Conversation

@Aukevanoost (Collaborator)

No description provided.

import { ModuleFederationConfig, RsbuildConfig } from '@rsbuild/core';
import { pluginScriptModule } from './plugin-script-module';
import { applySkipList, normalizeSkipList, SkipList } from '../utils/skip-list';
import { SharedObject } from '@module-federation/enhanced/dist/src/declarations/plugins/sharing/SharePlugin';
@Aukevanoost (Collaborator, Author) commented Oct 28, 2025

@manfredsteyer Small question: the interfaces appear to be identical, it's just that TypeScript does not accept using them interchangeably. What's your take on this? Or anyone else? Which one should be used?

@Achilles1515

@manfredsteyer Considering these changes, can we expect a new release of the @angular-architects/module-federation and @angular-architects/module-federation-runtime packages that includes the updated @module-federation dependencies (similar to what was done in this PR)?

That should also address #911. I am also getting pinged by our DevOps group about needing to address this koa vulnerability.

And the reason why this vulnerability isn't just "fixing itself" is because these @module-federation packages have a major version of 0, essentially making the caret here act like a tilde, and these packages have long since jumped to new minor versions.

@Aukevanoost (Collaborator, Author)

Hi @Achilles1515

I can see what I can do with the vulnerabilities.

> And the reason why this vulnerability isn't just "fixing itself" is because these @module-federation packages have a major version of 0, essentially making the caret here act like a tilde, and these packages have long since jumped to new minor versions.

Could you help me a bit here? I struggle a bit to understand the first sentence, but ^ marks an acceptable range of minor and patch versions, right? So it doesn't matter if there are no major releases.

@Aukevanoost (Collaborator, Author)

Hi @Achilles1515

It took some tweaking and forcing certain versions, but this should fix the CVEs you were encountering. Would you kindly check this build and see if it works fine for you?

@Achilles1515 commented Oct 29, 2025

@Aukevanoost

> Could you help me a bit here? I struggle a bit to understand the first sentence, but ^ marks an acceptable range of minor and patch versions, right? So it doesn't matter if there are no major releases.

That is the normal behavior of the caret, but the rules change when the major version is 0 (which basically signifies that the package is still in development). See here.

^0.2.3 := >=0.2.3 <0.3.0

So this package definition here:

"@module-federation/enhanced": "^0.9.0",

is only installing v0.9.1, even though 0.21.2 is available.

So those @module-federation/* entries in that mf-runtime/package.json file need to be updated, along with a new package version release for @angular-architects/module-federation-runtime and @angular-architects/module-federation.
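The caret rule discussed in the thread, worked through as an added example (this is not code from the PR, nor from the @angular-architects or @module-federation projects): a minimal JavaScript model of npm's caret (^) range semantics, showing why "^0.9.0" resolves to 0.9.1 and never reaches 0.21.2, while "^1.2.3" would accept every later 1.x release. The list of published versions is constructed for the example; the real registry has many more. Pre-release tags, build metadata and wildcard ranges are left out for brevity (an assumption, not a property of npm).

```javascript
// Added example: model of npm's caret (^) range rules for x.y.z versions.
// Rules from the node-semver documentation:
//   ^1.2.3 := >=1.2.3 <2.0.0
//   ^0.2.3 := >=0.2.3 <0.3.0   (0.x: caret behaves like tilde)
//   ^0.0.3 := >=0.0.3 <0.0.4   (0.0.x: only that exact patch)
// Assumptions: fully specified versions only, no pre-release tags, no wildcards.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the inclusive lower bound and exclusive upper bound of a caret range.
function caretRange(spec) {
  if (!spec.startsWith('^')) throw new Error(`not a caret range: ${spec}`);
  const lower = parseVersion(spec.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];      // ^1.2.3 -> <2.0.0
  else if (minor > 0) upper = [0, minor + 1, 0]; // ^0.2.3 -> <0.3.0
  else upper = [0, 0, patch + 1];                // ^0.0.3 -> <0.0.4
  return { lower, upper };
}

function formatRange(spec) {
  const { lower, upper } = caretRange(spec);
  return `>=${lower.join('.')} <${upper.join('.')}`;
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { lower, upper } = caretRange(spec);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Highest published version inside the range, i.e. what a fresh install
// would pick from the registry; null if nothing matches.
function maxSatisfying(published, spec) {
  const ok = published.filter((v) => satisfies(v, spec));
  if (ok.length === 0) return null;
  return ok.map(parseVersion).sort(compareVersions).pop().join('.');
}

// Constructed list of published versions (not the real registry history).
const PUBLISHED = ['0.9.0', '0.9.1', '0.10.0', '0.21.2'];

function demo() {
  return {
    range: formatRange('^0.9.0'),                  // '>=0.9.0 <0.10.0'
    installed: maxSatisfying(PUBLISHED, '^0.9.0'), // '0.9.1'
    latestReachable: satisfies('0.21.2', '^0.9.0'), // false
    afterBump: maxSatisfying(PUBLISHED, '^0.21.0'), // '0.21.2'
  };
}

console.log(demo());
```

The practical consequence for dependency hygiene: a 0.x dependency declared with a caret silently excludes every later minor, so a fix that ships only in a newer minor (such as an updated transitive dependency) is never picked up by a routine `npm update`; the range itself has to be bumped and a new release cut, which is exactly what the thread asks for.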
