security: scoped resolution @electron-forge/plugin-webpack/webpack-dev-server 5.2.4 (#1237, #691, #692)

webpack-dev-server is pulled only by @electron-forge/plugin-webpack (twenty-companion), and no electron-forge release — including 8.0.0-alpha — uses webpack-dev-server 5, so there is no parent-upgrade path. A resolution is the only mechanism.

Scoped to @electron-forge/plugin-webpack/webpack-dev-server (not a global override) to limit blast radius.

Verified it's safe: webpack-dev-server's constructor is `constructor(options, compiler)` in BOTH v4 and v5 (the argument swap was v3->v4, not v4->v5), matching plugin-webpack's `new WebpackDevServer(this.devServerOptions(), compiler)` call. The options it passes (hot, devMiddleware.writeToDisk, historyApiFallback, port, setupExitSignals, static, headers) are all unchanged in v5, and it uses none of the hooks v5 removed.

webpack-dev-server is only exercised by `electron-forge start` (dev HMR); production make/package builds don't use it, and twenty-companion has no CI workflow.
Charles Bochet
2026-06-10 19:19:31 +02:00
parent 615c3d8dbe
commit 01be837d02
2 changed files with 686 additions and 108 deletions


@@ -43,7 +43,8 @@
"@electron/node-gyp/tar": "npm:^7.5.16",
"pacote/tar": "npm:^7.5.16",
"@angular-devkit/core": "19.2.24",
"yeoman-environment": "6.0.1"
"yeoman-environment": "6.0.1",
"@electron-forge/plugin-webpack/webpack-dev-server": "5.2.4"
},
"version": "0.2.1",
"nx": {},
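
Review bot: the added `"@electron-forge/plugin-webpack/webpack-dev-server": "5.2.4"` entry is an exact pin, so any later 5.x security release will not be picked up until this line is edited by hand. Nothing in the file records why the override exists or when it can be removed. The neighbouring `tar` overrides use a range (`npm:^7.5.16`); consider doing the same here if the intent is to stay on patched 5.x releases, or keep the exact pin and link a tracking issue that names the removal condition (an electron-forge release that depends on webpack-dev-server 5 itself). Since the commit message notes that twenty-companion has no CI workflow and the package only runs under `electron-forge start`, a manual dev-server smoke test (start, HMR reload) should be recorded with this change, because no automated job will catch a regression from forcing the major version.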

791
yarn.lock

File diff suppressed because it is too large