DEV Community

George Payne

Do Other Bundlers Have Same Webpack Path Vulnerability

This is basically an entire open door to harass any code on a developer's machine.

I noted that React18 still has Express and webpack-dev-server in its default package-lock.json file (even though people say create-react-app abstracts away the need for a compiler, stating using Webpack with React would be to "migrate" from create-react-app defaults to Webpack).

Please see this latest GitHub Dependabot report "Path traversal in webpack-dev-middleware #12" stating "When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content (e.g. password, configuration files, private source code, ...)." (https://github.com/secretLabHQ389/react18-travel-app/security/dependabot/12).

Do Vite or ESBuild have any similar vulnerability?

Or does only Webpack have this vulnerability?

Any suggestions for other bundlers?
