Skip to content

chore(deps-dev): bump webpack-dev-server from 5.2.5 to 6.0.0 in /examples/webpack#328

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/webpack/webpack-dev-server-6.0.0
Open

chore(deps-dev): bump webpack-dev-server from 5.2.5 to 6.0.0 in /examples/webpack#328
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/examples/webpack/webpack-dev-server-6.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown

Bumps webpack-dev-server from 5.2.5 to 6.0.0.

Release notes

Sourced from webpack-dev-server's releases.

v6.0.0

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @​bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @​bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @​bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @​bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @​bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @​bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @​bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @​bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @​bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @​bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @​bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @​bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @​bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @​bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @​bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @​bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @​bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @​bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @​bjohansebas in #5674)

  • Update webpack-cli to v7.0.2. (by @​bjohansebas in #5674)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

6.0.0

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @​bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @​bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @​bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @​bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @​bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @​bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @​bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @​bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @​bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @​bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @​bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @​bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @​bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @​bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @​bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @​bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @​bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @​bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @​bjohansebas in #5674)

... (truncated)

Commits
  • 05cb792 chore(release): new release (#5692)
  • a451839 fix: handle middleware teardown in plugin mode (#5703)
  • c2d23a7 fix: load ESM-only dependencies with native import() in the CommonJS build (#...
  • ba54764 fix: reject cross-site requests to open-editor and invalidate endpoints (#5691)
  • 2b369b3 fixup!
  • 08a0ea7 fix: ensure undefined options default to an empty object in Server constructor
  • 797b9e7 fix: handle undefined options in Server constructor
  • e90221c feat: plugin support (#5650)
  • 4c351e1 feat: support universal platform as a web target (#5690)
  • 2236aa4 chore: update http-proxy-middleware to version 4.1.1 and add tests for pathRe...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.5 to 6.0.0.
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.5...v6.0.0)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 6.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants