
Security Enhancement Opportunity: @nx/module-federation webpack version #29755

Open
1 of 4 tasks
nxpatterns opened this issue Jan 26, 2025 · 2 comments
Labels
scope: bundlers Issues related to webpack, rollup type: bug

Comments

@nxpatterns

Current Behavior

Security Enhancement Opportunity: @nx/module-federation webpack version

Dear Nx team,

First, thank you for maintaining this fantastic module federation package that powers many of our enterprise applications! 🚀

Observation

While working with @nx/module-federation (20.3.3), I noticed an opportunity for a security enhancement regarding the webpack dependency (currently at 5.88.0).

Details

  • Current webpack version has a reported vulnerability (GHSA-4vvj-4cpr-p986)
  • Nature: DOM Clobbering Gadget in AutoPublicPathRuntimeModule (potential XSS)
  • Suggested update: webpack 5.89.0+

Verification Steps Taken

I've validated this enhancement by testing with a local package copy:

  • Updated webpack to ^5.89.0
  • Ran full test suite
  • Confirmed vulnerability resolution via npm audit
  • No breaking changes observed

Would you consider this update for a future release? Happy to provide any additional information or testing support if helpful!

Thank you for considering this enhancement. Keep up the great work! ⭐️

Labels

security, package: module-federation

Expected Behavior

Current Behavior

@nx/module-federation (20.3.3) ships with webpack 5.88.0, which contains a known security vulnerability (GHSA-4vvj-4cpr-p986). This creates a potential XSS risk via webpack's AutoPublicPathRuntimeModule.

Expected Behavior

The package should use webpack 5.89.0+ to eliminate this security vulnerability, providing the same functionality but with enhanced security. Like upgrading your home security system while keeping all your favorite features! 🏰

GitHub Repo

No response

Steps to Reproduce

Steps to Reproduce

  1. Create new Nx workspace with @nx/module-federation@20.3.3
  2. Run npm audit
  3. Observe webpack vulnerability report

Nx Report

NX   Report complete - copy this into the issue template

Node           : 23.5.0
OS             : darwin-arm64
Native Target  : aarch64-macos
npm            : 10.9.2

nx (global)            : 20.3.2
nx                     : 20.3.3
@nx/js                 : 20.3.3
@nx/jest               : 20.3.3
@nx/eslint             : 20.3.3
@nx/workspace          : 20.3.3
@nx/angular            : 20.3.3
@nx/devkit             : 20.3.3
@nx/module-federation  : 20.3.3
@nx/nest               : 20.3.3
@nx/node               : 20.3.3
@nx/web                : 20.3.3
@nx/webpack            : 20.3.3
typescript             : 5.7.3
---------------------------------------
Registered Plugins:
@nx/playwright/plugin
@nx/eslint/plugin
@nx/webpack/plugin
---------------------------------------
Community plugins:
angular-eslint : 19.0.2

Failure Logs

Package Manager Version

npm --version 10.9.2

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

Additional Context

I've validated the fix locally by updating webpack to ^5.89.0 - all tests pass, and the vulnerability is gone.

@ardokirsipuu

The package should use webpack 5.89.0+ to eliminate this security vulnerability

Why 5.89.0? The referred security vulnerability (GHSA-4vvj-4cpr-p986) states that the fixed version is 5.94.0.

@nxpatterns
Author

Oh, thank you. Yes, you're right, v5.94.0 would be completely fine too, although I haven't tested it yet. I suggested v5.89.0 because it's the next version after the security vulnerability fix that has the least changes.

@FrozenPandaz FrozenPandaz added the scope: bundlers Issues related to webpack, rollup label Jan 28, 2025