refactor(dts-plugin): replace Koa dev server with native HTTP#4419
Merged
ScriptedAlchemy merged 14 commits intomainfrom Feb 12, 2026
Merged
refactor(dts-plugin): replace Koa dev server with native HTTP#4419ScriptedAlchemy merged 14 commits intomainfrom
ScriptedAlchemy merged 14 commits intomainfrom
Conversation
Co-authored-by: Zack Jackson <ScriptedAlchemy@users.noreply.github.com>
|
Cursor Agent can help with this pull request. Just |
✅ Deploy Preview for module-federation-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
🦋 Changeset detectedLatest commit: b254200 The changes in this PR will be included in the next version bump. This PR includes changesets to release 43 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
…lacement-2f9b Co-authored-by: Zack Jackson <ScriptedAlchemy@users.noreply.github.com>
Contributor
iOS Release APP for simulatorsNote: if the download link expires, please re-run the workflow to generate a new build. Generated at 2026-02-12T09:30:24.073Z UTC |
Contributor
Bundle Size Report1 package(s) changed, 37 unchanged.
Total dist: 6.66 MB (+777 B (+0.0%)) |
Contributor
Android Release APK for all devicesNote: if the download link expires, please re-run the workflow to generate a new build. Generated at 2026-02-12T09:22:35.728Z UTC |
…lacement-2f9b Co-authored-by: Cursor <cursoragent@cursor.com>
…om/module-federation/core into cursor/koa-server-replacement-2f9b
5 tasks
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 4, 2026
…nimatch) ## Current Behavior 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). ## Expected Behavior 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. ## Related Issue(s) Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 4, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 4, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
Merged
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
jaysoo
added a commit
to nrwl/nx
that referenced
this pull request
Mar 5, 2026
…nimatch) 1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4` which pulls `fast-glob` (supply-chain risk) and `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE). 2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2` (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`). 3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959). 1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified clean via `npm audit`. 2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x compatibility. 3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get the patched version. Note: koa CVE in `@module-federation/dts-plugin` remains an upstream issue (module-federation/core#4419 merged but not yet released). Will be resolved when upstream publishes a new version. Fixes #34632 Fixes #34621 Fixes #34701
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
httpserverChanged Packages
@module-federation/dts-pluginChangesets
.changeset/bright-squids-float.md(@module-federation/dts-plugin: patch)Base
main