Security vulnerability webpack-dev-server in @nx/webpack (CVE-2024-21536) #28922

Open
1 of 4 tasks
gurisko opened this issue Nov 13, 2024 · 1 comment

gurisko commented Nov 13, 2024

Current Behavior

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Denial of service in http-proxy-middleware             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ http-proxy-middleware                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.0.7                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.0.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @nx/[email protected] > @nx/[email protected] >             │
│                     │ [email protected] > [email protected] │
│                     │                                                        │
│                     │ . > @nx/[email protected] > [email protected] >    │
│                     │ [email protected]                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c7qv-q95q-8v27      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Expected Behavior

No reported vulnerability.

GitHub Repo

No response

Steps to Reproduce

  1. Run pnpm audit (or similar)

Nx Report

Node           : 22.9.0
OS             : linux-x64
Native Target  : x86_64-linux
pnpm           : 9.12.3

nx                 : 20.1.0
@nx/js             : 20.1.0
@nx/jest           : 20.1.0
@nx/linter         : 19.5.0
@nx/eslint         : 20.1.0
@nx/workspace      : 20.1.0
@nx/devkit         : 20.1.0
@nx/eslint-plugin  : 20.1.0
@nx/express        : 20.1.0
@nx/nest           : 20.1.0
@nx/next           : 20.1.0
@nx/node           : 20.1.0
@nx/react          : 20.1.0
@nx/web            : 20.1.0
@nx/webpack        : 20.1.0
typescript         : 5.6.3
---------------------------------------
Registered Plugins:
@nx/next/plugin
@nx/eslint/plugin
@nx/webpack/plugin
---------------------------------------
Community plugins:
@nx-extend/shadcn-ui : 4.1.2
---------------------------------------
The following packages should match the installed version of nx
  - @nx/[email protected]

To fix this, run `nx migrate [email protected]`

Failure Logs

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response

@FrozenPandaz
Collaborator

The issue from webpack-dev-server has been resolved but a version has not been published yet.

If you want to get rid of this vulnerability for yourself, you can regenerate your lockfile and the version range should pick up the patched version.

When webpack-dev-server releases a new version we can update our dependency.
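After regenerating the lockfile as suggested above, the resolved `http-proxy-middleware` versions can be checked against the patched range from the audit table. This is an added example, not code from the issue or from Nx; the function names and the sample lockfile text are constructed, and only the pnpm lockfileVersion 6 and 9 key layouts are assumed.

```javascript
// Added example (not from the issue): list resolved http-proxy-middleware
// versions in pnpm-lock.yaml text that fall below the patched 2.0.7.
const PKG = 'http-proxy-middleware';
const PATCHED = [2, 0, 7]; // audit table above: patched versions >=2.0.7

// Parse "major.minor.patch", ignoring any prerelease or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so that 2.0.10 is not treated as older than 2.0.7.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Match package keys as written by lockfileVersion 6 ("/name@1.2.3(...):")
// and 9 ("name@1.2.3:" or "name@1.2.3(...):"). Assumption: other lockfile
// layouts are out of scope here.
function findResolved(lockText, name = PKG) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp(
    `^\\s+['"]?/?${esc}@(\\d+\\.\\d+\\.\\d+[^('":\\s]*)[^\\n]*:\\s*$`, 'gm');
  const versions = new Set();
  for (const m of lockText.matchAll(re)) versions.add(m[1]);
  return [...versions].sort();
}

function findVulnerable(lockText) {
  return findResolved(lockText).filter((v) => isBelow(parseVersion(v), PATCHED));
}

// Constructed, trimmed sample in lockfileVersion 9 style (not from the issue).
const SAMPLE_LOCK = [
  "lockfileVersion: '9.0'",
  'packages:',
  '  http-proxy-middleware@2.0.6:',
  '  http-proxy-middleware@2.0.7:',
  'snapshots:',
  '  http-proxy-middleware@2.0.6(@types/express@4.17.21):',
  '',
].join('\n');

console.log('below patched range:', findVulnerable(SAMPLE_LOCK));
```

Pass the function the text of your own `pnpm-lock.yaml`; an empty result after regenerating means no resolved copy is below 2.0.7.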
