Skip to content

Bump webpack-dev-server from 5.2.5 to 6.0.0 in the webpack group across 1 directory#9368

Open
dependabot[bot] wants to merge 2 commits into
developmentfrom
dependabot/npm_and_yarn/webpack-aeb94540c5
Open

Bump webpack-dev-server from 5.2.5 to 6.0.0 in the webpack group across 1 directory#9368
dependabot[bot] wants to merge 2 commits into
developmentfrom
dependabot/npm_and_yarn/webpack-aeb94540c5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor

Bumps the webpack group with 1 update in the / directory: webpack-dev-server.

Updates webpack-dev-server from 5.2.5 to 6.0.0

Release notes

Sourced from webpack-dev-server's releases.

v6.0.0

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @​bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @​bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build, allowing the package to be consumed from both ESM and CommonJS without relying on require(ESM) for CommonJS consumers. (by @​bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @​bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @​bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @​bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @​bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @​bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @​bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @​bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @​bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @​bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @​bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @​bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @​bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @​bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @​bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @​bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @​bjohansebas in #5674)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

6.0.0

Major Changes

  • Bump Express to v5. See the Express 5 migration guide for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Bump the webpack peer dependency range from ^5.0.0 to ^5.101.0. (by @​bjohansebas in #5674)

  • Drop support for Node.js < 22.15.0. (by @​bjohansebas in #5674)

  • Convert the source to native ES modules. The package keeps "type": "module" and now exposes both an ESM and a CommonJS build via the exports field: ESM consumers import the native lib/, while CommonJS consumers require() a transpiled dist/ build — so the package works from both ESM and CommonJS, including environments where require(ESM) is not supported. (by @​bjohansebas in #5674)

  • Remove CLI flags. Use the serve command from webpack-cli together with a configuration file or the programmatic API instead. (by @​bjohansebas in #5674)

  • Remove the internalIP and internalIPSync static methods from Server. Resolve the local IP yourself if you need it. (by @​bjohansebas in #5674)

  • Remove the bypass option from proxy configuration. Use the router or context options provided by http-proxy-middleware instead. (by @​bjohansebas in #5674)

  • Remove SockJS support. The webSocketServer option no longer accepts "sockjs"; use the default "ws" transport instead. (by @​bjohansebas in #5674)

  • Remove the spdy dependency. Use the built-in node:http2 module via the server option for HTTP/2 support. (by @​bjohansebas in #5674)

  • Update http-proxy-middleware to v4. See the http-proxy-middleware v3 release notes and v4 release notes for the full list of breaking changes. (by @​bjohansebas in #5674)

  • Update webpack-dev-middleware to v8 and sync originalUrl for middleware compatibility. server.middleware.getFilenameFromUrl() is now asynchronous and resolves to { filename, extra: { stats, outputFileSystem } }. See the webpack-dev-middleware v8 release notes for details. (by @​bjohansebas in #5674)

Minor Changes

  • Add plugin support. webpack-dev-server can now be used as a webpack plugin, integrating with the compiler lifecycle without explicitly passing a compiler, preventing multiple server starts on recompilation, ensuring clean shutdown, and supporting MultiCompiler setups with multiple independent plugin servers. (by @​bjohansebas in #5674)

  • Enable the compression middleware for HTTP/2 connections. (by @​bjohansebas in #5674)

  • Remove the colorette dependency in favor of native ANSI styling. (by @​bjohansebas in #5674)

  • Update chokidar to v5 and extend watchFiles.options.ignored to support glob string patterns via tinyglobby. (by @​bjohansebas in #5674)

  • Use compiler.platform to determine the target environment instead of inspecting the resolved target string. Universal targets ("universal" or ["web", "node"], where compiler.platform.universal is true since webpack 5.108.0) are treated as web targets so the client runtime is injected. (by @​bjohansebas in #5674)

  • Use the WHATWG URL API instead of the deprecated url.parse. (by @​bjohansebas in #5674)

Patch Changes

  • Bump production dependencies, notably open to v11 and p-retry to v8. (by @​bjohansebas in #5674)

  • Reject cross-site requests to the internal open-editor and invalidate endpoints. They performed state-changing actions (opening a file in the editor, forcing a recompilation) on any GET request, so a page the developer visited could trigger them. They now require a same-origin request, validated via Sec-Fetch-Site with an Origin/Host fallback. (by @​bjohansebas in #5691)

  • Treat loopback aliases (127.0.0.1, ::1, localhost) as equivalent in isSameOrigin so the WebSocket client does not reject valid same-origin connections. (by @​bjohansebas in #5674)

  • Migrate the test suite from Jest to node:test and set up the jsdom environment. (by @​bjohansebas in #5674)

... (truncated)

Commits
  • 05cb792 chore(release): new release (#5692)
  • a451839 fix: handle middleware teardown in plugin mode (#5703)
  • c2d23a7 fix: load ESM-only dependencies with native import() in the CommonJS build (#...
  • ba54764 fix: reject cross-site requests to open-editor and invalidate endpoints (#5691)
  • 2b369b3 fixup!
  • 08a0ea7 fix: ensure undefined options default to an empty object in Server constructor
  • 797b9e7 fix: handle undefined options in Server constructor
  • e90221c feat: plugin support (#5650)
  • 4c351e1 feat: support universal platform as a web target (#5690)
  • 2236aa4 chore: update http-proxy-middleware to version 4.1.1 and add tests for pathRe...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added PR: dependencies Pull requests that update a dependency file PR: waiting for review For PRs that are complete, tested, and ready for review labels Jul 3, 2026
@FreeTubeBot FreeTubeBot enabled auto-merge (squash) July 3, 2026 08:53
@dependabot dependabot Bot changed the title Bump webpack-dev-server from 5.2.5 to 6.0.0 in the webpack group Bump webpack-dev-server from 5.2.5 to 6.0.0 in the webpack group across 1 directory Jul 3, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-aeb94540c5 branch from 3e57614 to 17252fa Compare July 3, 2026 16:57
Bumps the webpack group with 1 update in the / directory: [webpack-dev-server](https://github.com/webpack/webpack-dev-server).


Updates `webpack-dev-server` from 5.2.5 to 6.0.0
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.5...v6.0.0)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 6.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: webpack
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/webpack-aeb94540c5 branch from 17252fa to a225fdd Compare July 3, 2026 23:26
PikachuEXE
PikachuEXE previously approved these changes Jul 5, 2026

@PikachuEXE PikachuEXE left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dev boots

@absidue

absidue commented Jul 5, 2026

Copy link
Copy Markdown
Member

While pnpm run dev does launch FreeTube correctly, updating any file while it is running glitches and loops gendlessly, with the only way to get out of it being to close FreeTube entirely.

I'm looking into how we can fix that.

@absidue absidue left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed!

I left migrating the script to ESM for a future pull request, to keep the changes here minimal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

PR: dependencies Pull requests that update a dependency file PR: waiting for review For PRs that are complete, tested, and ready for review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants