@docusaurus/code latest version used webpack-dev-server@4.15.2, which has Security Vulnerability

[naico-wang]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

Security Vulnerability found by Trivy:

Of course we can override the reference, but can we fix this officially?

Thanks.

Reproducible demo

No response

Steps to reproduce

1. npm ls webpack-dev-server
2. find the result

Expected behavior

Use the version which is higher than 5.2.1

Actual behavior

No functional affect, but for the security issue.

Trivy report shows the vulnerability

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Self-service

• I'd be willing to fix this bug myself.

[slorber]

We will fix it if there is a backport to dev server v4 (looks planned: webpack/webpack-dev-server#5514), otherwise it requires a breaking change since this upgrades our minimum Node.js version.

See also #11252 (comment)