Security vulnerability `webpack-dev-server` in `@nx/webpack` (CVE-2024-21536)

[gurisko]

Current Behavior

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Denial of service in http-proxy-middleware             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ http-proxy-middleware                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <2.0.7                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=2.0.7                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > @nx/next@20.1.0 > @nx/webpack@20.1.0 >             │
│                     │ webpack-dev-server@5.0.4 > http-proxy-middleware@2.0.6 │
│                     │                                                        │
│                     │ . > @nx/webpack@20.1.0 > webpack-dev-server@5.0.4 >    │
│                     │ http-proxy-middleware@2.0.6                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-c7qv-q95q-8v27      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Expected Behavior

No reported vulnerability.

GitHub Repo

No response

Steps to Reproduce

1. Run pnpm audit (or similar)

Nx Report

Node           : 22.9.0
OS             : linux-x64
Native Target  : x86_64-linux
pnpm           : 9.12.3

nx                 : 20.1.0
@nx/js             : 20.1.0
@nx/jest           : 20.1.0
@nx/linter         : 19.5.0
@nx/eslint         : 20.1.0
@nx/workspace      : 20.1.0
@nx/devkit         : 20.1.0
@nx/eslint-plugin  : 20.1.0
@nx/express        : 20.1.0
@nx/nest           : 20.1.0
@nx/next           : 20.1.0
@nx/node           : 20.1.0
@nx/react          : 20.1.0
@nx/web            : 20.1.0
@nx/webpack        : 20.1.0
typescript         : 5.6.3
---------------------------------------
Registered Plugins:
@nx/next/plugin
@nx/eslint/plugin
@nx/webpack/plugin
---------------------------------------
Community plugins:
@nx-extend/shadcn-ui : 4.1.2
---------------------------------------
The following packages should match the installed version of nx
  - @nx/linter@19.5.0

To fix this, run `nx migrate nx@20.1.0`

Failure Logs

Package Manager Version

No response

Operating System

• macOS
• Linux
• Windows
• Other (Please specify)

Additional Information

No response

[FrozenPandaz]

The issue from webpack-dev-server has been resolved but a version has not been published yet.

If you want to get rid of this vulnerability for yourself, you can regenerate your lockfile and the version range should pick up the patched version.

When webpack-dev-server releases a new version we can update our dependency.

[github-actions]

This issue has been closed for more than 30 days. If this issue is still occuring, please open a new issue with more recent context.