
Nx currently has a critical dependency (audit) in the @nx/module-federation package #30083

Closed
1 of 4 tasks
Laurensvdw opened this issue Feb 18, 2025 · 2 comments

Comments

@Laurensvdw

Current Behavior

Our PR pipeline goes into error because a critical dependency was found. We also updated to the latest version of Nx, and the problem is present in that version as well. Full audit "trail" below :)

koa 2.0.0 - 2.15.3
Severity: critical
Inefficient Regular Expression Complexity in koa - GHSA-593f-38f6-jp5m
No fix available
node_modules/koa
  @module-federation/dts-plugin *
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced <=0.0.1-rc.0 || >=0.1.2
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @module-federation/node >=2.1.2
      Depends on vulnerable versions of @module-federation/enhanced
      node_modules/@module-federation/node
      @nx/module-federation *
      Depends on vulnerable versions of @module-federation/enhanced
      Depends on vulnerable versions of @module-federation/node
      node_modules/@nx/module-federation
    @module-federation/manifest <=0.0.0-next-20250218022700 || >=0.1.3
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack *
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

Expected Behavior

PR pipeline runs successfully due to having no critical dependencies in the project.

GitHub Repo

No response

Steps to Reproduce

  1. Run npm audit

Nx Report

Node           : 20.17.0
OS             : win32-x64
Native Target  : x86_64-windows
npm            : 10.8.2

nx                     : 20.4.4
lerna                  : 8.1.9
@nx/js                 : 20.4.4
@nx/jest               : 20.4.4
@nx/eslint             : 20.4.4
@nx/workspace          : 20.4.4
@nx/angular            : 20.4.4
@nx/cypress            : 20.4.4
@nx/devkit             : 20.4.4
@nx/eslint-plugin      : 20.4.4
@nx/module-federation  : 20.4.4
@nx/plugin             : 20.4.4
@nx/storybook          : 20.4.4
@nx/web                : 20.4.4
@nx/webpack            : 20.4.4
typescript             : 5.5.4
---------------------------------------
Community plugins:
@storybook/angular : 8.5.6
nx-stylelint       : 13.5.3

Failure Logs

"C:\Program Files\nodejs\npm.cmd" run audit
The system cannot find the path specified.
The system cannot find the path specified.

> [email protected] audit
> npm audit --registry=https://registry.npmjs.org/

The system cannot find the path specified.
# npm audit report

@octokit/plugin-paginate-rest  <=11.4.0
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/plugin-paginate-rest
  @octokit/rest  16.39.0 - 21.0.0-beta.4
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  node_modules/@octokit/rest
    @lerna/create  >=7.1.5
    Depends on vulnerable versions of @octokit/rest
    node_modules/@lerna/create
      lerna  6.3.1-beta.0 - 6.3.1-beta.4 || >=6.4.2-beta.0
      Depends on vulnerable versions of @lerna/create
      Depends on vulnerable versions of @octokit/rest
      node_modules/lerna

@octokit/request  <=9.2.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/request
  @octokit/core  <=5.2.0
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  Depends on vulnerable versions of @octokit/request-error
  node_modules/@octokit/core
  @octokit/graphql  <=2.1.3 || 3.0.0 - 7.1.0
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/graphql

@octokit/request-error  <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/request-error

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
No fix available
node_modules/cross-spawn
node_modules/current-git-branch/node_modules/cross-spawn
node_modules/is-git-repository/node_modules/cross-spawn
  execa  0.5.0 - 0.9.0
  Depends on vulnerable versions of cross-spawn
  node_modules/current-git-branch/node_modules/execa
  node_modules/is-git-repository/node_modules/execa
    current-git-branch  <=1.1.0
    Depends on vulnerable versions of execa
    Depends on vulnerable versions of is-git-repository
    node_modules/current-git-branch
      @delen/cz-delen-changelog
      Depends on vulnerable versions of current-git-branch
      node_modules/@delen/cz-delen-changelog
    is-git-repository  <=1.1.1
    Depends on vulnerable versions of execa
    node_modules/is-git-repository

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
No fix available
node_modules/esbuild
node_modules/tsx/node_modules/esbuild
node_modules/vite/node_modules/esbuild
  @angular-devkit/build-angular  12.2.0-next.0 - 19.2.0-next.1
  Depends on vulnerable versions of @angular/build
  Depends on vulnerable versions of esbuild
  Depends on vulnerable versions of ng-packagr
  Depends on vulnerable versions of vite
  node_modules/@angular-devkit/build-angular
    @nx/angular  *
    Depends on vulnerable versions of @angular-devkit/build-angular
    Depends on vulnerable versions of @nx/module-federation
    node_modules/@nx/angular
    @storybook/angular  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=6.5.17-alpha.0
    Depends on vulnerable versions of @angular-devkit/build-angular
    Depends on vulnerable versions of @storybook/builder-webpack5
    Depends on vulnerable versions of @storybook/components
    Depends on vulnerable versions of @storybook/core-webpack
    Depends on vulnerable versions of @storybook/manager-api
    Depends on vulnerable versions of @storybook/preview-api
    Depends on vulnerable versions of @storybook/theming
    Depends on vulnerable versions of storybook
    node_modules/@storybook/angular
  @angular/build  <=19.2.0-next.1
  Depends on vulnerable versions of esbuild
  Depends on vulnerable versions of vite
  node_modules/@angular/build
  @storybook/core  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=6.5.17-alpha.0
  Depends on vulnerable versions of esbuild
  node_modules/@storybook/core
    storybook  >=8.2.0-alpha.0
    Depends on vulnerable versions of @storybook/core
    node_modules/storybook
      @storybook/addon-actions  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-actions
      @storybook/addon-backgrounds  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-backgrounds
      @storybook/addon-controls  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-controls
      @storybook/addon-docs  >=8.2.0-alpha.0
      Depends on vulnerable versions of @storybook/blocks
      Depends on vulnerable versions of @storybook/csf-plugin
      Depends on vulnerable versions of @storybook/react-dom-shim
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-docs
      @storybook/addon-essentials  >=8.2.0-alpha.0
      Depends on vulnerable versions of @storybook/addon-actions
      Depends on vulnerable versions of @storybook/addon-backgrounds
      Depends on vulnerable versions of @storybook/addon-controls
      Depends on vulnerable versions of @storybook/addon-docs
      Depends on vulnerable versions of @storybook/addon-highlight
      Depends on vulnerable versions of @storybook/addon-measure
      Depends on vulnerable versions of @storybook/addon-outline
      Depends on vulnerable versions of @storybook/addon-toolbars
      Depends on vulnerable versions of @storybook/addon-viewport
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-essentials
      @storybook/addon-highlight  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-highlight
      @storybook/addon-interactions  >=8.2.0-alpha.0
      Depends on vulnerable versions of @storybook/instrumenter
      Depends on vulnerable versions of @storybook/test
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-interactions
      @storybook/addon-mdx-gfm  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-mdx-gfm
      @storybook/addon-measure  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-measure
      @storybook/addon-outline  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-outline
      @storybook/addon-toolbars  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-toolbars
      @storybook/addon-viewport  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/addon-viewport
      @storybook/blocks  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/blocks
      @storybook/builder-webpack5  >=8.2.0-alpha.0
      Depends on vulnerable versions of @storybook/core-webpack
      Depends on vulnerable versions of storybook
      node_modules/@storybook/builder-webpack5
      @storybook/components  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/components
      @storybook/core-events  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/core-events
      @storybook/core-server  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/core-server
      @storybook/core-webpack  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/core-webpack
      @storybook/csf-plugin  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/csf-plugin
      @storybook/instrumenter  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/instrumenter
      @storybook/manager-api  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/manager-api
      @storybook/preview-api  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/preview-api
      @storybook/react-dom-shim  >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/react-dom-shim
      @storybook/test  >=8.2.0-alpha.0
      Depends on vulnerable versions of @storybook/instrumenter
      Depends on vulnerable versions of storybook
      node_modules/@storybook/test
      @storybook/theming  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/theming
      @storybook/types  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=8.2.0-alpha.0
      Depends on vulnerable versions of storybook
      node_modules/@storybook/types
  ng-packagr  12.2.0-next.0 - 19.2.0-next.1
  Depends on vulnerable versions of esbuild
  node_modules/ng-packagr
  tsx  >=3.13.0
  Depends on vulnerable versions of esbuild
  node_modules/tsx
  vite  >=0.11.0
  Depends on vulnerable versions of esbuild
  node_modules/vite

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix`
node_modules/http-proxy-middleware

koa  2.0.0 - 2.15.3
Severity: critical
Inefficient Regular Expression Complexity in koa - https://github.com/advisories/GHSA-593f-38f6-jp5m
No fix available
node_modules/koa
  @module-federation/dts-plugin  *
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced  <=0.0.1-rc.0 || >=0.1.2
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @module-federation/node  >=2.1.2
      Depends on vulnerable versions of @module-federation/enhanced
      node_modules/@module-federation/node
      @nx/module-federation  *
      Depends on vulnerable versions of @module-federation/enhanced
      Depends on vulnerable versions of @module-federation/node
      node_modules/@nx/module-federation
    @module-federation/manifest  <=0.0.0-next-20250218022700 || >=0.1.3
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack  *
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

nanoid  <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/webpack-log/node_modules/nanoid
  webpack-log  >=3.0.0
  Depends on vulnerable versions of nanoid
  node_modules/webpack-log


59 vulnerabilities (45 moderate, 6 high, 8 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Process finished with exit code 1

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response
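A triage script for the kind of report above, added here as an example (not Nx's or npm's own code): it walks the `vulnerabilities` map of `npm audit --json` (npm 7+), where each entry's `via` names the packages or advisory objects it inherits from and `effects` names the packages that depend on it, and lists every chain from a root advisory at or above a chosen severity up to a direct dependency, with whether npm reports a fix. The embedded sample report is constructed to mirror the koa chain reported in this issue.

```python
# Constructed sample in the shape of `npm audit --json` (npm 7+), trimmed to the
# koa -> @module-federation/dts-plugin -> ... -> @nx/module-federation path from this issue.
SAMPLE_AUDIT = {"auditReportVersion": 2, "vulnerabilities": {
    "koa": {"severity": "critical", "isDirect": False, "fixAvailable": False,
            "via": [{"name": "koa", "severity": "critical", "range": "2.0.0 - 2.15.3",
                     "url": "https://github.com/advisories/GHSA-593f-38f6-jp5m"}],
            "effects": ["@module-federation/dts-plugin"]},
    "@module-federation/dts-plugin": {"severity": "critical", "isDirect": False, "fixAvailable": False,
            "via": ["koa"], "effects": ["@module-federation/enhanced"]},
    "@module-federation/enhanced": {"severity": "critical", "isDirect": False, "fixAvailable": False,
            "via": ["@module-federation/dts-plugin"],
            "effects": ["@module-federation/node", "@nx/module-federation"]},
    "@module-federation/node": {"severity": "critical", "isDirect": False, "fixAvailable": False,
            "via": ["@module-federation/enhanced"], "effects": ["@nx/module-federation"]},
    "@nx/module-federation": {"severity": "critical", "isDirect": True, "fixAvailable": False,
            "via": ["@module-federation/enhanced", "@module-federation/node"], "effects": []},
}}

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def root_advisories(vulns):
    """Yield (package, advisory) for packages whose `via` carries advisory objects, not just names."""
    for pkg, node in vulns.items():
        for entry in node["via"]:
            if isinstance(entry, dict):
                yield pkg, entry

def chains_to_direct(vulns, pkg, path=()):
    """Follow `effects` upward from pkg; return every path that ends at a direct dependency."""
    path = path + (pkg,)
    chains = [path] if vulns[pkg].get("isDirect") else []
    for parent in vulns[pkg].get("effects", []):
        if parent in vulns and parent not in path:  # skip unknown names and cycles
            chains.extend(chains_to_direct(vulns, parent, path))
    return chains

def triage(report, min_severity="high"):
    """List (advisory url, severity, fix available?, chain) for root advisories at or above
    min_severity that reach a direct dependency. `fixAvailable` is a bool or an object."""
    vulns = report["vulnerabilities"]
    findings = []
    for pkg, adv in root_advisories(vulns):
        if SEVERITY_RANK[adv["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        for chain in chains_to_direct(vulns, pkg):
            findings.append((adv["url"], adv["severity"], bool(vulns[pkg]["fixAvailable"]), " -> ".join(chain)))
    return findings

if __name__ == "__main__":
    import json, sys  # usage: npm audit --json > audit.json && python triage.py audit.json
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_AUDIT
    for url, sev, fixable, chain in triage(report):
        print(f"{sev:8} fix={'yes' if fixable else 'no '} {chain}  {url}")
```

Chains whose root advisory has no fix and ends at a direct dependency (here @nx/module-federation) are the ones that need a decision: override, replace the dependency, or accept the risk if the vulnerable package only runs at build time.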

@ahnpnl
Contributor

ahnpnl commented Feb 18, 2025

The same for @nx/angular, which depends on @nx/webpack, which in turn depends on @module-federation.

@Laurensvdw
Author

#30016
