
Webpack: Bump webpack-dev-middleware to patch high security issue#26655

Merged: valentinpalkovic merged 5 commits into storybookjs:next from jwilliams-met:patch-1 on Apr 10, 2024

Conversation

@jwilliams-met
Contributor

webpack-dev-middleware 6.1.1 contains logged high risk,

GHSA-wr3j-pwj9-hqq6

Closes #

What I did

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fix incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

@nx-cloud

nx-cloud bot commented Mar 27, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 91d7a7f. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution


✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

@JinCoreana

Hello, Storybook team! Thank you for addressing this issue. What's the ETA for the release? Thank you!

@valentinpalkovic valentinpalkovic changed the title Bump webpack-dev-middleware to patch high security issue Webpack: Bump webpack-dev-middleware to patch high security issue Apr 3, 2024
@valentinpalkovic valentinpalkovic added the patch:yes Bugfix & documentation PR that need to be picked to main branch label Apr 3, 2024
@JinCoreana

Hi @valentinpalkovic ,
I am waiting for this fix to resolve a vulnerability issue in my project.
When would this be released? Is it safe that I just override to patched version myself in package.json? Thank you :)

@valentinpalkovic
Contributor

valentinpalkovic commented Apr 10, 2024

Hi @JinCoreana

You don't have to override the version; just update your lock file because webpack-dev-middleware version 6.1.2 is in the allowed defined version range ^6.1.1.

Using yarn >= v2, you can just run yarn up webpack-dev-middleware -R.

I will merge this as soon as CI is green. The next patch version should be released in a couple of days.
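The maintainer's point above is that a caret range such as ^6.1.1 already admits 6.1.2, so refreshing the lock file is enough and no override is needed; the follow-up question is whether every copy of the package, including nested ones, actually got refreshed. The script below is an added example, not Storybook's code or anything from this PR: it implements caret-range matching, walks a constructed package-lock.json (sample data, not a real project's lock file) and reports, for each resolved copy of webpack-dev-middleware, whether it meets the patched floor the maintainer names (6.1.2) and still satisfies the declared range. The package name, floor and range are taken from this thread; the lock-file contents and path layout are assumptions for illustration.

```javascript
'use strict';

// Values quoted from the PR thread.
const PACKAGE = 'webpack-dev-middleware';
const PATCHED_FLOOR = '6.1.2';   // version the maintainer names as fixed
const DECLARED_RANGE = '^6.1.1'; // range shown in the thread

// Constructed sample lock file (lockfileVersion 3 layout), NOT taken from
// any real project: one direct copy already refreshed, one nested copy
// still resolved to the affected version.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/webpack-dev-middleware': { version: '6.1.2' },
    'node_modules/@storybook/builder-webpack5/node_modules/webpack-dev-middleware': { version: '6.1.1' },
  },
});

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^X.Y.Z allows >=X.Y.Z and <(X+1).0.0 when X > 0;
// ^0.Y.Z allows <0.(Y+1).0; ^0.0.Z allows only 0.0.Z.
function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled here');
  const floorStr = range.slice(1);
  const floor = parseVersion(floorStr);
  const v = parseVersion(version);
  if (compareVersions(version, floorStr) < 0) return false;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return v[0] === 0 && v[1] === 0 && v[2] === floor[2];
}

// Find every resolved copy of `pkg` (direct or nested) in the lock file and
// report whether it is at or above the patched floor and inside the range.
function auditLock(lockJson, pkg = PACKAGE, floorVer = PATCHED_FLOOR, range = DECLARED_RANGE) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    results.push({
      path,
      version: entry.version,
      patched: compareVersions(entry.version, floorVer) >= 0,
      inRange: satisfiesCaret(entry.version, range),
    });
  }
  return results;
}

function main() {
  for (const r of auditLock(SAMPLE_LOCK)) {
    const status = r.patched ? 'OK' : 'STILL AFFECTED';
    console.log(`${r.path}: ${r.version} ${status} (satisfies ${DECLARED_RANGE}: ${r.inRange})`);
  }
}

main();
```

Run it with `node` against a real lock file by replacing SAMPLE_LOCK with the file's contents; a nested copy flagged as still affected while being inside the declared range is exactly the case where a lock-file refresh (rather than an override) is the right fix, as the maintainer describes.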

@JinCoreana

Hi @JinCoreana

You don't have to override the version; just update your lock file because webpack-dev-middleware version 6.1.2 is in the allowed defined version range ^6.1.1.

Using yarn >= v2, you can just run yarn up webpack-dev-middleware -R.

I will merge this as soon as CI is green. The next patch version should be released in a couple of days.

Thanks for the response :)
This does not seem to resolve the nested dep here

"webpack-dev-middleware": "^6.1.1",

We will wait for the official patch as it's expected in the next few days. Thank you!

@valentinpalkovic valentinpalkovic merged commit 849de75 into storybookjs:next Apr 10, 2024
storybook-bot pushed a commit that referenced this pull request Apr 10, 2024
Webpack: Bump webpack-dev-middleware to patch high security issue
(cherry picked from commit 849de75)
storybook-bot pushed a commit that referenced this pull request Apr 10, 2024
Webpack: Bump webpack-dev-middleware to patch high security issue
(cherry picked from commit 849de75)
storybook-bot pushed a commit that referenced this pull request Apr 10, 2024
Webpack: Bump webpack-dev-middleware to patch high security issue
(cherry picked from commit 849de75)
storybook-bot pushed a commit that referenced this pull request Apr 11, 2024
Webpack: Bump webpack-dev-middleware to patch high security issue
(cherry picked from commit 849de75)
storybook-bot pushed a commit that referenced this pull request Apr 11, 2024
Webpack: Bump webpack-dev-middleware to patch high security issue
(cherry picked from commit 849de75)
@github-actions github-actions bot mentioned this pull request Apr 11, 2024
12 tasks
@github-actions github-actions bot added the patch:done Patch/release PRs already cherry-picked to main/release branch label Apr 11, 2024
@ndelangen ndelangen removed the patch:yes Bugfix & documentation PR that need to be picked to main branch label Oct 28, 2025

Labels

builder-webpack5 ci:normal dependencies patch:done Patch/release PRs already cherry-picked to main/release branch
