Skip to content

Update webpack-dev-server 5.2.5 → 6.0.0 (major)#426

Merged
canova merged 1 commit into
masterfrom
depfu/update/yarn/webpack-dev-server-6.0.0
Jul 10, 2026
Merged

Update webpack-dev-server 5.2.5 → 6.0.0 (major)#426
canova merged 1 commit into
masterfrom
depfu/update/yarn/webpack-dev-server-6.0.0

Conversation

@depfu

@depfu depfu Bot commented Jul 10, 2026

Copy link
Copy Markdown

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack-dev-server (5.2.5 → 6.0.0) · Repo · Changelog

Release Notes

6.0.0

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build, allowing the package to be consumed from both ESM and CommonJS without relying on require(ESM) for CommonJS consumers. (by @bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @bjohansebas in #5674)

  • Update webpack-cli to v7.0.2. (by @bjohansebas in #5674)

5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options
    argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @bjohansebas in #5699)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added the dependencies Pull requests that update a dependency file label Jul 10, 2026
@depfu depfu Bot requested review from canova and fatadel as code owners July 10, 2026 03:40
@netlify

netlify Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploy Preview for firefox-devtools-react-contextmenu ready!

Name Link
🔨 Latest commit f6429db
🔍 Latest deploy log https://app.netlify.com/projects/firefox-devtools-react-contextmenu/deploys/6a5069ca5a98cc0008bfa99d
😎 Deploy Preview https://deploy-preview-426--firefox-devtools-react-contextmenu.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@canova canova left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@canova canova merged commit ceb92fb into master Jul 10, 2026
6 checks passed
@depfu depfu Bot deleted the depfu/update/yarn/webpack-dev-server-6.0.0 branch July 10, 2026 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant