build(deps-dev): bump webpack-dev-server and @rspack/cli

[dependabot]

Bumps webpack-dev-server and @rspack/cli. These dependencies needed to be updated together.
Updates webpack-dev-server from 5.2.3 to 5.2.5

Release notes

Sourced from webpack-dev-server's releases.

v5.2.5

Patch Changes

• Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

• set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

Changelog

Sourced from webpack-dev-server's changelog.

5.2.5

Patch Changes

• Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

• set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

Commits

• c3ee325 chore(release): new release (#5682)
• 60173be feat: add changeset validation and release workflow (#5680)
• 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
• 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
• fd40130 chore(release): 5.2.4
• ece4f36 chore: update deps (#5661)
• a216144 ci: fix test (#5658)
• df073c5 Merge commit from fork
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.

Updates @rspack/cli from 1.7.10 to 2.0.8

Release notes

Sourced from @​rspack/cli's releases.

v2.0.8

What's Changed

Bug Fixes 🐞

• fix: temporarily revert JS parser changes causing runtime errors by @​CPunisher in web-infra-dev/rspack#14343

Other Changes

• chore: bind walltime bench to dedicated CPUs by @​deanjingshui in web-infra-dev/rspack#14336
• chore(ci): update rsdoctor action by @​yifancong in web-infra-dev/rspack#14342

Full Changelog: web-infra-dev/rspack@v2.0.7...v2.0.8

v2.0.7

[!WARNING] v2.0.7 has been deprecated because it may generate incorrect Rspack build outputs.

Please do not install or use v2.0.7. Upgrade to v2.0.8 instead, which was released as the fix for this issue.

What's Changed

New Features 🎉

• feat: add SyncModuleIdsPlugin by @​intellild in web-infra-dev/rspack#14243
• feat(css): support CSS modules options container, function, grid and pure by @​intellild in web-infra-dev/rspack#14189
• feat: support source phase import for WebAssembly modules by @​magic-akari in web-infra-dev/rspack#13864
• feat(watcher): granularity-safe native watcher scan (watchpack FS_ACCURACY) by @​stormslowly in web-infra-dev/rspack#14306
• feat: better circular check plugin by @​ahabhgk in web-infra-dev/rspack#14319
• feat: support rspack magic comment prefix by @​intellild in web-infra-dev/rspack#14323

Performance 🚀

• perf(split-chunks): reduce module grouping overhead by @​LingyuCoder in web-infra-dev/rspack#14209
• perf(sources): preallocate source map mappings buffer by @​SyMind in web-infra-dev/rspack#14288
• perf(module-graph): store dependencies in dense map by @​hardfist in web-infra-dev/rspack#14290
• perf(core): use dense dependency id maps in module graph by @​hardfist in web-infra-dev/rspack#14322

Bug Fixes 🐞

• fix(copy): normalize glob common dir before adding as context dependency by @​stormslowly in web-infra-dev/rspack#14257
• fix: declarator nested webpack exports by @​ahabhgk in web-infra-dev/rspack#14253
• fix(css): preserve import render conditions by @​intellild in web-infra-dev/rspack#14218
• fix(lazy-compilation): reserve closure-library externals on inactive proxy by @​stormslowly in web-infra-dev/rspack#14228
• fix(css): align dashed idents with webpack by @​intellild in web-infra-dev/rspack#14261
• fix: preserve shared fallback versions by @​2heal1 in web-infra-dev/rspack#14219
• fix(library): implement JsonpLibraryPlugin for output.library.type: 'jsonp' by @​logonoff in web-infra-dev/rspack#14278
• fix(watcher): carry dependency deltas across coalesced rebuilds by @​stormslowly in web-infra-dev/rspack#14279
• fix(rstest): support mocking dynamic import() of external modules by @​fi3ework in web-infra-dev/rspack#14247
• fix(css): include local name in hash-only local idents by @​intellild in web-infra-dev/rspack#14334

Refactor 🔨

• refactor: parse magic comments with swc by @​intellild in web-infra-dev/rspack#14264
• refactor(devtool): propagate source map kind to generators by @​intellild in web-infra-dev/rspack#14283
• refactor: swc exp for javascript parser plugin by @​CPunisher in web-infra-dev/rspack#14256

Document 📖

• docs: add TanStack Start to ecosystem guide by @​chenjiahan in web-infra-dev/rspack#14259

... (truncated)

Commits

• d067a0c chore(release): release 2.0.8
• 2e16749 chore: release version 2.0.7 (#14338)
• c2bff8b chore: refactor js api bench by tinybench (#14258)
• 66e23b5 chore: release 2.0.6 (#14251)
• 8e2cfd4 chore(deps): update dependency @​rslib/core to ^0.22.0 (#14224)
• 1abc53d chore(deps): update patch npm dependencies (#14222)
• 783f31a chore: release version 2.0.5 (#14155)
• d05392f fix(cli): block prototype-pollution payloads in --env parsing (#14165)
• c93016a chore(deps): update patch npm dependencies (#14132)
• 556d466 chore: release v2.0.4 (#14094)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
react-forms	Ready	Preview, Comment	Jun 22, 2026 7:36am

[dependabot]

Looks like these dependencies are no longer updatable, so this is no longer needed.