Module Federation: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function #30748

Closed
@techfg

Description

Current Behavior

npm audit warns of a security vulnerability Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function:

koa  <2.16.1
Severity: moderate
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function - https://github.com/advisories/GHSA-x2rg-q646-7m2v
fix available via `npm audit fix --force`
Will install @nx/react@20.1.4, which is a breaking change
node_modules/koa
  @module-federation/dts-plugin  <=0.11.4
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced  <=0.0.1-rc.0 || 0.1.2 - 0.11.4
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @nx/module-federation  *
      Depends on vulnerable versions of @module-federation/enhanced
      node_modules/@nx/module-federation
        @nx/react  <=0.0.0-pr-30702-1a3e277 || >=20.2.0-beta.0
        Depends on vulnerable versions of @nx/module-federation
        node_modules/@nx/react
    @module-federation/manifest  <=0.0.0-next-20250415111630 || 0.1.3 - 0.11.4
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack  <=0.11.4
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

Expected Behavior

@nx/module-federation should not depend on a vulnerable dependency.

GitHub Repo

https://github.com/techfg/nx-koajs-xss-repro.git

Steps to Reproduce

  1. clone repo
  2. npm install
  3. npm audit

Nx Report

NX   Report complete - copy this into the issue template

Node           : 22.14.0
OS             : linux-x64
Native Target  : x86_64-linux
npm            : 10.9.2

nx                     : 20.8.0
@nx/js                 : 20.8.0
@nx/eslint             : 20.8.0
@nx/workspace          : 20.8.0
@nx/devkit             : 20.8.0
@nx/module-federation  : 20.8.0
@nx/react              : 20.8.0
@nx/vite               : 20.8.0
@nx/web                : 20.8.0
typescript             : 5.7.3
---------------------------------------
Registered Plugins:
@nx/js/typescript
@nx/react/router-plugin
@nx/vite/plugin
---------------------------------------
Cache Usage: 0.00 B / 25.09 GB

Failure Logs

Package Manager Version

npm 10.9.2

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

Seems to be due to @module-federation/enhanced referencing ^0.9.0, which is an outdated and unpatched version.

@module-federation/dts-plugin has been patched and was released in v0.12.0.

Related: #30502

Labels

  • priority: high (High Priority: important issues which affect many people severely)
  • scope: module federation (Issues related to module federation support)
  • type: bug