build(deps): Bump webpack-dev-server from 5.2.2 to 5.2.4 #1004

Merged: BrandtH22 merged 1 commit into main from dependabot/npm_and_yarn/webpack-dev-server-5.2.4 on May 28, 2026

Conversation

@dependabot (Bot, Contributor) commented on behalf of github on May 20, 2026

Bumps webpack-dev-server from 5.2.2 to 5.2.4.

Release notes

Sourced from webpack-dev-server's releases.

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

Changelog

Sourced from webpack-dev-server's changelog.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note (Low Risk)
Low risk dependency-only change limited to local dev server tooling; main impact is updated transitive deps (notably selfsigned v5 with new crypto libs) and their Node engine requirements.

Overview
Updates webpack-dev-server from 5.2.2 to 5.2.4 in package-lock.json.

This refreshes several transitive dependencies, including upgrading selfsigned to v5 (dropping node-forge/@types/node-forge in favor of pkijs/@peculiar/x509 and related ASN.1 utilities), plus minor bumps to express/compression and type packages pulled in by the dev server.

Reviewed by Cursor Bugbot for commit 254c917. Bugbot is set up for automated code reviews on this repo.

Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.2 to 5.2.4.
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.2...v5.2.4)

---
updated-dependencies:
- dependency-name: webpack-dev-server
  dependency-version: 5.2.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot added the Changed, dependencies and javascript labels on May 20, 2026

@github-actions commented:
🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how this dependency is used in the repo and what changed in the lockfile.
Verdict: benign

This Dependabot PR is a normal patch bump of an official webpack package, driven by a documented security fix—not supply-chain compromise.

Scanner vs. interpretation

The malware scan reports warn with 76 heuristic hits, but 0 unicode/confusable/IOC findings after allowlisting. Those heuristics are false positives on upstream source, not evidence of compromise:

| Finding | Actual meaning |
|---|---|
| codepoint_decoder in client-src/overlay.js | HTML-entity encoding for the error overlay (surrogate-pair handling), not hidden payload assembly |
| shell_process_spawn in bin/webpack-dev-server.js | Long-standing CLI wrapper: spawns webpack-cli (or prompts to install it)—expected for a dev server binary |
| .exec() in tests | RegExp.exec, not child_process.exec |
| IP / password strings | Example output in DOCUMENTATION-v4.md and changelog text |
| .github/workflows in changed-files list | Upstream repo dev CI scanned across the tag range; not modified in chia-docs' lockfile-only PR |

Dependency integrity

  • chia-docs impact: webpack-dev-server is transitive via @docusaurus/core (used by docusaurus start), not a direct dependency in package.json.
  • PR change: package-lock.json pins webpack-dev-server@5.2.4 from registry.npmjs.org with a standard sha512 integrity hash.
  • Versions: 5.2.2 → 5.2.4 matches tagged upstream releases (195a7e6f..fd401308); no skipped/ghost version.
  • No install hooks: Published package has no preinstall/postinstall/install scripts; prepare is dev-repo-only.

Upstream intent (matches release notes)

The meaningful security change is commit df073c53, tied to GHSA-79cf-xcqc-c78w: sets Cross-Origin-Resource-Policy: same-origin on dev-server responses to reduce cross-origin source theft over HTTP. Other changes (overlay ESC, selfsigned v5, express/qs bumps) are routine maintenance.

Checklist (no red flags)

  • No obfuscation, eval/Function, or suspicious dynamic imports in lib/ or bin/
  • No new exfiltration URLs or unexpected network behavior in runtime code
  • No GlassWorm-style Unicode/homoglyph issues (scanner: 0)
  • No new suspicious npm lifecycle scripts in the published artifact
  • Typosquatting: package name/repo/funding point to webpack/webpack-dev-server

Recommendation

Approve from a supply-chain perspective. The scan warn status reflects noisy heuristics over 191 upstream files in warn-only mode, not malicious content. After merge, a quick npm run start smoke test is reasonable since this affects local dev only, not production docusaurus build output.

Compatibility Analysis

Analyzing how webpack-dev-server is used in this repo and what changed upstream.

Compatibility & adoption — webpack-dev-server 5.2.2 → 5.2.4

1) Where it’s used

| Layer | Detail |
|---|---|
| Direct dependency | None — not listed in package.json. |
| Transitive | @docusaurus/core@3.10.0 declares webpack-dev-server: ^5.2.2; lockfile resolves 5.2.4. |
| Runtime | npm start (docusaurus start) — local dev server, HMR, error overlay. |
| Not used | npm run build, npm run serve, CI deploy (deploy-pages.yml runs npm ci + npm run build only). |
| App code | No imports, no devServer / configureWebpack in docusaurus.config.js or other project sources. |

2) Intersection with upstream changes

No overlap with custom APIs — the repo does not call webpack-dev-server directly.

| Version | Notable changes | Relevance to chia-docs |
|---|---|---|
| 5.2.4 | Default Cross-Origin-Resource-Policy: same-origin on dev responses (source-theft fix) | Dev-only; standard Docusaurus local usage is unaffected. |
| 5.2.3 | Large internal refactor; overlay ESC; lazy-compilation fixes; selfsigned v5 | Only matters if you rely on custom webpack targets or HTTPS dev certs — neither appears configured here. |

Upstream diff 5.2.3 → 5.2.4 is small (~9 files, mainly lib/Server.js + security test). The big diff is 5.2.2 → 5.2.3, but it stays within the same major/minor line Docusaurus already accepts (^5.2.2).

3) Risks / unknowns

  • Production / CI: Very low — deploy path does not start the dev server.
  • Local dev: Low — possible edge case if you load dev assets cross-origin from another site without CORS (CORP hardening); uncommon for a docs site.
  • HTTPS dev: selfsigned v5 only affects optional HTTPS dev-server setup (not used in this repo).
  • Verification gap: CI does not run npm start; confidence rests on lockfile-only change + Docusaurus’s supported range.

Malware scan: warn heuristics only; no IOC/confusable hits — consistent with a normal security patch release (Merge commit from fork for CORP fix).

4) Recommendation

Merge

Patch bump within Docusaurus’s existing range, security-motivated (5.2.4), no direct usage or custom webpack config. npm run build in CI is the meaningful gate; optional smoke test: npm start locally if you want extra assurance for contributors.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 191
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: 195a7e6f7102e48725b1b1fbc3bb80c5df0efedf..fd401308f1cc026262880e2dab810004d6444282
  • Resolved refs: from=195a7e6f7102e48725b1b1fbc3bb80c5df0efedf to=fd401308f1cc026262880e2dab810004d6444282
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 76

Top findings

  • client-src/overlay.js:14 codepoint_decoder :: (input, position) => input.codePointAt(position)
  • client-src/overlay.js:16 codepoint_decoder :: (input.charCodeAt(position) - 0xd800) * 0x400 +
  • client-src/overlay.js:17 codepoint_decoder :: input.charCodeAt(position + 1) -
  • client-src/overlay.js:73 codepoint_decoder :: input.length > 1 ? getCodePoint(input, 0) : input.charCodeAt(0);
  • test/helpers/test-bin.js:24 shell_process_spawn :: // exec(taskkill /pid ${process.pid} /T /F);
  • test/helpers/test-bin.js:57 shell_process_spawn :: const subprocess = execa("node", args, {
  • test/helpers/test-bin.js:66 shell_process_spawn :: subprocess.stdout.pipe(
  • test/helpers/test-bin.js:73 shell_process_spawn :: processKill(subprocess);
  • test/helpers/test-bin.js:81 shell_process_spawn :: subprocess.stderr.pipe(
  • test/helpers/test-bin.js:88 shell_process_spawn :: processKill(subprocess);
  • test/helpers/test-bin.js:96 shell_process_spawn :: subprocess
  • test/cli/basic.test.js:352 shell_process_spawn :: /Project is running at http:\/\/localhost:(\d*)\//.exec(bits);
  • test/cli/basic.test.js:367 shell_process_spawn :: /Project is running at http:\/\/localhost:(\d*)\//.exec(bits);
  • bin/webpack-dev-server.js:13 shell_process_spawn :: const cp = require("node:child_process");
  • bin/webpack-dev-server.js:16 shell_process_spawn :: const executedCommand = cp.spawn(command, args, {
  • client-src/overlay.js:29 shell_process_spawn :: let replaceMatch = macroRegExp.exec(macroText);
  • client-src/overlay.js:41 shell_process_spawn :: } while ((replaceMatch = macroRegExp.exec(macroText)));
  • package-lock.json:9251 shell_process_spawn :: "node_modules/cross-spawn": {
  • package-lock.json:9253 shell_process_spawn :: "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
  • package-lock.json:10606 shell_process_spawn :: "cross-spawn": "^7.0.6",
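The lockfile and lifecycle-script checks listed under Dependency integrity above, written out as a small Node script; this is an added example, not code from the PR, from chia-docs or from webpack-dev-server. It assumes the package-lock.json v3 layout (`packages["node_modules/<name>"]` with `version`, `resolved` and `integrity`); the lockfile fragment and both package.json objects are constructed samples, and the integrity hash is a placeholder.

```javascript
// Constructed lockfile fragment (shape of a package-lock.json v3 entry);
// the integrity value is an obviously fake placeholder, not the real hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/webpack-dev-server": {
      version: "5.2.4",
      resolved: "https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-5.2.4.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
      dev: true,
    },
  },
};

// Checks the three lockfile properties the review relies on: the pinned
// version, the registry the tarball resolves from, and a well-formed
// sha512 Subresource Integrity value. Returns a list of problems (empty = ok).
function auditLockEntry(lock, name, expectedVersion) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (!entry) return [`${name}: no entry in lockfile`];
  const problems = [];
  if (entry.version !== expectedVersion) {
    problems.push(`version is ${entry.version}, expected ${expectedVersion}`);
  }
  let host = "<unparseable>";
  try { host = new URL(entry.resolved).host; } catch (_) { /* reported below */ }
  if (host !== "registry.npmjs.org") {
    problems.push(`resolved from ${host}, not registry.npmjs.org`);
  }
  // sha512 SRI: 64 hash bytes -> 86 base64 chars + "==" padding
  if (!/^sha512-[A-Za-z0-9+/]{86}==$/.test(entry.integrity || "")) {
    problems.push("integrity is not a well-formed sha512 SRI value");
  }
  return problems;
}

// Lifecycle scripts npm runs automatically when a registry tarball is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Given the package.json from the *published* tarball, return which install
// hooks it declares (an empty list matches the "No install hooks" finding).
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Constructed package.json examples: a clean one, and one a reviewer would flag.
const CLEAN_PKG = { name: "webpack-dev-server", scripts: { test: "jest" } };
const FLAGGED_PKG = { name: "example-pkg", scripts: { postinstall: "node ./setup.js" } };
```

Run the two functions against the real package-lock.json and the package.json extracted from the downloaded tarball to reproduce the checks by hand.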

@BrandtH22 (Contributor) left a comment:

lgtm

@BrandtH22 BrandtH22 merged commit 86269a0 into main May 28, 2026
11 checks passed
@BrandtH22 BrandtH22 deleted the dependabot/npm_and_yarn/webpack-dev-server-5.2.4 branch May 28, 2026 16:32