fix(misc): address security CVE cluster (copy-webpack-plugin, koa, minimatch)#34708

Merged

FrozenPandaz merged 1 commit into master from NXC-4030 on Mar 5, 2026

Conversation

@jaysoo jaysoo commented Mar 4, 2026

Current Behavior

Several security-related issues reported:

  1. copy-webpack-plugin (@nx/webpack still pins copy-webpack-plugin@^10.2.4 (keeps fast-glob in dependency tree) #34632): @nx/webpack and @nx/next pin copy-webpack-plugin@^10.2.4 which transitively depends on serialize-javascript@^6.0.1 (vulnerable) and fast-glob (supply-chain risk).

  2. koa ([CSV koa 3.0.1] @nx/module-federation@21.6.10 #34621): @nx/module-federation transitively pulls koa@3.0.3 via @module-federation/dts-plugin, which is vulnerable to CVE-2026-27959 (Host Header Injection, fixed in koa 3.1.2).

  3. css-minimizer-webpack-plugin: @nx/webpack pins ^5.0.0 which also depends on vulnerable serialize-javascript@^6.0.1.

  4. @module-federation/enhanced: Versions <2.1.0 transitively install vulnerable koa via dts-plugin.

  5. Next.js: Versions 16.0.x are vulnerable to GHSA-9g9p-9gw9-jx7f (Image Optimizer DoS) and GHSA-5f7q-jpqc-wp7h (PPR Resume memory consumption).

  6. minimatch (minimatch still giving critical vulnerability in 10.2.1 #34701): User reports minimatch vulnerability, but the Nx pnpm catalog already pins the patched version 10.2.4. No code change needed — users should delete their lockfile and reinstall.

Expected Behavior

  1. copy-webpack-plugin bumped to ^14.0.0 which uses serialize-javascript@^7.0.3 (patched). Added noErrorOnMissing: true to all 3 copy-webpack-plugin usage sites to handle the v14 breaking change where missing glob patterns now throw errors by default.

  2. css-minimizer-webpack-plugin bumped to ^8.0.0 which uses serialize-javascript@^7.0.3 (patched).

  3. koa bumped to ^3.1.2 in @nx/node versions.ts. @module-federation/dts-plugin@2.1.0 completely removes koa dependency.

  4. @module-federation/enhanced, runtime, sdk bumped to ^2.1.0 across all packages (@nx/module-federation, @nx/react, @nx/angular, @nx/rspack). Added noErrorOnMissing fix for @module-federation/enhanced 2.x runtime-library-control.plugin.ts compatibility.

  5. Next.js bumped to ~16.1.6 and eslint-config-next to ^16.1.6.

  6. minimatch — no change needed, already resolved.

Migrations added (22.6.0-beta.10)

  • @nx/module-federation: Bump MF packages to ^2.1.0
  • @nx/react: Bump @module-federation/enhanced to ^2.1.0
  • @nx/angular: Bump @module-federation/enhanced to ^2.1.0
  • @nx/node: Bump koa to ^3.1.2
  • @nx/next: Bump next to ~16.1.6

Skipped

  • esbuild (<=0.24.2, moderate severity, dev server only): Fix requires breaking change jump from ^0.19.2 to 0.25+. Will address separately.

Testing

Created a fresh Nx workspace with all affected plugins to verify npm audit is clean after changes:

  • @nx/next (nextapp)
  • @nx/webpack (webpackapp)
  • @nx/rspack (shell, remote1, remote2 via Module Federation)
  • @nx/module-federation (shell + remotes with MF config)
  • @nx/react (MF host/remotes)
  • @nx/node + koa (api)

├── apps
│   ├── api                  # @nx/node (koa)
│   ├── nextapp              # @nx/next
│   ├── remote1              # @nx/react + rspack + MF
│   ├── remote2              # @nx/react + rspack + MF
│   ├── shell                # @nx/react + rspack + MF (host)
│   └── webpackapp           # @nx/webpack

Post-change audit result — only remaining issue is esbuild (moderate, skipped intentionally):

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server
and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install esbuild@0.27.3, which is a breaking change

1 moderate severity vulnerability

Related Issue(s)

Fixes #34632
Fixes #34621
Fixes #34701

@jaysoo jaysoo requested review from a team, FrozenPandaz and vsavkin as code owners March 4, 2026 19:11
@jaysoo jaysoo requested a review from Coly010 March 4, 2026 19:11
nx-cloud bot commented Mar 4, 2026

View your CI Pipeline Execution ↗ for commit 5091899

Command Status Duration Result
nx affected --targets=lint,test,build,e2e,e2e-c... ✅ Succeeded 12m 40s View ↗
nx run-many -t check-imports check-lock-files c... ✅ Succeeded 3m 28s View ↗
nx-cloud record -- nx-cloud conformance:check ✅ Succeeded 8s View ↗
nx-cloud record -- nx format:check ✅ Succeeded 2s View ↗
nx-cloud record -- nx sync:check ✅ Succeeded <1s View ↗

☁️ Nx Cloud last updated this comment at 2026-03-05 22:36:49 UTC

@jaysoo jaysoo requested a review from a team as a code owner March 4, 2026 23:32
@jaysoo jaysoo force-pushed the NXC-4030 branch 2 times, most recently from 3650581 to e2d8f02 Compare March 4, 2026 23:43
@vadimka123

Hi @jaysoo,

there is also a security issue with serialize-javascript
in two places: copy-webpack-plugin and css-minimizer-webpack-plugin.
Can css-minimizer-webpack-plugin please be updated too?

Mr-Jami commented Mar 5, 2026

can we get an update on this?

jaysoo commented Mar 5, 2026

> there is also a security issue with serialize-javascript
> in two places: copy-webpack-plugin and css-minimizer-webpack-plugin.
> Can css-minimizer-webpack-plugin please be updated too?

I'm taking a look.

@jaysoo jaysoo force-pushed the NXC-4030 branch 3 times, most recently from d9064a3 to bc5ef99 Compare March 5, 2026 18:50
@jaysoo jaysoo requested a review from a team as a code owner March 5, 2026 18:50
@jaysoo jaysoo force-pushed the NXC-4030 branch 2 times, most recently from eea2797 to 0f65682 Compare March 5, 2026 19:18
@jaysoo jaysoo force-pushed the NXC-4030 branch 3 times, most recently from 006acbc to 60e221c Compare March 5, 2026 21:54
@nx-cloud nx-cloud bot left a comment
Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud is proposing a fix for your failed CI:

We updated the test expectations in application.spec.ts to reflect the Next.js version bump from 16.0.1 to 16.1.6. The test was failing because it had hardcoded expectations for the old version numbers, but the PR intentionally upgraded to 16.1.6 to address critical security vulnerabilities (GHSA-9g9p-9gw9-jx7f and GHSA-5f7q-jpqc-wp7h).

Warning

We could not verify this fix.

diff --git a/packages/next/src/generators/application/application.spec.ts b/packages/next/src/generators/application/application.spec.ts
index b83819564c..86b8fa31ba 100644
--- a/packages/next/src/generators/application/application.spec.ts
+++ b/packages/next/src/generators/application/application.spec.ts
@@ -644,8 +644,8 @@ describe('app', () => {
         const packageJson = readJson(tree, '/package.json');
         expect(packageJson).toMatchObject({
           devDependencies: {
-            'eslint-config-next': '^16.0.1',
-            '@next/eslint-plugin-next': '^16.0.1',
+            'eslint-config-next': '^16.1.6',
+            '@next/eslint-plugin-next': '^16.1.6',
           },
         });
       });
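Review bot: the two `+` lines only swap one hardcoded version literal for another, so this test will fail again on the next Next.js bump for exactly the reason it failed here; consider asserting against the version constants the generator itself reads from the package's versions file (assumed names such as `nextVersion` / `eslintConfigNextVersion`) instead of the literals `'^16.1.6'`. Also note that the PR description only lists `eslint-config-next` being bumped to ^16.1.6, while the second changed line also expects `'@next/eslint-plugin-next': '^16.1.6'`; confirm that the generator really writes ^16.1.6 for both, since the bot states it could not verify this fix.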

…nimatch)

1. `@nx/webpack` and `@nx/next` depend on `copy-webpack-plugin@^10.2.4`
   which pulls `fast-glob` (supply-chain risk) and
   `serialize-javascript@^6.0.2` (GHSA-5c6j-r48x-rmvq, RCE).
2. `@nx/module-federation` depends on `@module-federation/enhanced@^0.21.2`
   (4 minor versions behind, transitively pulls vulnerable `koa@3.0.3`).
3. `@nx/node` scaffolds projects with `koa@^3.0.3` (CVE-2026-27959).

1. copy-webpack-plugin bumped to `^14.0.0`: drops `fast-glob` for
   `tinyglobby`, bumps `serialize-javascript` to `^7.0.3`. Verified
   clean via `npm audit`.
2. `@module-federation/enhanced` and `@module-federation/sdk` bumped to
   `^2.0.1`. Includes `resolveShare` resolver return type fix for 2.x
   compatibility.
3. `koaVersion` in `@nx/node` bumped to `^3.1.2` so new projects get
   the patched version.

Note: koa CVE in `@module-federation/dts-plugin` remains an upstream
issue (module-federation/core#4419 merged but not yet released). Will
be resolved when upstream publishes a new version.

Fixes #34632
Fixes #34621
Fixes #34701
@FrozenPandaz FrozenPandaz merged commit cb6452c into master Mar 5, 2026
24 checks passed
@FrozenPandaz FrozenPandaz deleted the NXC-4030 branch March 5, 2026 22:56
Mr-Jami commented Mar 6, 2026

@FrozenPandaz @jaysoo quick question, since the PR got merged, when would this be released?

@github-actions

This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 12, 2026