Skip to content

v5.2.5 is dependent on http-proxy-middleware with vulnerability version #5687

Description

@hermanho

Have you used AI?

No

Bug Description

The current v5.2.5 is depended on http-proxy-middleware with a v2 version.
https://github.com/webpack/webpack-dev-server/blob/main/package.json#L63
http-proxy-middleware v2.0.9 has a vulnerability
GHSA-64mm-vxmg-q3vj
However, the fixed version is v3 and v4 which is a major release update.

Link to Minimal Reproduction and step to reproduce

GHSA-64mm-vxmg-q3vj

Expected Behavior

http-proxy-middleware should be installed with v3.0.6 or v4.1.0

Actual Behavior

Environment

System:
  OS: macOS 26.5.1
  CPU: (11) arm64 Apple M3 Pro
  Memory: 436.66 MB / 18.00 GB
Binaries:
  Node: 24.15.0 - /Users/herman/.nvm/versions/node/v24.15.0/bin/node
  npm: 11.12.1 - /Users/herman/.nvm/versions/node/v24.15.0/bin/npm
Browsers:
  Chrome: 149.0.7827.115
  Edge: 149.0.4022.80
  Safari: 26.5

Is this a regression?

None

Last Working Version

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions