
🚨 [security] Update webpack-dev-server 5.2.2 → 5.2.4 (patch)#7128

Open

depfu[bot] wants to merge 1 commit into main from depfu/update/npm/webpack-dev-server-5.2.4


Conversation

@depfu depfu Bot commented May 18, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webpack-dev-server (5.2.2 → 5.2.4) · Repo · Changelog

Security Advisories 🚨

🚨 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

Impact

When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via <script> tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on Sec-Fetch-Mode and Sec-Fetch-Site request headers to block these requests, but browsers only send these headers for potentially trustworthy origins. Over plain HTTP, the headers are absent and the check is bypassed.

An attacker who knows the dev server's host, port, and output path can exfiltrate all module source code by intercepting the webpack runtime's module registration.

This does not affect Chrome 142+ (and other Chromium-based browsers) due to local network access restrictions.

Patches

Patched in webpack-dev-server >= 5.2.4 by setting Cross-Origin-Resource-Policy: same-origin on responses.

Workarounds

Run the dev server with HTTPS enabled (--https or server.type: 'https' in config).

Resources

Release Notes

5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @types/express (indirect, 4.17.23 → 4.17.25) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ body-parser (indirect, 1.20.3 → 1.20.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cookie (indirect, 0.7.1 → 0.7.2) · Repo · Changelog

Release Notes

0.7.2

Fixed

  • Fix object assignment of hasOwnProperty (#177) bc38ffd

v0.7.1...v0.7.2


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cookie-signature (indirect, 1.0.6 → 1.0.7) · Repo · Changelog

Release Notes

1.0.7 (from changelog)

Later release for older node.js versions. See the v1.0.x branch notes.


↗️ express (indirect, 4.21.2 → 4.22.2) · Repo · Changelog

Release Notes

4.22.2

What's Changed

  • fix: restore >20 array parsing for req.query repeated keys (8d09bfe6)
    • This also unifies array-cap behavior across notations. Indexed notation (a[0]=...) was historically capped at qs's default arrayLimit of 20 even in older qs versions; after this change it also allows up to 1000 items.
  • deps: qs@~6.15.1
  • deps: body-parser@~1.20.5

New Contributors

Full Changelog: v4.22.1...v4.22.2

4.22.1

What's Changed

Full Changelog: 4.22.0...v4.22.1

4.22.0

Important: Security

What's Changed

Full Changelog: 4.21.2...4.22.0


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ finalhandler (indirect, 1.3.1 → 1.3.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ path-to-regexp (indirect, 0.1.12 → 0.1.13) · Repo · Changelog

Security Advisories 🚨

🚨 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters

Impact

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

References

↗️ qs (indirect, 6.13.0 → 6.15.2) · Repo · Changelog

Security Advisories 🚨

🚨 qs's arrayLimit bypass in comma parsing allows denial of service

Summary

The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).

Details

When the comma option is set to true (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., ?param=a,b,c becomes ['a', 'b', 'c']). However, the limit check for arrayLimit (default: 20) and the optional throwOnLimitExceeded occur after the comma-handling logic in parseArrayValue, enabling a bypass. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.

Vulnerable code (lib/parse.js: lines ~40-50):

```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(','); // returns before the limit check below ever runs
}

if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

return val;
```

The split(',') returns the array immediately, skipping the subsequent limit check. Downstream merging via utils.combine does not prevent allocation, even if it marks overflows for sparse arrays. This discrepancy allows attackers to send a single parameter with millions of commas (e.g., ?param=,,,,,,,,...), allocating massive arrays in memory without triggering limits. It bypasses the intent of arrayLimit, which is enforced correctly for indexed (a[0]=) and bracket (a[]=) notations (the latter fixed in v6.14.1 per GHSA-6rw7-vpxm-498p).

PoC

Test 1 - Basic bypass:

```shell
npm install qs
```

```js
const qs = require('qs');

const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit: 5)
const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };

try {
    const result = qs.parse(payload, options);
    console.log(result.a.length); // Outputs: 26 (bypass successful)
} catch (e) {
    console.log('Limit enforced:', e.message); // Not thrown
}
```

Configuration:

  • comma: true
  • arrayLimit: 5
  • throwOnLimitExceeded: true

Expected: Throws "Array limit exceeded" error.
Actual: Parses successfully, creating an array of length 26.

Impact

Denial of Service (DoS) via memory exhaustion.

Suggested Fix

Move the arrayLimit check before the comma split in parseArrayValue, and enforce it on the resulting array length. Use currentArrayLength (already calculated upstream) for consistency with bracket notation fixes.

Current code (lib/parse.js: lines ~40-50):

```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
}

if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

return val;
```

Fixed code:

```js
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    const splitArray = val.split(',');
    if (splitArray.length > options.arrayLimit - currentArrayLength) {  // Check against remaining limit
        if (options.throwOnLimitExceeded) {
            throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
        } else {
            // Optionally convert to object or truncate, per README
            return splitArray.slice(0, options.arrayLimit - currentArrayLength);
        }
    }
    return splitArray;
}

if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

return val;
```

This aligns behavior with indexed and bracket notations, reuses currentArrayLength, and respects throwOnLimitExceeded. Update README to note the consistent enforcement.

🚨 qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Summary

The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.

Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.

Details

The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]=2) but did not enforce it for bracket notation (a[]=1&a[]=2).

Vulnerable code (lib/parse.js:159-162):

```js
if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}
```

Working code (lib/parse.js:175):

```js
else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}
```

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.

PoC

```js
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)
```

Note on parameterLimit interaction: The original advisory's "DoS demonstration" claimed a length of 10,000, but parameterLimit (default: 1000) caps parsing to 1,000 parameters. With default options, the actual output is 1,000, not 10,000.

Impact

Consistency bug in arrayLimit enforcement. With default parameterLimit, the practical DoS risk is negligible since parameterLimit already caps the total number of parsed parameters (and thus array elements from bracket notation). The risk increases only when parameterLimit is explicitly set to a very high value.

Release Notes

6.15.2 (from changelog)

  • [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
  • [Fix] stringify: use configured delimiter after charsetSentinel (#555)
  • [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
  • [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
  • [Fix] parse: handle nested bracket groups and add regression tests (#530)
  • [readme] fix grammar (#550)
  • [Dev Deps] update @ljharb/eslint-config
  • [Tests] add regression tests for keys containing percent-encoded bracket text

6.15.1 (from changelog)

  • [Fix] parse: parameterLimit: Infinity with throwOnLimitExceeded: true silently drops all parameters
  • [Deps] update @ljharb/eslint-config
  • [Dev Deps] update @ljharb/eslint-config, iconv-lite
  • [Tests] increase coverage

6.15.0 (from changelog)

  • [New] parse: add strictMerge option to wrap object/primitive conflicts in an array (#425, #122)
  • [Fix] duplicates option should not apply to bracket notation keys (#514)

6.14.2 (from changelog)

  • [Fix] parse: mark overflow objects for indexed notation exceeding arrayLimit (#546)
  • [Fix] arrayLimit means max count, not max index, in combine/merge/parseArrayValue
  • [Fix] parse: throw on arrayLimit exceeded with indexed notation when throwOnLimitExceeded is true (#529)
  • [Fix] parse: enforce arrayLimit on comma-parsed values
  • [Fix] parse: fix error message to reflect arrayLimit as max index; remove extraneous comments (#545)
  • [Robustness] avoid .push, use void
  • [readme] document that addQueryPrefix does not add ? to empty output (#418)
  • [readme] clarify parseArrays and arrayLimit documentation (#543)
  • [readme] replace runkit CI badge with shields.io check-runs badge
  • [meta] fix changelog typo (arrayLength → arrayLimit)
  • [actions] fix rebase workflow permissions

6.14.1 (from changelog)

  • [Fix] ensure arrayLength applies to [] notation as well
  • [Fix] parse: when a custom decoder returns null for a key, ignore that key
  • [Refactor] parse: extract key segment splitting helper
  • [meta] add threat model
  • [actions] add workflow permissions
  • [Tests] stringify: increase coverage
  • [Dev Deps] update eslint, @ljharb/eslint-config, npmignore, es-value-fixtures, for-each, object-inspect

6.14.0 (from changelog)

  • [New] parse: add throwOnParameterLimitExceeded option (#517)
  • [Refactor] parse: use utils.combine more
  • [patch] parse: add explicit throwOnLimitExceeded default
  • [actions] use shared action; re-add finishers
  • [meta] Fix changelog formatting bug
  • [Deps] update side-channel
  • [Dev Deps] update es-value-fixtures, has-bigints, has-proto, has-symbols
  • [Tests] increase coverage

6.13.1 (from changelog)

  • [Fix] stringify: avoid a crash when a filter key is null
  • [Fix] utils.merge: functions should not be stringified into keys
  • [Fix] parse: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
  • [Fix] stringify: ensure a non-string filter does not crash
  • [Refactor] use __proto__ syntax instead of Object.create for null objects
  • [Refactor] misc cleanup
  • [Tests] utils.merge: add some coverage
  • [Tests] fix a test case
  • [actions] split out node 10-20, and 20+
  • [Dev Deps] update es-value-fixtures, mock-property, object-inspect, tape


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ raw-body (indirect, 2.5.2 → 2.5.3) · Repo · Changelog

Release Notes

2.5.3

What's Changed

Dependencies

  • deps: http-errors@2.0.1 by @bjohansebas in #126
    • deps: statuses@2.0.2
    • deps: use tilde notation for dependencies
  • deps: use tilde notation for dependencies by @bjohansebas in #126

Documentation

  • chore: remove history.md and security.md from being packaged on publish (#122) by @bjohansebas in #129

Other changes

Full Changelog: 2.5.2...2.5.3


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ selfsigned (indirect, 2.4.1 → 5.5.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @noble/hashes (added, 1.4.0)

🆕 @peculiar/asn1-cms (added, 2.7.0)

🆕 @peculiar/asn1-csr (added, 2.7.0)

🆕 @peculiar/asn1-ecc (added, 2.7.0)

🆕 @peculiar/asn1-pfx (added, 2.7.0)

🆕 @peculiar/asn1-pkcs8 (added, 2.7.0)

🆕 @peculiar/asn1-pkcs9 (added, 2.7.0)

🆕 @peculiar/asn1-rsa (added, 2.7.0)

🆕 @peculiar/asn1-schema (added, 2.7.0)

🆕 @peculiar/asn1-x509 (added, 2.7.0)

🆕 @peculiar/asn1-x509-attr (added, 2.7.0)

🆕 @peculiar/utils (added, 2.0.3)

🆕 @peculiar/x509 (added, 1.14.3)

🆕 asn1js (added, 3.0.10)

🆕 bytestreamjs (added, 2.0.1)

🆕 pkijs (added, 3.4.0)

🆕 pvtsutils (added, 1.3.6)

🆕 pvutils (added, 1.1.5)

🆕 reflect-metadata (added, 0.2.2)

🆕 tsyringe (added, 4.10.0)

🆕 statuses (added, 2.0.2)

🆕 http-errors (added, 2.0.1)

🗑️ @types/node-forge (removed)

🗑️ node-forge (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
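The comma-split ordering bug and the suggested fix from the qs advisory above, as an added JavaScript example that is not qs's own source: the two functions stand in for qs's parseArrayValue (the names, and the parseCommaPayload helper, are assumptions), and the constructed input mirrors the advisory's a=,,,... PoC.

```javascript
// Added example (not qs's own source): a stand-in for qs's parseArrayValue that
// reproduces the ordering bug from the advisory and the suggested fix.
// `currentArrayLength` is the count of elements already merged for this key.
function limitError(arrayLimit) {
  return new RangeError('Array limit exceeded. Only ' + arrayLimit +
    ' element' + (arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}

// Vulnerable ordering: the comma split returns before the limit check runs.
function parseArrayValueVulnerable(val, options, currentArrayLength) {
  if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    return val.split(',');
  }
  if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw limitError(options.arrayLimit);
  }
  return val;
}

// Fixed ordering: the split result is checked against the remaining budget.
function parseArrayValueFixed(val, options, currentArrayLength) {
  if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
    const splitArray = val.split(',');
    const remaining = options.arrayLimit - currentArrayLength;
    if (splitArray.length > remaining) {
      if (options.throwOnLimitExceeded) {
        throw limitError(options.arrayLimit);
      }
      return splitArray.slice(0, Math.max(remaining, 0)); // non-throwing branch: truncate
    }
    return splitArray;
  }
  if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
    throw limitError(options.arrayLimit);
  }
  return val;
}

// Feeds a constructed value of `commas` commas (the PoC's 'a=,,,...' payload)
// to one parser and reports the element count or the error raised.
function parseCommaPayload(parser, commas, options) {
  const val = ','.repeat(commas);
  try {
    const result = parser(val, options, 0);
    return { length: Array.isArray(result) ? result.length : 1, error: null };
  } catch (e) {
    return { length: 0, error: e.message };
  }
}

const OPTS = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
console.log(parseCommaPayload(parseArrayValueVulnerable, 25, OPTS)); // { length: 26, error: null }
console.log(parseCommaPayload(parseArrayValueFixed, 25, OPTS));      // length 0, 'Array limit exceeded...'
```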

@depfu depfu Bot added depfu no-changelog no-jira-ticket Skip checking the PR title for Jira reference labels May 18, 2026
@depfu depfu Bot requested a review from a team May 18, 2026 14:10