
chore: Bump webpack-dev-server to resolve DOS vulnerability #10266

Conversation


@bo-carey bo-carey commented Jul 3, 2024

Pre-flight checklist

  • I have read the Contributing Guidelines on pull requests.
  • If this is a code change: I have written unit tests and/or added dogfooding pages to fully verify the new behavior.
  • If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Test Plan

Test links

Deploy preview: https://deploy-preview-_____--docusaurus-2.netlify.app/

Related issues/PRs

@facebook-github-bot
Contributor

Hi @bo-carey!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at [email protected]. Thanks!


github-actions bot commented Jul 3, 2024

⚡️ Lighthouse report for the deploy preview of this PR

| URL | Performance | Accessibility | Best Practices | SEO | Report |
| --- | --- | --- | --- | --- | --- |
| / | 🟠 60 | 🟢 98 | 🟢 96 | 🟢 100 | Report |
| /docs/installation | 🟠 72 | 🟢 97 | 🟢 100 | 🟢 100 | Report |
| /docs/category/getting-started | 🟠 75 | 🟢 100 | 🟢 100 | 🟠 86 | Report |
| /blog | 🟠 69 | 🟢 100 | 🟢 100 | 🟠 86 | Report |
| /blog/preparing-your-site-for-docusaurus-v3 | 🔴 48 | 🟢 96 | 🟢 100 | 🟢 100 | Report |
| /blog/tags/release | 🟠 69 | 🟢 100 | 🟢 100 | 🟠 86 | Report |
| /blog/tags | 🟠 75 | 🟢 100 | 🟢 100 | 🟠 86 | Report |

@facebook-github-bot facebook-github-bot added the "CLA Signed" label Jul 3, 2024
@facebook-github-bot
Contributor

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

@slorber
Collaborator

slorber commented Jul 3, 2024

Going to close this as a possible supply chain attack attempt @bo-carey

[Screenshot: CleanShot 2024-07-03 at 18 25 37@2x]

I'll report your account to GitHub in 24h unless you clearly explain what this PR is about, and explain what this URL "https://nexus.use1.infra-pure.cloud/" is.

@bo-carey
Author

bo-carey commented Jul 3, 2024

@slorber Oh, sorry that is due to my npm settings resolving to my own registry. Completely unintentional. I'll close the PRs and run them again from the default registry.

@bo-carey bo-carey deleted the bo-carey/webpack-bundle-analyzer-4.10.2 branch July 3, 2024 17:03
@slorber
Collaborator

slorber commented Jul 3, 2024

I understand the mistake, but can't just trust your words considering the possible harm this PR could do.

I'll also ask you to explain what vulnerability is fixed by upgrading what dependency. Please give external links to each of the 3 vulnerabilities you attempt to fix and give your motivations to get them fixed. How did you find out about these vulnerabilities?

Otherwise I still have to report you.

We just added Socket security to the repo to prevent such possible issues in the future.

@Josh-Cena
Collaborator

Josh-Cena commented Jul 3, 2024

@bo-carey: there's absolutely no need to try to fix these issues. The ones you are fixing are dev dependencies and don't have actual attack vectors. Your bumps are across minor versions which means even if we don't change our package.json, users will automatically get the latest, vuln-free version, and we personally don't care.

@bo-carey
Author

bo-carey commented Jul 3, 2024

> I understand the mistake, but can't just trust your words considering the possible harm this PR could do.
>
> I'll also ask you to explain what vulnerability is fixed by upgrading what dependency. Please give external links to each of the 3 vulnerabilities you attempt to fix and give your motivations to get them fixed. How did you find out about these vulnerabilities?
>
> Otherwise I still have to report you.
>
> We just added Socket security to the repo to prevent such possible issues in the future.

Totally understand. I was just trying to be proactive to help with vulnerabilities marked by Snyk, which is what I'm personally using as a security monitor. The vulnerabilities are documented on their site, but I'll link them here for posterity:

I realize that consumers can resolve these issues themselves. Sorry for the misunderstanding! I'll be sure to double check my changes in the future.

@slorber
Collaborator

slorber commented Jul 4, 2024

Thanks for the explanations

This looks like a legit mistake, I won't report it 👍

Indeed those vulnerabilities are probably not worth fixing, unless a proven attack vector exists to exploit them.

Related
https://overreacted.io/npm-audit-broken-by-design/
