Why does webpack 5 throw an error when I manually add `new webpack.HotModuleReplacementPlugin()`?

Webpack 5 bundles HotModuleReplacementPlugin internally and auto-applies it when `devServer.hot: true` is set. Manually instantiating it creates a duplicate plugin conflict, which webpack 5 treats as a fatal configuration error. Remove the explicit plugin instantiation entirely — `hot: true` in devServer is sufficient.

I set `hot: true` but the browser still does a full reload. What am I missing?

HMR requires two things: (1) the server must have HMR enabled (`hot: true`), AND (2) the module code must call `module.hot.accept()` to handle updates. If your entry point or a parent module doesn't accept the hot update, webpack falls back to a full reload. If you're using React, install `react-refresh` and `@pmmmwh/react-refresh-webpack-plugin` to handle this automatically.

Does passing `--hot` on the webpack-dev-server CLI command replace the need for config-level setup?

Not reliably. The `--hot` CLI flag injects `hot: true` into the devServer config at runtime, but it does not persist to your config file and behaves inconsistently across webpack-dev-server versions 3, 4, and 5. Always define `hot: true` explicitly in `webpack.config.js` as the authoritative source of truth. Treat CLI flags as overrides for one-off debugging only.

How to Fix webpack-dev-server HMR 'HotModuleReplacementPlugin' Not Enabled Error

Threat/Impact Level: MEDIUM | Exploitability/Downtime Risk: HIGH (dev velocity blocker) | Time to Fix: 5 mins

TL;DR

What broke: webpack-dev-server cannot initialize HMR because HotModuleReplacementPlugin is either missing from the plugins array (webpack 4) or devServer.hot is explicitly disabled/absent (webpack 5), causing a full-page reload fallback or a hard crash.
How to fix it: In webpack 4, add new webpack.HotModuleReplacementPlugin() to the plugins array. In webpack 5, set hot: true in devServer — the plugin is built-in and auto-applied.
Fast path: Use our Client-Side Sandbox below to auto-refactor this — paste your webpack.config.js and get a corrected config without sending your code to any external server.

The Incident (What Does the Error Mean?)

Raw error output you will see in the terminal or browser console:

[webpack-dev-server] Hot Module Replacement is disabled.
Error: [HMR] The following modules couldn't be hot updated: (Full reload needed)
Webpack requires the HotModuleReplacementPlugin to be enabled in your webpack configuration.

or in older setups:

Error: No hot update chunks found.
[WDS] Disconnected!

Immediate consequence: Every code change triggers a full browser reload, destroying all in-memory application state. On large SPAs this means 3–15 second reload cycles per change. On teams of 10+ developers, this compounds into hours of lost productivity daily. In some configurations, webpack-dev-server refuses to start entirely.

The Attack Vector / Blast Radius

This is a developer environment availability failure, not a production security CVE — but the blast radius is non-trivial:

State destruction on every save. Redux store, form state, modal open/close, multi-step wizard progress — all wiped. Debugging stateful UI bugs becomes nearly impossible without HMR.
Masked misconfiguration in CI preview environments. Teams often copy webpack.config.js from dev to staging preview builds. A broken HMR config frequently signals a deeper misconfiguration — mode not set to development, devtool misconfigured, or target set incorrectly — which can silently degrade build output quality.
Webpack 4 → 5 migration trap. The single most common trigger: migrating to webpack 5 while keeping the explicit new webpack.HotModuleReplacementPlugin() call. Webpack 5 errors out if you manually instantiate this plugin while hot: true is set, creating a confusing double-failure mode.
--hot CLI flag false confidence. Passing --hot via CLI does NOT reliably substitute for config-level setup in all webpack-dev-server versions. Config is the source of truth.

How to Fix It (The Solution)

Basic Fix — Webpack 5 (Current Standard)

 // webpack.config.js
 const path = require('path');
-const webpack = require('webpack');
 
 module.exports = {
   mode: 'development',
   entry: './src/index.js',
   devServer: {
     static: path.join(__dirname, 'dist'),
     port: 3000,
-    hot: false,
+    hot: true,
   },
-  plugins: [
-    new webpack.HotModuleReplacementPlugin(), // ❌ DO NOT use in webpack 5
-  ],
+  plugins: [], // HMR plugin is built-in to webpack 5, no manual instantiation needed
 };

Basic Fix — Webpack 4 (Legacy)

 // webpack.config.js
 const path = require('path');
 const webpack = require('webpack');
 
 module.exports = {
   mode: 'development',
   entry: './src/index.js',
   devServer: {
     static: path.join(__dirname, 'dist'),
     port: 3000,
+    hot: true,
   },
   plugins: [
+    new webpack.HotModuleReplacementPlugin(), // ✅ Required explicitly in webpack 4
   ],
 };

Enterprise Best Practice

Environment-gate your HMR config. Never let HMR-related plugins bleed into production builds — it wastes bundle bytes and can expose internal module graph metadata.

 // webpack.config.js
 const path = require('path');
 const webpack = require('webpack');
 
+const isDev = process.env.NODE_ENV === 'development';
 
 module.exports = {
-  mode: 'development',
+  mode: isDev ? 'development' : 'production',
   entry: './src/index.js',
-  devServer: {
-    hot: true,
-  },
+  ...(isDev && {
+    devServer: {
+      static: path.join(__dirname, 'dist'),
+      port: 3000,
+      hot: true,
+      liveReload: false, // disable fallback full-reload; fail loudly if HMR breaks
+    },
+  }),
   plugins: [
-    new webpack.HotModuleReplacementPlugin(),
+    // webpack 5: no manual HMR plugin needed
+    // webpack 4: conditionally add below
+    // ...(isDev ? [new webpack.HotModuleReplacementPlugin()] : []),
   ].filter(Boolean),
 };

Also verify your entry point accepts HMR updates. Without this, webpack enables HMR at the server level but modules never accept updates:

 // src/index.js
 import App from './App';
 import { render } from 'react-dom';
 
 render(<App />, document.getElementById('root'));
 
+if (module.hot) {
+  module.hot.accept('./App', () => {
+    const NextApp = require('./App').default;
+    render(<NextApp />, document.getElementById('root'));
+  });
+}

Note: If you are using React Fast Refresh (react-refresh-webpack-plugin), the module.hot.accept block above is handled automatically. Do not duplicate it.

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

1. Lint webpack configs in pre-commit hooks.

Use webpack-config-validator or a custom ESLint rule to assert devServer.hot === true is never committed with mode: 'production'.

# .husky/pre-commit
npx webpack --config webpack.config.js --dry-run 2>&1 | grep -i "HotModuleReplacement"

2. Fail fast in CI with explicit mode assertion.

# .github/workflows/build-check.yml
- name: Validate webpack config
  run: |
    NODE_ENV=development npx webpack --config webpack.config.js --dry-run
    NODE_ENV=production npx webpack --config webpack.config.js --dry-run

If either run throws an HMR-related error, the PR is blocked.

3. Pin webpack and webpack-dev-server versions together. Version skew between these two packages is the #1 cause of silent HMR breakage after dependency updates.

// package.json — lock major versions together
{
  "devDependencies": {
    "webpack": "5.91.0",
    "webpack-cli": "5.1.4",
    "webpack-dev-server": "5.0.4"
  }
}

4. Use Renovate or Dependabot with grouped webpack updates to ensure these three packages always bump together, never independently.

# renovate.json
{
  "packageRules": [
    {
      "matchPackageNames": ["webpack", "webpack-cli", "webpack-dev-server"],
      "groupName": "webpack core"
    }
  ]
}