koa high severity vurneability not fixed yet - @angular-architects/module-federation versions: 21.2.1 / possible migration to @module-federation/enhanced@2.1.0? #1080
Description
For which library do you need help?
module-federation
Question
Hi, in the previous release it was an attempt to fix the security vulnerability of the koa in the @angular-architects/module-federation version: 21.2.1. Unfortunately, this didn't solve the issue - #1078.
- github advisory - GHSA-7gcc-r8m5-44qm
- npm - https://www.npmjs.com/package/koa
From the dependency tree is the "koa": "3.0.3", defined in the @module-federation/dts-plugin.
Dependency tree:
{
"node_modules/@angular-architects/module-federation": {
"version": "21.2.1",
"resolved": "https://registry.npmjs.org/@angular-architects/module-federation/-/module-federation-21.2.1.tgz",
"integrity": "sha512-VP+YOz5BzM7LM3GiPO6hv0cdTiPUMtO3G7pQ4sXNT6FyEdSVQuBaWkz69Fn5mkIo6OgkqUdaSBR8nAYMCbPUYA==",
"license": "MIT",
"dependencies": {
"@angular-architects/module-federation-runtime": "~21.2.1",
"callsite": "^1.0.0",
"node-fetch": "^3.3.2",
"semver": "~7.7.1",
"word-wrap": "^1.2.5"
}
},
}
...
{
"node_modules/@angular-architects/module-federation-runtime": {
"version": "21.2.1",
"resolved": "https://registry.npmjs.org/@angular-architects/module-federation-runtime/-/module-federation-runtime-21.2.1.tgz",
"integrity": "sha512-W3U1KZTM2ssBU4mU/dFmYG7jhg0Rig00waLUqNxWxqNLU4slTN5k/iLxc0WJ585RNBnXcjsyB1cAYXoUuLjg4A==",
"license": "MIT",
"dependencies": {
"tslib": "^2.3.0"
},
"peerDependencies": {
"@angular/common": "^21.2.0",
"@angular/core": "^21.2.0",
"@module-federation/enhanced": "^0.21.4",
"@module-federation/runtime-core": "^0.21.4"
}
},
}
...
{
"node_modules/@module-federation/enhanced": {
"version": "0.21.6",
"resolved": "https://registry.npmjs.org/@module-federation/enhanced/-/enhanced-0.21.6.tgz",
"integrity": "sha512-8PFQxtmXc6ukBC4CqGIoc96M2Ly9WVwCPu4Ffvt+K/SB6rGbeFeZoYAwREV1zGNMJ5v5ly6+AHIEOBxNuSnzSg==",
"license": "MIT",
"peer": true,
"dependencies": {
"@module-federation/bridge-react-webpack-plugin": "0.21.6",
"@module-federation/cli": "0.21.6",
"@module-federation/data-prefetch": "0.21.6",
"@module-federation/dts-plugin": "0.21.6",
"@module-federation/error-codes": "0.21.6",
"@module-federation/inject-external-runtime-core-plugin": "0.21.6",
"@module-federation/managers": "0.21.6",
"@module-federation/manifest": "0.21.6",
"@module-federation/rspack": "0.21.6",
"@module-federation/runtime-tools": "0.21.6",
"@module-federation/sdk": "0.21.6",
"btoa": "^1.2.1",
"schema-utils": "^4.3.0",
"upath": "2.0.1"
},
"bin": {
"mf": "bin/mf.js"
},
"peerDependencies": {
"typescript": "^4.9.0 || ^5.0.0",
"vue-tsc": ">=1.0.24",
"webpack": "^5.0.0"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
},
"vue-tsc": {
"optional": true
},
"webpack": {
"optional": true
}
}
},
}
...
{
"node_modules/@module-federation/dts-plugin": {
"version": "0.21.6",
"resolved": "https://registry.npmjs.org/@module-federation/dts-plugin/-/dts-plugin-0.21.6.tgz",
"integrity": "sha512-YIsDk8/7QZIWn0I1TAYULniMsbyi2LgKTi9OInzVmZkwMC6644x/ratTWBOUDbdY1Co+feNkoYeot1qIWv2L7w==",
"license": "MIT",
"peer": true,
"dependencies": {
"@module-federation/error-codes": "0.21.6",
"@module-federation/managers": "0.21.6",
"@module-federation/sdk": "0.21.6",
"@module-federation/third-party-dts-extractor": "0.21.6",
"adm-zip": "^0.5.10",
"ansi-colors": "^4.1.3",
"axios": "^1.12.0",
"chalk": "3.0.0",
"fs-extra": "9.1.0",
"isomorphic-ws": "5.0.0",
"koa": "3.0.3",
"lodash.clonedeepwith": "4.5.0",
"log4js": "6.9.1",
"node-schedule": "2.1.1",
"rambda": "^9.1.0",
"ws": "8.18.0"
},
"peerDependencies": {
"typescript": "^4.9.0 || ^5.0.0",
"vue-tsc": ">=1.0.24"
},
"peerDependenciesMeta": {
"vue-tsc": {
"optional": true
}
}
},
}Would it be possible to migrate to a new version of the @module-federation/dts-plugin?
Thank you for your support.