Nx 19.8.14: critical security issue with koa 2.0.0 - 2.15.3 #30502

@adam-fu

Description

Current Behavior

npm audit tells me about a critical security issue with the koa library before 2.15.4.

Expected Behavior

I can upgrade nx/angular to a version that uses 2.15.4

GitHub Repo

No response

Steps to Reproduce

  1. Use nx/angular 19.8.14 and run npm install or npm audit.

Nx Report

NX   Report complete - copy this into the issue template

Node           : 22.14.0
OS             : win32-x64
Native Target  : x86_64-windows
npm            : 10.9.2

nx                 : 19.8.14
@nx/js             : 19.8.14
@nx/jest           : 19.8.14
@nx/linter         : 19.8.14
@nx/eslint         : 19.8.14
@nx/workspace      : 19.8.14
@nx/angular        : 19.8.14
@nx/cypress        : 19.8.14
@nx/devkit         : 19.8.14
@nx/eslint-plugin  : 19.8.14
@nx/storybook      : 19.8.14
@nrwl/tao          : 19.8.14
@nx/web            : 19.8.14
@nx/webpack        : 19.8.14
typescript         : 5.5.4
---------------------------------------
Registered Plugins:
@nx/storybook/plugin
---------------------------------------
Community plugins:
@storybook/angular       : 8.6.9
@testing-library/angular : 16.0.0
ng-mocks                 : 14.13.4

Failure Logs

koa  2.0.0 - 2.15.3
Severity: critical
Inefficient Regular Expression Complexity in koa - https://github.com/advisories/GHSA-593f-38f6-jp5m
fix available via `npm audit fix --force`
Will install @nx/[email protected], which is a breaking change
node_modules/koa
  @module-federation/dts-plugin  <=0.8.12
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced  <=0.0.1-rc.0 || 0.1.2 - 0.8.12
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @nx/webpack  <=0.0.0-pr-28859-d05a640 || 19.5.1 - 20.2.0-rc.0
      Depends on vulnerable versions of @module-federation/enhanced
      Depends on vulnerable versions of @nrwl/webpack
      node_modules/@nx/webpack
        @nrwl/webpack  <=0.0.0-pr-27957-a99d5ea || >=19.5.1
        Depends on vulnerable versions of @nx/webpack
        node_modules/@nrwl/webpack
    @module-federation/manifest  <=0.0.0-next-20250325035711 || 0.1.3 - 0.8.12
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack  <=0.8.12
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

Package Manager Version

No response

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

I tried using nx/angular 19.8.15, but that version tells me that it cannot find nrwl/19.8.15.

The proposed solution to upgrade nx to 20.x is not the best solution, since I want to stick with the version of nx that is related to angular 18.

The relation between nx/angular and koa is shown here.

Kind regards,
Adam
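An added example (not from the issue or the Nx project) of how a maintainer can read the audit above mechanically: the script walks the `vulnerabilities` tree that `npm audit --json` emits, lists every dependency chain from koa up to a top-level package, and flags whether npm's only suggested fix is a semver-major (breaking) upgrade. The input is a constructed subset of the report mirroring the tree in the issue; the `fixAvailable.version` is a placeholder because the issue text elides it, and the function names are my own.

```javascript
// Constructed subset of `npm audit --json` output mirroring the issue's tree.
// `via` holds an advisory object for the vulnerable package itself and package
// names for dependents; `effects` lists who depends on this package.
const dep = (via, effects) => ({ via, effects });
const AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'koa': {
      via: [{ name: 'koa', severity: 'critical', range: '2.0.0 - 2.15.3',
              url: 'https://github.com/advisories/GHSA-593f-38f6-jp5m' }],
      effects: ['@module-federation/dts-plugin'],
      // version is a PLACEHOLDER: the issue text does not show the real value
      fixAvailable: { name: '@nx/webpack', version: 'PLACEHOLDER', isSemVerMajor: true },
    },
    '@module-federation/dts-plugin': dep(['koa'],
      ['@module-federation/enhanced', '@module-federation/manifest', '@module-federation/rspack']),
    '@module-federation/manifest': dep(['@module-federation/dts-plugin'],
      ['@module-federation/enhanced', '@module-federation/rspack']),
    '@module-federation/rspack': dep(['@module-federation/dts-plugin', '@module-federation/manifest'],
      ['@module-federation/enhanced']),
    '@module-federation/enhanced': dep(['@module-federation/dts-plugin',
      '@module-federation/manifest', '@module-federation/rspack'], ['@nx/webpack']),
    '@nx/webpack': dep(['@module-federation/enhanced', '@nrwl/webpack'], ['@nrwl/webpack']),
    '@nrwl/webpack': dep(['@nx/webpack'], ['@nx/webpack']),
  },
};

// Packages carrying an actual advisory (an object in `via`), as opposed to
// packages flagged only because they depend on a vulnerable one.
function rootAdvisories(audit) {
  return Object.entries(audit.vulnerabilities)
    .filter(([, v]) => v.via.some(x => typeof x === 'object'))
    .map(([name]) => name);
}

// Every chain from `root` up through `effects` to a package that nothing
// outside the current path depends on. Filtering out names already in the
// path breaks the @nx/webpack <-> @nrwl/webpack cycle present in the report.
function chainsFrom(audit, root) {
  const chains = [];
  const walk = (path) => {
    const next = (audit.vulnerabilities[path.at(-1)]?.effects ?? [])
      .filter(n => !path.includes(n));
    if (next.length === 0) { chains.push(path); return; }
    for (const n of next) walk([...path, n]);
  };
  walk([root]);
  return chains;
}

// true when npm's only offered fix is a semver-major upgrade, i.e. the
// `npm audit fix --force` case rather than a drop-in patch release.
function fixIsBreaking(audit, name) {
  const fix = audit.vulnerabilities[name].fixAvailable;
  return typeof fix === 'object' && fix.isSemVerMajor === true;
}

for (const adv of rootAdvisories(AUDIT)) {
  console.log(adv, fixIsBreaking(AUDIT, adv) ? '(fix is breaking)' : '(fix is non-breaking)');
  for (const c of chainsFrom(AUDIT, adv)) console.log('  ' + c.join(' <- '));
}
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse` of that file in place of `AUDIT`; every chain ending at `@nx/webpack` or `@nrwl/webpack` confirms the issue's claim that the flag is inherited through Nx rather than a direct koa dependency.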

Metadata

Labels

  • priority: high (High Priority: important issues which affect many people severely)
  • scope: node (Issues related to Node, Express, NestJS support for Nx)
  • type: bug
