Conversation

@zackarychapple (Contributor)

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • apps/mobile-checkout/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue                                    Score
medium severity  Open Redirect           648
                 SNYK-JS-KOA-10944994

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect

@claude

claude bot commented Aug 11, 2025

Claude finished @zackarychapple's task


Comprehensive PR Security Review 🔒

This PR upgrades @module-federation/enhanced from 0.13.1 to 0.18.0 to fix an Open Redirect vulnerability (SNYK-JS-KOA-10944994, score: 648).

📋 Review Findings & Recommendations

  • High, multiple apps: Version inconsistency across micro-frontends. Recommendation: update all apps (mobile-host, mobile-cart, mobile-orders, mobile-inventory) to use 0.18.0 to maintain consistency in the Module Federation architecture.
  • High, pnpm-lock.yaml: Lock file not updated. Recommendation: run pnpm install to update the lock file with the new version constraints and security fixes.
  • Medium, apps/mobile-checkout/: Missing integration tests. Recommendation: add tests to verify Module Federation functionality still works after the major version upgrade.
  • Medium, root workspace: Breaking change risk. Recommendation: test the upgrade thoroughly, as it spans 5 major versions (0.13.1 → 0.18.0) and may introduce breaking changes.
  • Low, rspack.config.mjs:53: ModuleFederationPluginV2 usage. Recommendation: verify the plugin API remains compatible with the new version, especially the dts: false and exposes configuration.

🔍 Detailed Analysis

Architecture Impact:

  • This is a micro-frontend React Native app using Module Federation
  • The upgrade affects how this app exposes components (CheckoutSection, CheckoutSuccessScreen) to the host app
  • Version mismatch with other micro-frontends could cause runtime federation issues

Security Benefits:

  • ✅ Fixes Open Redirect vulnerability in the koa dependency chain
  • ✅ Automated Snyk security upgrade
  • ✅ Addresses a medium-high severity issue (score: 648/1000)

Testing Gaps:

  • No unit tests found in apps/mobile-checkout/
  • No integration tests to verify Module Federation compatibility
  • Risk of federation runtime errors between apps with different versions

Code Quality Considerations:

// Current configuration in rspack.config.mjs:53
new Repack.plugins.ModuleFederationPluginV2({
  name: 'MobileCheckout',
  filename: 'MobileCheckout.container.js.bundle',
  dts: false,
  exposes: {
    './CheckoutSection': './src/components/CheckoutSection',
    './CheckoutSuccessScreen': './src/screens/CheckoutSuccessScreen',
  },
  shared: getSharedDependencies({eager: STANDALONE}),
})

Overall Quality Score: 6/10

Top 3 Next Steps:

  1. Update all micro-frontend apps to use @module-federation/enhanced@0.18.0 for consistency
  2. Run integration tests to ensure Module Federation still works across all apps
  3. Update pnpm-lock.yaml by running pnpm install to lock in security fixes

Recommendation: Approve after addressing version consistency. The security fix is important, but it should be applied consistently across all micro-frontends to avoid runtime federation issues.


Note: Writing @claude please review in a comment will trigger a full review.
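The version-consistency check the review above asks for, as an added example that is not code from this PR or the project: it parses each app's package.json text and reports every app whose declared @module-federation/enhanced version differs from the expected one. The package.json contents are constructed here; only the app names come from the review, and the versions other than mobile-checkout's 0.18.0 are made up.

```javascript
// Added example, not code from this PR or the project: report apps whose
// declared version of one dependency drifts from the expected one (the
// "version inconsistency" finding above). In a real workspace the texts below
// would be read with fs.readFileSync from apps/<app>/package.json.
const DEP = '@module-federation/enhanced';
const EXPECTED = '0.18.0';

// Constructed sample package.json texts (not the project's real files); only
// mobile-checkout carries the version this PR introduces.
const SAMPLE_PACKAGE_JSON = {
  'mobile-checkout': '{"name":"mobile-checkout","dependencies":{"@module-federation/enhanced":"0.18.0"}}',
  'mobile-host': '{"name":"mobile-host","dependencies":{"@module-federation/enhanced":"0.13.1"}}',
  'mobile-cart': '{"name":"mobile-cart","devDependencies":{"@module-federation/enhanced":"0.13.1"}}',
  'mobile-orders': '{"name":"mobile-orders","dependencies":{"@module-federation/enhanced":"^0.18.0"}}',
  'mobile-inventory': '{"name":"mobile-inventory","dependencies":{"react":"18.2.0"}}',
};

// Declared range for `dep` in a parsed package.json, checked across every
// dependency section; null when the package does not declare it at all.
function declaredVersion(pkg, dep) {
  for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) {
    if (pkg[section] && typeof pkg[section][dep] === 'string') return pkg[section][dep];
  }
  return null;
}

// Compare each app's declared version of `dep` with `expected`. The comparison
// is deliberately on the declared string, so "^0.18.0" is reported as drift
// from "0.18.0" and a reviewer decides, rather than the check silently treating
// overlapping ranges as equal. Apps that do not declare `dep` are listed too.
function checkDependencyDrift(packageJsonByApp, dep, expected) {
  const mismatches = [];
  const missing = [];
  for (const [app, text] of Object.entries(packageJsonByApp)) {
    const version = declaredVersion(JSON.parse(text), dep);
    if (version === null) missing.push(app);
    else if (version !== expected) mismatches.push({ app, version });
  }
  return { consistent: mismatches.length === 0, mismatches, missing };
}

const report = checkDependencyDrift(SAMPLE_PACKAGE_JSON, DEP, EXPECTED);
for (const { app, version } of report.mismatches) {
  console.log(`${app}: ${DEP} is ${version}, expected ${EXPECTED}`);
}
console.log(`apps not declaring ${DEP}: ${report.missing.join(', ') || 'none'}`);
```

A CI step can fail the build whenever `report.consistent` is false, which catches this kind of single-app Snyk upgrade before it reaches a federated runtime.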
