Patch Changes
- fix: allow `undefined` as the `Server` constructor `options` argument again (by @bjohansebas in #5695)

  Restores accepting `undefined` (defaulting it to `{}`) for the `options` argument, so passing a webpack config's optional `devServer` field type-checks and works as before.

- Protect the built-in state-changing routes (`/webpack-dev-server/invalidate` and `/webpack-dev-server/open-editor`) against cross-site request forgery. Requests are now checked with `Sec-Fetch-Site` (falling back to an `Origin`/`Host` comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @bjohansebas in #5698)

- Handle malformed `Host` and `Origin` header values gracefully when validating requests. (by @bjohansebas in #5699)
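
The check described in the last two items (`Sec-Fetch-Site` first, then an `Origin`/`Host` comparison, with malformed header values handled without throwing) can be sketched as follows; this is an added example, not webpack-dev-server's own code. The function names, the rejection of `same-site`, and the fail-closed handling of malformed values are assumptions of this sketch.

```javascript
// Added illustration, not webpack-dev-server's source; all names are hypothetical.

// Normalize "host[:port]" under a scheme. Returns null on malformed input
// instead of throwing, so a bad header can never crash the handler.
function normalizeAuthority(scheme, authority) {
  if (typeof authority !== "string" || authority === "") return null;
  try {
    const url = new URL(`${scheme}//${authority}`);
    // Reject values that smuggle credentials, a path or a query string.
    if (url.username || url.password || url.pathname !== "/" || url.search) {
      return null;
    }
    return url.host; // lowercased, default port removed
  } catch {
    return null;
  }
}

// Decide whether a request may reach a state-changing route.
// `headers` uses lowercase keys, as Node's req.headers does.
function allowStateChange(headers) {
  const site = headers["sec-fetch-site"];
  if (typeof site === "string") {
    // "none" marks a user-initiated navigation (address bar, bookmark).
    // Assumption of this sketch: "same-site" is rejected along with "cross-site".
    return site === "same-origin" || site === "none";
  }
  const origin = headers.origin;
  if (origin === undefined) return true; // non-browser client, e.g. curl
  let originUrl;
  try {
    originUrl = new URL(origin);
  } catch {
    return false; // malformed or opaque ("null") Origin: fail closed
  }
  const requestHost = normalizeAuthority(originUrl.protocol, headers.host);
  return requestHost !== null && requestHost === originUrl.host;
}

// Constructed sample requests (not captured traffic).
const samples = [
  { "sec-fetch-site": "cross-site", host: "localhost:8080" },
  { host: "localhost:8080", origin: "http://localhost:8080" },
  { host: "localhost:8080", origin: "http://evil.example" },
  { host: "local host", origin: "http://localhost:8080" },
];
for (const h of samples) console.log(JSON.stringify(h), "=>", allowStateChange(h));
```

Parsing the `Host` value under the scheme taken from `Origin` keeps default ports comparable, so `dev.example:443` matches `https://dev.example`.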