When using create-nx-workspace@latest with the --preset=react-monorepo option and setting Vite as the bundler, Webpack is added as a dependency for @nx/module-federation. #29693

Open
VinoSakthiv opened this issue Jan 21, 2025 · 0 comments
Labels
scope: module federation Issues related to module federation support type: bug

Current Behavior

Webpack is added as a dependency for @nx/module-federation.
This package has a vulnerability reported by npm audit:
webpack 5.0.0-alpha.0 - 5.93.0
Severity: moderate
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - GHSA-4vvj-4cpr-p986
fix available via npm audit fix --force
Will install @nx/[email protected], which is a breaking change
node_modules/webpack
@nx/module-federation *
Depends on vulnerable versions of webpack
node_modules/@nx/module-federation
@nx/react <=0.0.0-pr-29636-e3c31b7 || >=20.2.0-beta.0
Depends on vulnerable versions of @nx/module-federation
node_modules/@nx/react

Expected Behavior

As we are using Vite as the bundler, this should add @originjs/vite-plugin-federation for module federation instead of @nx/module-federation.

GitHub Repo

No response

Steps to Reproduce

  1. Create a new monorepo using the command below, with the choices below.

npx create-nx-workspace@latest react-monorepo --preset=react-monorepo

√ Application name · image-generator
√ Which bundler would you like to use? · vite
√ Test runner to use for end to end (E2E) tests · cypress
√ Default stylesheet format · scss
√ Which CI provider would you like to use? · skip
√ Would you like remote caching to make your build faster? · skip

This creates a React monorepo with Vite as the bundler, but it also adds @nx/module-federation, which adds webpack as a dependency that is not required for a Vite bundler project.

npm list webpack

-- @nx/[email protected]
+-- @nx/[email protected]
| +-- @module-federation/[email protected]
| | -- [email protected] deduped
| +-- @module-federation/[email protected]
| | +-- @module-federation/[email protected]
| | | -- [email protected] deduped
| | -- [email protected] deduped
| -- [email protected]
| -- [email protected]
| -- [email protected] deduped
-- [email protected]
`-- [email protected] deduped

Nx Report

Node           : 20.14.0
OS             : win32-x64
Native Target  : x86_64-windows
npm            : 10.7.0

nx (global)            : 20.2.2
nx                     : 20.3.2
@nx/js                 : 20.3.2
@nx/jest               : 20.3.2
@nx/eslint             : 20.3.2
@nx/workspace          : 20.3.2
@nx/cypress            : 20.3.2
@nx/devkit             : 20.3.2
@nx/eslint-plugin      : 20.3.2
@nx/module-federation  : 20.3.2
@nx/react              : 20.3.2
@nx/vite               : 20.3.2
@nx/web                : 20.3.2
typescript             : 5.6.3
---------------------------------------
Registered Plugins:
@nx/vite/plugin
@nx/eslint/plugin
@nx/cypress/plugin
@nx/jest/plugin

Failure Logs

Package Manager Version

10.7.0

Operating System

  • macOS
  • Linux
  • Windows
  • Other (Please specify)

Additional Information

No response

@VinoSakthiv VinoSakthiv changed the title create-nx-workspace@latest with --preset=react-monorepo , with Bundler as Vite adds Webpack as dependency for @nx/module-federation When using create-nx-workspace@latest with the --preset=react-monorepo option and setting Vite as the bundler, Webpack is added as a dependency for @nx/module-federation. Jan 21, 2025
@AgentEnder AgentEnder added the scope: module federation Issues related to module federation support label Jan 22, 2025
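
Added example, not part of the original issue and not Nx or npm code: a small Node script that walks the `packages` map of a package-lock.json and reports the dependency chain that installs a webpack version inside the range npm audit quotes above (5.0.0-alpha.0 - 5.93.0). The function names are hypothetical, the range check is simplified to "any 5.x up to 5.93.0", and the sample lockfile is constructed (the webpack version in it is made up).

```javascript
// Added example: trace how a webpack in the advisory range gets installed.
// Simplified check for the range npm audit quotes: 5.0.0-alpha.0 - 5.93.0.
function isVulnerableWebpack(version) {
  const [, major, minor, patch] = (/^(\d+)\.(\d+)\.(\d+)/.exec(version || "") || []).map(Number);
  return major === 5 && (minor < 93 || (minor === 93 && patch === 0));
}

// Resolve a dependency like Node does: nearest enclosing node_modules first.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}
const nameOf = (path) => path.split("node_modules/").pop();

// Breadth-first from the workspace root: shortest chain to each vulnerable install.
function findVulnerableChains(lock) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]);
  const chains = [], queue = [""];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path] || {};
    if (nameOf(path) === "webpack" && isVulnerableWebpack(pkg.version)) {
      const chain = [];
      for (let p = path; p; p = parent.get(p)) chain.unshift(`${nameOf(p)}@${packages[p].version}`);
      chains.push(chain);
      continue;
    }
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (target && !parent.has(target)) { parent.set(target, path); queue.push(target); }
    }
  }
  return chains;
}

// Constructed sample lockfile; the webpack version is made up for illustration.
const sampleLock = { packages: {
  "": { devDependencies: { "@nx/react": "20.3.2" } },
  "node_modules/@nx/react": { version: "20.3.2", dependencies: { "@nx/module-federation": "20.3.2" } },
  "node_modules/@nx/module-federation": { version: "20.3.2", dependencies: { webpack: "5.88.0" } },
  "node_modules/webpack": { version: "5.88.0" },
} };
console.log(findVulnerableChains(sampleLock).map((c) => c.join(" > ")));
```

To check a real workspace, pass the parsed contents of its package-lock.json to `findVulnerableChains` instead of `sampleLock`.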