chore(deps-dev): Bump webpack-dev-server from 5.2.1 to 5.2.3 #2767

Merged
ankita10119 merged 1 commit into master from dependabot/npm_and_yarn/webpack-dev-server-5.2.3
Apr 2, 2026
@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Apr 2, 2026

Bumps webpack-dev-server from 5.2.1 to 5.2.3.

Release notes

Sourced from webpack-dev-server's releases.

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crush when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

Commits

  • b550a70 chore(release): 5.2.3
  • 9704dc5 chore: upgrade selfsigned to v5 and remove node-forge dependency (#5618)
  • 92bf644 chore: bump express to update qs (#5621)
  • 792b2f0 chore(deps-dev): bump the dependencies group with 4 updates (#5606)
  • 6d587ca chore(deps): bump the dependencies group across 1 directory with 27 updates (...
  • f91baa8 fix(overlay): add ESC key to dismiss overlay (#5598)
  • 574026c fix: compatibility with event target and universal target and lazy compilation
  • c53955d docs: remove unused files
  • efe0aea test: fix
  • b6bb50c chore(deps): update
  • Additional commits viewable in compare view

@dependabot dependabot bot added the dependencies (One or more dependencies are being bumped) and javascript (Pull requests that update Javascript code) labels Apr 2, 2026
@dependabot dependabot bot requested a review from a team as a code owner April 2, 2026 08:47
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/webpack-dev-server-5.2.3 branch from e7a15f8 to e56f581 Compare April 2, 2026 11:12
@ankita10119
Contributor

@dependabot rebase

Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.1 to 5.2.3.
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.1...v5.2.3)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/webpack-dev-server-5.2.3 branch from e56f581 to 907f399 Compare April 2, 2026 11:17
@ankita10119 ankita10119 merged commit e658313 into master Apr 2, 2026
4 of 5 checks passed
@ankita10119 ankita10119 deleted the dependabot/npm_and_yarn/webpack-dev-server-5.2.3 branch April 2, 2026 11:24
ankita10119 added a commit that referenced this pull request Apr 6, 2026
…s to 3.1.0, and fix dev setup (#2771)

### Changes

This PR consolidates three related dependency upgrades and fixes the
local development setup that had been broken since PR #2622. It
supersedes #2769 (which will be closed).

1. **webpack-dev-server** `v4` → `v5` (`package.json`, `webpack.config.js`)

PR #2622 bumped **webpack-dev-server** from `4.15.2` to `5.2.1`. This
was a breaking change that went unnoticed because CI only runs tests, it
never starts the dev server. Running npm start after that bump resulted
in:

```
ValidationError: Invalid options object. Dev Server has been initialized using an options object that does not match the API schema.
 - options has an unknown property 'https'.
```

**Root cause**: webpack-dev-server v5 removed the https shorthand option
that existed in v4. The replacement is the server object API.

Fix in `webpack.config.js`:

```
// Before (v4 API — broken in v5)
https: getDevCerts() || true

// After (v5 API)
server: {
  type: 'https',
  options: getDevCerts() || {}
}
```

`package.json`: Version constraint updated from ^4.15.2 back to ^5.2.1 (resolves to 5.2.3, also covering PR #2767's bump).

2. Fix 403 Forbidden when loading bundle from Auth0 hosted pages (webpack.config.js)

After fixing the startup crash, a second issue surfaced when testing against a custom hosted login page on manage.auth0.com: the browser reported `Auth0Lock is not defined`. Inspecting the Network tab showed the bundle request returning 403 Forbidden.

**Root cause**: webpack-dev-server v5 introduced a security middleware (cross-origin-header-check) that blocks any request where both of these are true:
  - `sec-fetch-mode: no-cors` — always set by `<script>` tags
  - `sec-fetch-site: cross-site` — always set when an external origin (e.g. manage.auth0.com) loads a resource from localhost:3000

The combination of these two headers causes webpack-dev-server to return 403 before the bundle is served.

**Fix**:

`allowedHosts: 'all'`

This disables the cross-origin host check. It is safe for a local dev server — it has no effect on production builds and only applies when npm start is running. The original v4 server had no such restriction.

3. **auth0-password-policies** `1.0.2` → `3.1.0` and password-sheriff `1.1.1` → `2.0.0` (`package.json`, `webpack.config.js`)

`auth0-password-policies@1.0.2` was published in November 2018. After 7 years of inactivity, versions 1.1.0 through 3.1.0 were released between August 2025 and February 2026. Dependabot opened PR #2705 targeting 1.1.1 (the first post-gap release), but that PR failed CI and was superseded by two further major versions before it could be merged. This PR jumps directly to the current latest (3.1.0).

**Why password-sheriff is also bumped**:
`auth0-password-policies@3.x` declares `password-sheriff@^2.0.0` as a peer/dependency. Lock also uses password-sheriff directly in `src/field/password.js` and `src/ui/input/password/password_strength.jsx` via `password-sheriff/lib/policy`. The `lib/policy.js` API is identical between `v1` and `v2`, the only additions are two new built-in rule types (sequentialChars, maxLength) which Lock does not use. Bumping Lock's direct constraint to ^2.0.0 avoids having two copies of password-sheriff in the install tree.

**Why webpack.config.js needed a new babel-loader rule**:
`auth0-password-policies@3.1.0` ships its source with ES2020 syntax (optional chaining ?.). The project runs es-check es2017 against the built bundle as a CI gate. The existing webpack babel rule has `exclude: node_modules`, so third-party packages are bundled as-is. For most packages this is fine since they ship pre-built ES5, but auth0-password-policies does not.

A dedicated babel-loader rule for `auth0-password-policies` is added before the main rule. There is one non-obvious subtlety: Babel 7's `.babelrc` is file-relative, it only applies to files within the same package root and is silently ignored when Babel processes files in a different package under node_modules. This means Babel would run but apply no transforms, leaving ?. in the output. The fix is to pass presets explicitly in the rule's options alongside configFile: false and `babelrc: false`, so Babel uses exactly those presets regardless of config file boundaries:

```
{
  test: /\.js$/,
  include: path.join(__dirname, 'node_modules', 'auth0-password-policies'),
  loader: 'babel-loader',
  options: {
    presets: [['@babel/preset-env', { useBuiltIns: 'entry', corejs: '3.26.1' }]],
    configFile: false,
    babelrc: false
  }
}
```
  
4. Fix webpack 5 compilation warning for CordovaAuth0Plugin (`src/core/web_api/p2_api.js`)

After the auth0-js bump in PR #2766 (9.30.1 → 9.32.0), webpack emitted two warnings on every build:

```
WARNING in ./src/core/web_api/p2_api.js
  export 'default' (imported as 'CordovaAuth0Plugin') was not found in
  'auth0-js/dist/cordova-auth0-plugin.min.js' (module has no exports)
```

**Root cause**: `cordova-auth0-plugin.min.js` uses a UMD format
(module.exports = factory()). Webpack 5's static analysis cannot resolve
a default export from a module.exports assignment inside a UMD IIFE, so
it warns when the file is imported with ES module import default syntax.

**Fix**: Replace the ES module import with require(), which webpack
handles correctly for CommonJS/UMD modules:

```
// Before
import CordovaAuth0Plugin from 'auth0-js/dist/cordova-auth0-plugin.min.js';

// After
const CordovaAuth0Plugin = require('auth0-js/dist/cordova-auth0-plugin.min.js');
```

Runtime behaviour is unchanged; the `typeof CordovaAuth0Plugin === 'function'` guard already in place handles the case where the plugin is
unavailable.

### References

  - Supersedes #2769
  - Supersedes #2705
  - Fixes dev setup broken by #2622
  - Related to #2767 (webpack-dev-server 5.2.1 → 5.2.3, covered by ^5.2.1 range)
  - Related to #2766 (auth0-js 9.30.1 → 9.32.0, source of the CordovaAuth0Plugin warning)

### Testing

Tested with local development setup.

* [ ] This change adds unit test coverage
* [ ] This change adds integration test coverage
* [ ] This change has been tested on the latest version of the platform/language

### Checklist

* [ ] I have read the [Auth0 general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
* [ ] I have read the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
* [ ] All code quality tools/guidelines have been run/followed
* [ ] All relevant assets have been compiled
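
The header rule described in section 2 of the commit message above, as an added example (not code from this PR or from webpack-dev-server): it models the rule only as far as the commit message states it and runs it over constructed requests to show which outcomes `allowedHosts: 'all'` changes. The function names and the sample requests are assumptions made for illustration.

```javascript
// Model of the rule as the commit message describes it; this is NOT
// webpack-dev-server's source. Returns the status the check would yield.
function crossOriginCheck(headers, allowedHosts) {
  // Per the commit message, allowedHosts: 'all' switches the check off.
  if (allowedHosts === 'all') return 200;
  // Otherwise a request is refused only when BOTH header conditions hold.
  const blocked =
    headers['sec-fetch-mode'] === 'no-cors' &&
    headers['sec-fetch-site'] === 'cross-site';
  return blocked ? 403 : 200;
}

// Constructed sample requests; header values are what a browser attaches.
const SAMPLES = [
  { name: 'cross-site <script src>',
    headers: { 'sec-fetch-mode': 'no-cors', 'sec-fetch-site': 'cross-site' } },
  { name: 'same-origin <script src>',
    headers: { 'sec-fetch-mode': 'no-cors', 'sec-fetch-site': 'same-origin' } },
  { name: 'cross-site fetch() in cors mode',
    headers: { 'sec-fetch-mode': 'cors', 'sec-fetch-site': 'cross-site' } },
  { name: 'top-level navigation',
    headers: { 'sec-fetch-mode': 'navigate', 'sec-fetch-site': 'none' } },
  { name: 'no Fetch Metadata headers', headers: {} },
];

// Names of the sample requests whose outcome differs between two settings.
function changedBy(before, after) {
  return SAMPLES
    .filter(s => crossOriginCheck(s.headers, before) !== crossOriginCheck(s.headers, after))
    .map(s => s.name);
}

// One row per sample: outcome with the option unset and with 'all'.
function report() {
  return SAMPLES.map(s => ({
    request: s.name,
    unset: crossOriginCheck(s.headers, undefined),
    all: crossOriginCheck(s.headers, 'all'),
  }));
}

console.table(report());
console.log("changed by allowedHosts 'all':", changedBy(undefined, 'all'));
```

In this model the only sample whose outcome changes is the cross-site script load, which is the request the check exists to refuse.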