Repository: vercel/microfrontends. Description: Build microfrontends on Vercel Stars: 34, Forks: 8. Primary language: TypeScript. Languages: TypeScript (98.9%), JavaScript (1.1%). License: MIT. Homepage: https://vercel.com/docs/microfrontends Topics: micro-frontends, microfrontends, multi-zones, nextjs, react, sveltekit, vercel, vite. Latest release: @vercel/microfrontends@2.3.1 (1w ago). Open PRs: 6, open issues: 0. Last activity: 1d ago. Community health: 75%. Top contributors: kitfoster, vercel-release-bot, mknichel, tonypan2, vercel[bot].
Based on the original PR https://github.com/vercel/microfrontends/pull/35 by @SferaDev to fix https://github.com/vercel/microfrontends/issues/34.

This PR upgrades , which fixes a security vulnerability.

This PR supports the change in behaviour of the default regex used by , https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894
Describe the bug

@vercel/microfrontends@2.2.2 depends on , which has a known high-severity ReDoS vulnerability (CVE-2024-45296, GHSA-9wv6-86v2-598j). When users apply the recommended pnpm security override to patch this vulnerability, pnpm resolves it to 8.3.0, which has a breaking API change. This causes Next.js static page generation to fail with on any page using the microfrontends Link component.

Steps to reproduce issue

1. Create a Next.js 16 project with @vercel/microfrontends@2.2.2
2. Use the Link component from @vercel/microfrontends/next/client in any page (e.g., not-found.tsx)
3. Run pnpm audit and observe the high-severity vulnerability warning for path-to-regexp
4. Add the recommended override to package.json:
5. Run pnpm install && pnpm build
6. Build fails during static page generation

Expected behavior

1. @vercel/microfrontends should ship with path-to-regexp@6.3.0 (the patched version) instead of 6.2.1 (vulnerable) so users don't need to add overrides
2. If users do add a security override, the build should not break

Additional context
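The failure mode in this issue, a security override whose range admits a new major of the patched package, can be caught before `pnpm install` runs. The following is an added example, not code from vercel/microfrontends or from pnpm: it reads the `pnpm.overrides` block of a package.json object, compares each range against the version currently locked for that package, and flags any override that could resolve to a different major. The package.json and locked versions are constructed sample data; the `>=6.3.0` override is an assumption about the shape of the recommended override, which the issue text does not show.

```javascript
// Added example: flag pnpm overrides whose version range can resolve to a
// different major than the version currently locked. A major bump (6.x -> 8.x
// in this issue) can carry breaking API changes even when it removes a CVE.
// Supports exact versions, ^, ~, >, >=, <, <= and space-separated
// conjunctions ("> =6.3.0 <7"); "||" and hyphen ranges are rejected.

// Constructed sample package.json (not from any real project).
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  pnpm: {
    overrides: {
      "path-to-regexp": ">=6.3.0", // open-ended: also admits 7.x and 8.x
      "some-other-lib": "^1.4.2",  // stays inside 1.x
    },
  },
};

// Constructed sample of what the lockfile currently resolves each package to.
const LOCKED = { "path-to-regexp": "6.2.1", "some-other-lib": "1.4.0" };

// "6.3.0" -> [6, 3, 0]; prerelease and build metadata are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Span of majors admitted by one comparator/range token, e.g. ">=6.3.0".
function tokenMajorSpan(tok) {
  const m = /^(\^|~|>=|<=|>|<)?v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?/.exec(tok);
  if (!m) throw new Error(`unsupported range token: ${tok}`);
  const op = m[1] || "";
  const major = Number(m[2]);
  const minor = m[3] === undefined || /x|\*/.test(m[3]) ? null : Number(m[3]);
  const patch = m[4] === undefined || /x|\*/.test(m[4]) ? null : Number(m[4]);
  switch (op) {
    case "": case "^": case "~":
      return { min: major, max: major };          // pinned to one major
    case ">": case ">=":
      return { min: major, max: Infinity };       // unbounded above
    case "<=":
      return { min: 0, max: major };
    case "<":
      // "<7" or "<7.0.0" excludes all of 7.x; "<7.1.0" still admits 7.0.x
      return { min: 0, max: minor || patch ? major : major - 1 };
    default:
      throw new Error(`unsupported operator: ${op}`);
  }
}

// Intersect the spans of all tokens in a space-separated range.
function rangeMajorSpan(range) {
  if (range.includes("||")) throw new Error("alternation (||) not supported here");
  let span = { min: 0, max: Infinity };
  for (const tok of range.trim().split(/\s+/)) {
    const t = tokenMajorSpan(tok);
    span = { min: Math.max(span.min, t.min), max: Math.min(span.max, t.max) };
  }
  return span;
}

// True only if every version the range admits shares the locked major.
function staysWithinMajor(range, lockedVersion) {
  const locked = parseVersion(lockedVersion)[0];
  const { min, max } = rangeMajorSpan(range);
  return min === locked && max === locked;
}

// Walk pnpm.overrides and report entries that may cross a major boundary.
function auditOverrides(pkgJson, locked) {
  const findings = [];
  const overrides = (pkgJson.pnpm && pkgJson.pnpm.overrides) || {};
  for (const [name, range] of Object.entries(overrides)) {
    if (!(name in locked)) {
      findings.push({ name, range, status: "not-in-lockfile" });
    } else if (!staysWithinMajor(range, locked[name])) {
      findings.push({ name, range, locked: locked[name], status: "crosses-major" });
    }
  }
  return findings;
}

for (const f of auditOverrides(SAMPLE_PACKAGE_JSON, LOCKED)) {
  console.log(`${f.status}: ${f.name} override "${f.range}" (locked ${f.locked})`);
}
```

Pinning the override inside the vulnerable package's major (`^6.3.0`, or `>=6.3.0 <7`) keeps the ReDoS fix without silently adopting the 8.x route-syntax changes; moving to 8.x then becomes a deliberate upgrade reviewed against the linked path-to-regexp commit.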