Backport security fix from v5.2.1: disable dev client for non-Chromium browsers

Wajih-Ul-Hasan · Wajih-Ul-Hasan · commit c0c647f77de0 · 2025-07-11T18:04:48.000+05:00
diff --git a/lib/Server.js b/lib/Server.js
@@ -1,5 +1,9 @@
 "use strict";
 
+function isChromiumBased(userAgentHeader) {
+  return Boolean(userAgentHeader && userAgentHeader.includes('Chrome'));
+}
+
 const os = require("os");
 const path = require("path");
 const url = require("url");
@@ -2103,6 +2107,12 @@ class Server {
         /** @type {import("webpack-dev-middleware").API<Request, Response>}*/
         (middleware).waitUntilValid((stats) => {
           res.setHeader("Content-Type", "text/html");
+
+          if (!isChromiumBased(req.headers['user-agent'])) {
+            res.end('<!DOCTYPE html><html><body><h2>Access blocked: Please use a Chromium-based browser (Chrome, Edge, etc.).</h2></body></html>');
+            return;
+          }
+
           res.write(
             '<!DOCTYPE html><html><head><meta charset="utf-8"/></head><body>'
           );
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "webpack-dev-server",
-  "version": "4.15.2",
+  "name": "webpack-dev-server-wajih",
+  "version": "4.6.0-patched",
   "description": "Serves a webpack app. Updates the browser on changes.",
   "bin": "bin/webpack-dev-server.js",
   "main": "lib/Server.js",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`		`- "name": "webpack-dev-server",`
`3`		`- "version": "4.15.2",`
	`2`	`+ "name": "webpack-dev-server-wajih",`
	`3`	`+ "version": "4.6.0-patched",`
`4`	`4`	`"description": "Serves a webpack app. Updates the browser on changes.",`
`5`	`5`	`"bin": "bin/webpack-dev-server.js",`
`6`	`6`	`"main": "lib/Server.js",`