fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch)

1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE).
2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`).
3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959).

1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`.
2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility.
3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version.

Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version.

Fixes #34632
Fixes #34621
Fixes #34701
nx-cloud record -- nx sync:check
Succeeded
CI Pipeline Execution
Linux
4 CPU cores
7a9e143c
34708