Nx
Enterprise
Nx
Sign in / Sign up
Open main menu
Nx
GitHub
Overview
Runs
Analytics
Loading workspace stats
Loading workspace insights...
Statistics interval
7 days
30 days
Latest CI Pipeline Executions
Status
Fix filter
Filter
Fuzzy
Filter range
Sort by
Sort by
Start time
Sort ascending
Sort descending
Succeeded
34708
50918995 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
16 days ago
by Jack Hsu
J
Failed
34708
60e221cb fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Canceled
34708
006acbcf fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Failed
34708
37816668 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Failed
34708
0f65682a fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Failed
34708
eea27970 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Canceled
34708
bc5ef997 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Canceled
34708
d9064a37 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Canceled
34708
3dfe6d1e fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Failed
34708
e2d8f021 fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Canceled
34708
3650581d fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
17 days ago
by Jack Hsu
J
Failed
34708
d682af5d fix(module-federation): add pnpm override for koa >=3.1.2 ## Current Behavior `@module-federation/dts-plugin` pins `koa@3.0.3` which is vulnerable to CVE-2026-27959 (Host Header Injection, fixed in koa 3.1.2). The upstream `@module-federation` project has not bumped their dependency. ## Expected Behavior A pnpm override forces koa resolution to `>=3.1.2`, addressing the CVE for Nx users. This is a workaround until the upstream dependency is updated. ## Related Issue(s) Fixes #34621
18 days ago
by Jack Hsu
J
Previous page
Previous
Next
Next page