js · webpack-dev-server
Heads-up
webpack-dev-server: Proxy with broad context and ws:true leaks HMR WebSocket
A security advisory was published for webpack-dev-server.
What changed
The advisory describes a user-configured proxy with a broad context (for example '/') and ws: true intercepting the dev server's own HMR WebSocket. The intercepted upgrade request carries the browser's cookies and Origin header to the proxy target, bypasses the dev server's Host/Origin validation, and corrupts the HMR socket.
Who it affects
Users of webpack-dev-server who configure a proxy with a broad context (e.g., '/') and ws: true.
What to do today
Update webpack-dev-server to version 5.2.5 or later. Alternatively, scope the user-defined proxy context to specific paths instead of '/', or omit ws: true from the proxy entry when WebSocket forwarding is not required.
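The risky and the scoped proxy configuration side by side, plus a small load-time check that flags entries whose context would also match the HMR socket path. This is an added illustration, not webpack-dev-server's own code; it assumes the HMR socket is served at '/ws' (the dev server's default client path), the v5 array form of `proxy`, and http-proxy-middleware's prefix semantics for string contexts.

```javascript
// Added illustration, not webpack-dev-server's own code: the risky proxy entry
// from the advisory beside a scoped one, plus a check that flags proxy entries
// whose context would also match the dev server's own HMR WebSocket path.
// ASSUMPTIONS: the HMR socket is served at '/ws' (webpack-dev-server's default
// client path), `proxy` is the v5 array form, and string contexts match as
// path prefixes while '**' matches everything, as in http-proxy-middleware.

const HMR_SOCKET_PATH = '/ws'; // assumed default; adjust if webSocketServer.options.path differs

// Risky: '/' is a prefix of every path, including /ws, so with ws: true the
// HMR upgrade request is forwarded to the backend instead of the dev server.
const riskyDevServer = {
  proxy: [{ context: ['/'], target: 'http://localhost:3000', ws: true }],
};

// Mitigated, as the advisory recommends: only API paths are proxied, so the
// HMR socket upgrade is still handled by the dev server itself.
const scopedDevServer = {
  proxy: [{ context: ['/api', '/graphql'], target: 'http://localhost:3000', ws: true }],
};

// Does a proxy context (string, array, or matcher function) match `pathname`?
function contextMatches(context, pathname) {
  if (Array.isArray(context)) return context.some((c) => contextMatches(c, pathname));
  if (typeof context === 'function') return Boolean(context(pathname, { url: pathname, headers: {} }));
  if (typeof context !== 'string') return false;
  if (context === '**' || context === '/**') return true; // catch-all globs
  if (context.includes('*')) return false; // other glob patterns are not modelled here
  return pathname.startsWith(context); // plain string contexts are prefix matches
}

// Return the proxy entries that would swallow the HMR WebSocket upgrade.
function entriesCapturingHmrSocket(devServer, hmrPath = HMR_SOCKET_PATH) {
  return (devServer.proxy || []).filter(
    (entry) => entry.ws === true && contextMatches(entry.context, hmrPath),
  );
}

// Usage: fail fast when the config is loaded if the dev server would leak its socket.
function assertProxyKeepsHmrSocket(devServer) {
  const bad = entriesCapturingHmrSocket(devServer);
  if (bad.length > 0) {
    throw new Error(`proxy context ${JSON.stringify(bad[0].context)} with ws: true captures ${HMR_SOCKET_PATH}`);
  }
  return devServer;
}
```

Wrap the `devServer` object of your webpack config in `assertProxyKeepsHmrSocket` so a broad context with ws: true is rejected before the dev server starts.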