{"id":21301716,"url":"https://github.com/funbox/webpack-dev-server-firewall","last_synced_at":"2026-02-21T07:02:21.691Z","repository":{"id":38419024,"uuid":"281399497","full_name":"funbox/webpack-dev-server-firewall","owner":"funbox","description":"Prevents access to dev server from unknown IPs","archived":false,"fork":false,"pushed_at":"2024-05-13T14:23:51.000Z","size":422,"stargazers_count":17,"open_issues_count":1,"forks_count":2,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-10-29T02:47:49.259Z","etag":null,"topics":["firewall","webpack","webpack-dev-server"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/funbox.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-07-21T13:02:44.000Z","updated_at":"2024-05-13T14:23:58.000Z","dependencies_parsed_at":"2025-07-11T20:31:20.101Z","dependency_job_id":"6ba1de08-4cbc-4ab7-a3c9-bd9e8357d822","html_url":"https://github.com/funbox/webpack-dev-server-firewall","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/funbox/webpack-dev-server-firewall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/funbox%2Fwebpack-dev-server-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/funbox%2Fwebpack-dev-server-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/funbox%2Fwebpack-dev-server-firewall/releases","manifests_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/funbox%2Fwebpack-dev-server-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/funbox","download_url":"https://codeload.github.com/funbox/webpack-dev-server-firewall/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/funbox%2Fwebpack-dev-server-firewall/sbom","scorecard":{"id":413740,"data":{"date":"2025-08-11","repo":{"name":"github.com/funbox/webpack-dev-server-firewall","commit":"40479d6815272cfb87c49b8760a66b89a411b23a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Code-Review","score":4,"reason":"Found 2/5 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/node.js.yml:1","Warn: no topLevel permission defined: .github/workflows/publish.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the 
repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/funbox/webpack-dev-server-firewall/node.js.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/funbox/webpack-dev-server-firewall/node.js.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/funbox/webpack-dev-server-firewall/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/funbox/webpack-dev-server-firewall/publish.yml/master?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no 
GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"20 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh","Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w","Warn: Project is vulnerable to: 
GHSA-m6fv-jmcg-4jfg","Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T23:18:10.609Z","repository_id":38419024,"created_at":"2025-08-18T23:18:10.609Z","updated_at":"2025-08-18T23:18:10.609Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29675916,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-21T06:23:40.028Z","status":"ssl_error","status_checked_at":"2026-02-21T06:23:39.222Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","webpack","webpack-dev-server"],"created_at":"2024-11-21T15:50:31.247Z","updated_at":"2026-02-21T07:02:21.677Z","avatar_url":"https://github.com/funbox.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
@funboxteam/webpack-dev-server-firewall\n\n[![npm](https://img.shields.io/npm/v/@funboxteam/webpack-dev-server-firewall.svg)](https://www.npmjs.com/package/@funboxteam/webpack-dev-server-firewall)\n\nThe package prevents uncontrolled access to the dev server by asking the developer for manual approval when someone\nconnects to the server from an unknown IP.\n\n[In Russian](./README.ru.md)\n\n## Rationale\n\nWhen frontend developers run webpack-dev-server on localhost, they sometimes want to check the result on different \ndevices (e.g. smartphones, tablets). By default that is hard to do, because the server is bound to `127.0.0.1` and isn't \nallowed to receive connections from other computers.  \n\nSo, most of the time developers rebind the server to `0.0.0.0` (by setting the `host` option in the webpack config) to make \nit available over the local network. But at the same time this grants anyone on the same network \npermission to connect to the server, see the project and steal the code. Dev servers usually also serve source maps, \nwhich makes the source code fully visible too. \n\nSuch a dev server setup may harm even pet projects if there are any sensitive credentials in the source code. \n\nThis firewall prevents unwanted connections to the server. It intercepts all incoming requests, \nchecks their hosts' IPs against the list of allowed ones, and either passes them through or denies them.  
