryker
Contributor Author

See #28926 for the default wds 4 to 5 bump, which is a breaking change.

@robcmills

@AtofStryker The logic in npm/webpack-dev-server/src/helpers/sourceRelativeWebpackModules.ts according to its own comment:

// Source the webpack-dev-server module from the provided framework or projectRoot.
// If none is found, we fallback to the version bundled with this package.

Currently, when it finds that the parent project is using wds v5, it throws. Would it be possible, instead of throwing, to fall back to the bundled version? Or is it necessary to fail because wds v5 running in the parent is going to cause issues with running a different version in component tests?

@robcmills

Also, for "Why is this needed?" there is a high severity security vulnerability in wds <5.3.4 which puts contractual obligations on many companies to upgrade in order to conform with SOC2 compliance and other security audits.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Path traversal in webpack-dev-middleware                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-middleware                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.3.4                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server > webpack-dev-middleware                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1096729                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

@AtofStryker
Contributor Author

> @AtofStryker The logic in npm/webpack-dev-server/src/helpers/sourceRelativeWebpackModules.ts according to its own comment:
>
> // Source the webpack-dev-server module from the provided framework or projectRoot.
> // If none is found, we fallback to the version bundled with this package.
>
> Currently, when it finds that the parent project is using wds v5, it throws. Would it be possible, instead of throwing, to fall back to the bundled version? Or is it necessary to fail because wds v5 running in the parent is going to cause issues with running a different version in component tests?

We would want to fail, since we are sourcing whatever is installed in your project, which is going to give you the behavior you would otherwise expect. The bundled version could be incompatible with your configuration/setup.

@AtofStryker
Contributor Author

> Also, for "Why is this needed?" there is a high severity security vulnerability in wds <5.3.4 which puts contractual obligations on many companies to upgrade in order to conform with SOC2 compliance and other security audits.
>
> ┌───────────────┬──────────────────────────────────────────────────────────────┐
> │ high          │ Path traversal in webpack-dev-middleware                     │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Package       │ webpack-dev-middleware                                       │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Patched in    │ >=5.3.4                                                      │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Dependency of │ webpack-dev-server                                           │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ Path          │ webpack-dev-server > webpack-dev-middleware                  │
> ├───────────────┼──────────────────────────────────────────────────────────────┤
> │ More info     │ https://www.npmjs.com/advisories/1096729                     │
> └───────────────┴──────────────────────────────────────────────────────────────┘

When #29306 drops, webpack-dev-server 4 will still be installed, so your dependency/vulnerability tool will likely still pick up this vulnerability, but the dependency will not be run since you have wds v5 installed (also another reason not to fall back to unexpected behavior 🙂).
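
Added example, not part of the thread and not Cypress code: a small lockfile triage that lists every installed copy of webpack-dev-middleware and marks the ones below the "Patched in" version from the audit output above, which is how a scanner finding on a bundled-but-unused copy can be told apart from one on the copy the project resolves. The lockfile excerpt, its nested layout and all version numbers in it are constructed, and `findCopies` / `compareVersions` are hypothetical helper names.

```javascript
// Threshold copied from the "Patched in" row of the audit output quoted in the thread.
const PATCHED_IN = '5.3.4';

// Constructed package-lock.json (lockfileVersion 3) excerpt; all versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app' },
    'node_modules/webpack-dev-server': { version: '5.0.4' },
    'node_modules/webpack-dev-middleware': { version: '7.2.1' },
    'node_modules/@cypress/webpack-dev-server/node_modules/webpack-dev-server': { version: '4.15.1' },
    'node_modules/@cypress/webpack-dev-server/node_modules/webpack-dev-middleware': { version: '5.3.3' },
  },
};

// Numeric x.y.z comparison; a pre-release suffix such as "-rc.1" is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, with the chain of packages whose nested
// node_modules folder holds it (same "a > b" notation as the audit's Path row).
function findCopies(lock, name) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, meta]) => {
      const owners = path.slice(0, -suffix.length).split('node_modules/')
        .map((s) => s.replace(/\/$/, '')).filter(Boolean);
      return {
        location: [...owners, name].join(' > '),
        version: meta.version,
        belowPatched: compareVersions(meta.version, PATCHED_IN) < 0,
      };
    });
}

for (const c of findCopies(sampleLock, 'webpack-dev-middleware')) {
  console.log(`${c.location}@${c.version}`, c.belowPatched ? 'below patched' : 'ok');
}
```

A flagged entry only shows that a copy is installed at that location; the lockfile does not say which copy is loaded at run time, and only the single version range quoted in the thread is checked.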

@cypress-bot
Contributor

cypress-bot bot commented Apr 18, 2024

Released in 13.8.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v13.8.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Apr 18, 2024