chore: remove universal-hot-reload and webpack-serve from examples #403

Closed
kparkinson-ld wants to merge 2 commits into main from devin/1780948735-remove-universal-hot-reload

kparkinson-ld commented Jun 8, 2026

Contributor

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Resolves Dependabot alerts #250, #249 (uuid), #248, #247 (webpack-dev-server).

Describe the solution you've provided

Removes universal-hot-reload and webpack-serve from both example apps' devDependencies. These packages pulled in vulnerable transitive deps (webpack-dev-server@3.x, uuid@3.4.0, node-forge@0.10.0).

Replaces with explicit webpack CLI build scripts:

  • npm run build — compiles client + server bundles via webpack CLI
  • npm start — builds then runs the server bundle

HMR is removed since these examples are for a deprecated SDK.

Describe alternatives you've considered

Upgrading universal-hot-reload to a version that uses webpack-dev-server@5 would require also upgrading to webpack 5, which is a larger migration.

Additional context

This is one of two follow-up PRs to #401. The other is #402 (react-router-dom v5→v6).

Link to Devin session: https://app.devin.ai/sessions/381e0dd095a446e49ba0e8a9c9022c0c
Requested by: @kparkinson-ld


Note

Low Risk
Dev-only example tooling and scripts; no SDK or production runtime behavior changes.

Overview
Removes universal-hot-reload and webpack-serve from the example apps (async-provider, hoc) to drop vulnerable transitive dependencies. Example workflows now use npm run build (webpack CLI for client + server) and npm start (build then node dist/serverBundle.js); the serve script is gone and HMR is no longer used.

Server bootstrapping is simplified: src/server/index.js only requires the compiled dist/serverBundle instead of wiring hot reload. Client assets are served from the same Express app via /dist/bundle.js (replacing a separate dev-server URL), with webpack publicPath set to /dist/.

Reviewed by Cursor Bugbot for commit c2b3f2b. Bugbot is set up for automated code reviews on this repo.

Remove universal-hot-reload and webpack-serve devDependencies from both
example apps. These packages pulled in vulnerable transitive deps:
- webpack-dev-server@3.x (GHSA-9hcv-j9pv-qmph)
- uuid@3.4.0 (GHSA-rr56-j5qj-qrhg)
- node-forge@0.10.0 (multiple CVEs)

Replace with explicit webpack CLI build scripts. The examples now use
'npm run build' to compile client/server bundles and 'npm start' to
build and run the server. Hot module replacement is removed as these
examples are for a deprecated SDK.
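
A lockfile check for the claim in the description and commit message above, as an added example that is not part of this PR or repository: it scans an npm `package-lock.json` (v2/v3 `packages` layout, an assumption) for the three package versions named here and reports which root-level dependencies pull each one in. `FLAGGED`, `findFlagged`, `resolveDep` and the `SAMPLE` lockfile are hypothetical names and constructed data.

```javascript
// Versions the PR description names as vulnerable (taken from the page).
const FLAGGED = new Map([
  ['webpack-dev-server', (v) => v.split('.')[0] === '3'],
  ['uuid', (v) => v === '3.4.0'], ['node-forge', (v) => v === '0.10.0'],
]);
const NM = 'node_modules/';
const nameOf = (key) => key.slice(key.lastIndexOf(NM) + NM.length);
// Node-style resolution: the dependent's own node_modules first, then each parent.
function resolveDep(packages, fromKey, dep) {
  for (let base = fromKey; ; base = base.slice(0, Math.max(0, base.lastIndexOf('/' + NM)))) {
    const candidate = (base ? base + '/' : '') + NM + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
  }
}
// Returns [{ name, version, via }]; `via` = root-level dependencies that pull it in.
function findFlagged({ packages = {} }) {
  const parents = new Map(); // resolved key -> keys of the packages requiring it
  for (const [key, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, key, dep);
      if (target) parents.set(target, [...(parents.get(target) || []), key]);
    }
  }
  const findings = [];
  for (const [key, meta] of Object.entries(packages)) {
    const matches = key && FLAGGED.get(nameOf(key));
    if (!matches || !matches(String(meta.version))) continue;
    const seen = new Set([key]), queue = [key], via = new Set();
    while (queue.length) { // breadth-first walk up the reverse edges to the root
      const cur = queue.shift();
      for (const p of parents.get(cur) || []) {
        if (p === '') via.add(nameOf(cur));
        else if (!seen.has(p)) { seen.add(p); queue.push(p); }
      }
    }
    findings.push({ name: nameOf(key), version: meta.version, via: [...via].sort() });
  }
  return findings;
}
// Constructed lockfile (v2/v3 `packages` layout); edges invented for the demo.
const SAMPLE = { packages: {
  '': { devDependencies: { 'universal-hot-reload': '*', 'webpack-serve': '*' } },
  'node_modules/universal-hot-reload': { version: '0.0.0', dependencies: { 'webpack-dev-server': '*' } },
  'node_modules/webpack-serve': { version: '0.0.0', dependencies: { uuid: '*' } },
  'node_modules/webpack-dev-server': { version: '3.11.3', dependencies: { uuid: '*', 'node-forge': '*' } },
  'node_modules/uuid': { version: '3.4.0' }, 'node_modules/node-forge': { version: '0.10.0' },
} };
console.log(findFlagged(SAMPLE));
```

Run `findFlagged` on the parsed `package-lock.json` of each example app before and after the change; an empty result after the removal means none of the three named versions remain in the tree.
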
@devin-ai-integration

Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

kparkinson-ld marked this pull request as ready for review June 8, 2026 20:04
kparkinson-ld requested a review from a team as a code owner June 8, 2026 20:04

cursor Bot left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 22a56e9.

"scripts": {
"start": "NODE_OPTIONS=--openssl-legacy-provider node src/server/index.js",
"build": "NODE_OPTIONS=--openssl-legacy-provider webpack --config webpack.config.client.js && NODE_OPTIONS=--openssl-legacy-provider webpack --config webpack.config.server.js",
"start": "npm run build && node dist/serverBundle.js",
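
Review bot: the `build` line still sets `NODE_OPTIONS=--openssl-legacy-provider` on both webpack invocations, so the build keeps depending on OpenSSL's legacy provider with no record of why. Please note the reason in the example README and that the flag should go once the toolchain no longer needs it. The `start` line that runs `node dist/serverBundle.js` no longer passes the flag to the server process itself, which is the better scope for it. The `VAR=value command` prefix is also POSIX-shell syntax, so `npm run build` as written will not run under Windows cmd.exe; worth stating in the README if that matters for these examples.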

Client script port no longer served

High Severity

The updated start script only builds assets and runs dist/serverBundle.js on port 3000. The server HTML still requests bundle.js from http://localhost:3002, which webpack-serve used to provide. With that dev server removed, nothing listens on 3002, so the example page renders without client JavaScript.

Reviewed by Cursor Bugbot for commit 22a56e9.

Contributor

Good catch — fixed in c2b3f2b. Updated both server.js HTML templates to use /dist/bundle.js (served by Express on the same port) and removed the stale localhost:3002 webpack publicPath from both webpack.config.client.js files.

The HTML templates and webpack configs referenced http://localhost:3002
which was served by the now-removed webpack-serve. Update to use
relative /dist/ path since Express already serves static files from
the dist directory on the same port.
joker23 commented Jun 8, 2026

Contributor

Since these are examples, we do not need to bump a patch version. The PR title should be prefixed with chore instead of fix.

devin-ai-integration Bot changed the title from "fix: remove universal-hot-reload and webpack-serve from examples" to "chore: remove universal-hot-reload and webpack-serve from examples" Jun 8, 2026
@devin-ai-integration

Contributor

Good call — updated the title to chore: on both this PR and #402 since they only touch examples.
