chore(deps): bump webpack-dev-server from 5.2.3 to 5.2.4 in /docs#355
chore(deps): bump webpack-dev-server from 5.2.3 to 5.2.4 in /docs#355dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.3 to 5.2.4. - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v5.2.3...v5.2.4) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-version: 5.2.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Dependabot patch bump of webpack-dev-server (dev-only dependency for docs site).
Extended reasoning...
Overview
This PR is an automated Dependabot patch bump of webpack-dev-server from 5.2.3 to 5.2.4 in /docs. The only file changed is docs/pnpm-lock.yaml. The new version is a security fix that sets the Cross-Origin-Resource-Policy header to prevent source code theft over HTTP. The lockfile also picks up incidental transitive bumps (caniuse-lite, baseline-browser-mapping, nanoid 3.3.11→3.3.12, semver 7.7.4→7.8.0, @emnapi/runtime) as normal pnpm resolution artifacts.
Security risks
None of concern. webpack-dev-server is a development-only dependency used by Docusaurus during local docs work; it does not ship to production. The bump is itself a security fix.
Level of scrutiny
Low. Patch-level dev-dependency bump in a docs subproject, lockfile-only, originated by Dependabot, with a documented upstream security improvement.
Other factors
The bug hunting system reported no findings. The only timeline noise is Dependabot complaining about a missing npm label in dependabot.yml — that's a repo-config nit, not a code concern.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c25ce5be0e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| version: 3.9.2(@mdx-js/react@3.1.1(@types/react@19.2.14)(react@19.2.4))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) | ||
| '@mdx-js/react': | ||
| specifier: ^3.0.0 | ||
| specifier: ^3.1.1 |
There was a problem hiding this comment.
This change updates importer specifier ranges in docs/pnpm-lock.yaml (for example @mdx-js/react to ^3.1.1, and similarly clsx, prism-react-renderer, eslint-plugin-react, and prettier) without updating docs/package.json, which still declares older ranges (^3.0.0, ^2.0.0, ^2.3.0, ^7.35.0, ^3.3.0). That leaves the lockfile metadata inconsistent with the manifest and can break reproducible installs in environments using pnpm install --frozen-lockfile for docs.
Useful? React with 👍 / 👎.
Bumps webpack-dev-server from 5.2.3 to 5.2.4.
Release notes
Sourced from webpack-dev-server's releases.
Changelog
Sourced from webpack-dev-server's changelog.
Commits
fd40130chore(release): 5.2.4ece4f36chore: update deps (#5661)a216144ci: fix test (#5658)df073c5Merge commit from forkDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.