react-scripts/ webpack-dev-server #19599

hilalevx · 2025-06-10T08:48:10Z

hilalevx
Jun 10, 2025

I'm using react-scripts@5.0.1, which is locked to webpack-dev-server@4.x.
A vulnerability was found: CVE-2025-30360
While webpack5.2.1 fixes the CVE (using override), the upgrade doesn't let me run the app. I get this error on npm start:
Invalid options object. Dev Server has been initialized using an options object that does not match the API schema.
options has an unknown property 'onAfterSetupMiddleware'. These properties are valid:
object { allowedHosts?, bonjour?, client?, compress?, devMiddleware?, headers?, historyApiFallback?, host?, hot?, ipc?, liveReload?, onListening?, open?, port?, proxy?, server?, app?, setupExitSignals?, setupMiddlewares?, static?, watchFiles?, webSocketServer? }

any solutions?

alexander-akait · 2025-06-10T11:46:31Z

alexander-akait
Jun 10, 2025
Maintainer

Unfortunately react-scripts is not supported webpack-dev-server@5, we are preparing security fixes for v4

4 replies

dongnguyen-au Jun 25, 2025

@alexander-akait any update?

chris-hook Jul 2, 2025

@alexander-akait Bump

alexander-akait Jul 3, 2025
Maintainer

Still WIP, ETA around this week or early next week

chris-hook Jul 3, 2025

@alexander-akait you're awesome. Appreciate all of your hard work

Wajih-Ul-Hasan · 2025-07-10T11:41:59Z

Wajih-Ul-Hasan
Jul 10, 2025

@alexander-akait can you provide the any alternative to resolve this issue we need to fix it for our client by the end of the next Monday.

2 replies

alexander-akait Jul 10, 2025
Maintainer

You can send a PR with backporting fixes to v4, I am planning to do it, but can't find time right now

Wajih-Ul-Hasan Jul 11, 2025

@alexander-akait PR created with backporting fixes to v4.

Wajih-Ul-Hasan · 2025-07-14T07:56:46Z

Wajih-Ul-Hasan
Jul 14, 2025

@alexander-akait I simply override "webpack-dev-server" to version "^5.2.2", and it fixed my issue. Since webpack-dev-server is only used for local development, and production environments serve only static files, this override does not affect the app’s behavior in production — at least as far as I understand it.

1 reply

alexander-akait Jul 14, 2025
Maintainer

Yeah, webpack-dev-server is only for development env

Uh oh!

react-scripts/ webpack-dev-server #19599

Uh oh!

hilalevx Jun 10, 2025

Replies: 3 comments · 7 replies

Uh oh!

alexander-akait Jun 10, 2025 Maintainer

Uh oh!

dongnguyen-au Jun 25, 2025

Uh oh!

Uh oh!

chris-hook Jul 2, 2025

Uh oh!

alexander-akait Jul 3, 2025 Maintainer

Uh oh!

chris-hook Jul 3, 2025

Uh oh!

Wajih-Ul-Hasan Jul 10, 2025

Uh oh!

alexander-akait Jul 10, 2025 Maintainer

Uh oh!

Uh oh!

Wajih-Ul-Hasan Jul 11, 2025

Uh oh!

Uh oh!

Wajih-Ul-Hasan Jul 14, 2025

Uh oh!

alexander-akait Jul 14, 2025 Maintainer

hilalevx
Jun 10, 2025

Replies: 3 comments 7 replies

alexander-akait
Jun 10, 2025
Maintainer

alexander-akait Jul 3, 2025
Maintainer

Wajih-Ul-Hasan
Jul 10, 2025

alexander-akait Jul 10, 2025
Maintainer

Wajih-Ul-Hasan
Jul 14, 2025

alexander-akait Jul 14, 2025
Maintainer