\n\n## Installation\n\n```bash\nnpm install --save-dev @funboxteam/webpack-dev-server-firewall\n```\n\n## Usage\n\nTo use the package, add it to your project's webpack config in `devServer.setupMiddlewares`:\n\n```js\nconst firewall = require('@funboxteam/webpack-dev-server-firewall');\n\n// or, with ES modules:\n\nimport { firewall } from '@funboxteam/webpack-dev-server-firewall';\n\nmodule.exports = {\n  // ...\n  devServer: {\n    // ...\n    setupMiddlewares: (middlewares, devServer) =\u003e {\n      firewall(devServer);\n      // ...\n      return middlewares;\n    },\n  },\n};\n```\n\nFor older webpack-dev-server versions use:\n\n- `devServer.onBeforeSetupMiddleware` for [\u003c4.7.0](https://github.com/webpack/webpack-dev-server/releases/tag/v4.7.0);\n- `devServer.before` for [\u003c4.0.0](https://github.com/webpack/webpack-dev-server/releases/tag/v4.0.0);\n- `devServer.setup` for [\u003c2.9.0](https://github.com/webpack/webpack-dev-server/releases/tag/v2.9.0).\n\nThe `firewall` function expects an [Express application](https://expressjs.com/en/4x/api.html#app) as an argument.\n\nIt's important to run `firewall` before other hooks.\n\n## How it works\n\nBy default the package allows requests from `127.0.0.1` only.\nWhen a request from another IP arrives, the package asks for the developer's approval in the terminal \nwhere webpack-dev-server is running:\n\n```text\nChild serviceworker-plugin:\n     1 asset\n    Entrypoint undefined = sw.js\n    [./src/app/sw.js] 2.82 KiB {0} [built]\nℹ ｢wdm｣: Compiled with warnings.\n# ↑ webpack log\n192.168.1.46 is trying to get access to the server. Allow? [yes / no]:\n``` \n\nIf the developer approves the connection, the IP is added to the list of known hosts,\nand all subsequent connections from it will be allowed automatically.\n\n```text\n192.168.1.46 has been added to known hosts.\n``` \n\nIf the developer denies the connection, the client using that IP will get a response with HTTP status code 403.\n\n### Important details\n\n1. 
The package **does not** work as a filter of unwanted connections.\n\n   If the developer denies the connection once, it doesn't mean that it will be ignored in the future.\n   In case of reconnection from the suspicious IP, the package will ask for the developer's approval again.\n   \n   It works this way to be sure that the developer will be notified about all suspicious incoming connections. \n\n2. The package **does not** guarantee complete protection against intruders.\n\n   The package doesn't check in any way that the client IP belongs \n   to the same computer that it did when the IP was allowed. It means that when the DHCP settings are changed\n   (or much easier: when the developer connects to a different network) the address allocation rules\n   will change too, and an earlier allowed address may be allocated to a new computer,\n   which may be used by an intruder. \n   \n   To improve security, clear the list of allowed IPs every time you run the server.\n   See the “[Additional](#additional)” section for details.\n   \n3. The list of known IP addresses is stored in `~/.funbox_webpack_known_hosts`.\n\n   If you want to remove any IP from the known hosts, you can do it manually.\n   \n   Among other things, this means that the list of allowed IPs is the same for all projects running on the machine.\n\n4. To avoid confusion the package expects a clear `yes` as request confirmation.    \n\n   A short answer such as `y` is not allowed. Any other answer except `yes` means `no`.\n\n## Additional\n\n### CLI\n\nThe package has a small CLI that lets you clear the list of allowed IPs:\n\n```bash\nwebpack-dev-server-firewall forget-known-hosts\n```\n\nIt's important to note that when the firewall starts, the list of allowed IPs is loaded from the file and stored in RAM.\nSo the CLI command described above should be used when the server is stopped. 
Otherwise the file may be overwritten \nby the firewall instance.\n\n### Methods\n\nBesides the `onBeforeSetupMiddleware` hook, the package exports a `forgetKnownHosts` method that can be used to clear \nthe list of allowed IPs from a JS script.\n\nE.g. the code below clears the list on every server start:\n\n```js\nconst firewall = require('@funboxteam/webpack-dev-server-firewall');\n\nfirewall.forgetKnownHosts();\n\nmodule.exports = {\n  // ...\n  devServer: {\n    // ...\n    onBeforeSetupMiddleware: firewall,\n  },\n};\n```\n\n## Resources\n\n- [Protect your dev server](https://dev.to/igoradamenko/protect-your-dev-server-gob)\n\n[![Sponsored by FunBox](https://funbox.ru/badges/sponsored_by_funbox_centered.svg)](https://funbox.ru)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffunbox%2Fwebpack-dev-server-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffunbox%2Fwebpack-dev-server-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffunbox%2Fwebpack-dev-server-firewall/lists"}