[Snyk] Security upgrade webpack-dev-server from 3.7.1 to 4.0.0

[q1blue]

Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• www/build_common/package.json
• www/build_common/yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Directory Traversal SNYK-JS-TAR-15032660	149
	Directory Traversal SNYK-JS-TAR-15127355	129

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal

---

Important

Upgrade webpack-dev-server to 4.0.0 to fix directory traversal vulnerabilities in package.json and yarn.lock.

• Dependencies:
  • Upgrade webpack-dev-server from 3.7.1 to 4.0.0 in package.json and yarn.lock to fix directory traversal vulnerabilities.
• Security:
  • Addresses vulnerabilities SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355 with scores 149 and 129 respectively.
• Misc:
  • Note for zero-installs users: .yarn/cache/ not updated, requires running yarn to update cache.

^{This description was created by for 4fd38f3. You can customize this summary. It will automatically update as commits are pushed.}

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4fd38f3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
buildbot	Error		Jan 30, 2026 6:37am
csb-b6x6kw	Ready	Preview, Comment	Jan 30, 2026 6:37am

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 4fd38f3 in 7 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 0 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_Uizrrpa4sXRfHDKW

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}