npm - @module-federation/modern-js - Versions diffs - 0.0.0-next-20250401023940 → 0.0.0-next-20250401085244 - Mend

@module-federation/modern-js 0.0.0-next-20250401023940 → 0.0.0-next-20250401085244

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cjs/cli/configPlugin.js +22 -6
package/dist/esm/cli/configPlugin.js +23 -6
package/dist/esm-node/cli/configPlugin.js +22 -6
package/package.json +7 -7

package/dist/cjs/cli/configPlugin.js CHANGED Viewed

@@ -37,6 +37,7 @@ __export(configPlugin_exports, {
 module.exports = __toCommonJS(configPlugin_exports);
 var import_path = __toESM(require("path"));
 var import_utils = require("./utils");
+var import_logger = __toESM(require("./logger"));
 function setEnv(enableSSR) {
   if (enableSSR) {
     process.env["MF_DISABLE_EMIT_STATS"] = "true";
@@ -81,7 +82,7 @@ const moduleFederationConfigPlugin = (userConfig) => ({
       userConfig.distOutputDir = chain.output.get("path") || import_path.default.resolve(process.cwd(), "dist");
     });
     api.config(() => {
-      var _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
+      var _modernjsConfig_tools, _devServerConfig_headers, _userConfig_csrConfig, _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
       const bundlerType = api.getAppContext().bundlerType === "rspack" ? "rspack" : "webpack";
       const ipv4 = (0, import_utils.getIPV4)();
       if (userConfig.remoteIpStrategy === void 0) {
@@ -91,15 +92,30 @@ const moduleFederationConfigPlugin = (userConfig) => ({
           userConfig.remoteIpStrategy = "ipv4";
         }
       }
+      const devServerConfig = (_modernjsConfig_tools = modernjsConfig.tools) === null || _modernjsConfig_tools === void 0 ? void 0 : _modernjsConfig_tools.devServer;
+      const corsWarnMsgs = [
+        ", which exposes your dev server to all origins, potentially compromising your source code security. It is recommended to specify an allowlist of trusted origins instead."
+      ];
+      if (typeof devServerConfig !== "object" || !("headers" in devServerConfig)) {
+        corsWarnMsgs.unshift('Detect devServer.headers is empty, mf modern plugin will add default cors header: devServer.headers["Access-Control-Allow-Headers"] = "*"');
+      } else if (((_devServerConfig_headers = devServerConfig.headers) === null || _devServerConfig_headers === void 0 ? void 0 : _devServerConfig_headers["Access-Control-Allow-Headers"]) === "*") {
+        corsWarnMsgs.unshift('Detect devServer.headers["Access-Control-Allow-Headers"] is *');
+      }
+      const exposes = (_userConfig_csrConfig = userConfig.csrConfig) === null || _userConfig_csrConfig === void 0 ? void 0 : _userConfig_csrConfig.exposes;
+      const hasExposes = exposes && Array.isArray(exposes) ? exposes.length : Object.keys(exposes !== null && exposes !== void 0 ? exposes : {}).length;
+      if (corsWarnMsgs.length > 1 && hasExposes) {
+        import_logger.default.warn(corsWarnMsgs.join(""));
+      }
+      const corsHeaders = hasExposes ? {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
+        "Access-Control-Allow-Headers": "*"
+      } : void 0;
       var _modernjsConfig_source_enableAsyncEntry;
       return {
         tools: {
           devServer: {
-            headers: {
-              "Access-Control-Allow-Origin": "*",
-              "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-              "Access-Control-Allow-Headers": "*"
-            }
+            headers: corsHeaders
           }
         },
         source: {

package/dist/esm/cli/configPlugin.js CHANGED Viewed

@@ -1,7 +1,9 @@
 import { _ as _async_to_generator } from "@swc/helpers/_/_async_to_generator";
+import { _ as _type_of } from "@swc/helpers/_/_type_of";
 import { _ as _ts_generator } from "@swc/helpers/_/_ts_generator";
 import path from "path";
 import { patchBundlerConfig, getIPV4, getMFConfig, patchMFConfig, addMyTypes2Ignored, isWebTarget, skipByTarget } from "./utils";
+import logger from "./logger";
 function setEnv(enableSSR) {
   if (enableSSR) {
     process.env["MF_DISABLE_EMIT_STATS"] = "true";
@@ -55,7 +57,7 @@ var moduleFederationConfigPlugin = function(userConfig) {
                 userConfig.distOutputDir = chain.output.get("path") || path.resolve(process.cwd(), "dist");
               });
               api.config(function() {
-                var _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
+                var _modernjsConfig_tools, _devServerConfig_headers, _userConfig_csrConfig, _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
                 var bundlerType = api.getAppContext().bundlerType === "rspack" ? "rspack" : "webpack";
                 var ipv4 = getIPV4();
                 if (userConfig.remoteIpStrategy === void 0) {
@@ -65,15 +67,30 @@ var moduleFederationConfigPlugin = function(userConfig) {
                     userConfig.remoteIpStrategy = "ipv4";
                   }
                 }
+                var devServerConfig = (_modernjsConfig_tools = modernjsConfig.tools) === null || _modernjsConfig_tools === void 0 ? void 0 : _modernjsConfig_tools.devServer;
+                var corsWarnMsgs = [
+                  ", which exposes your dev server to all origins, potentially compromising your source code security. It is recommended to specify an allowlist of trusted origins instead."
+                ];
+                if ((typeof devServerConfig === "undefined" ? "undefined" : _type_of(devServerConfig)) !== "object" || !("headers" in devServerConfig)) {
+                  corsWarnMsgs.unshift('Detect devServer.headers is empty, mf modern plugin will add default cors header: devServer.headers["Access-Control-Allow-Headers"] = "*"');
+                } else if (((_devServerConfig_headers = devServerConfig.headers) === null || _devServerConfig_headers === void 0 ? void 0 : _devServerConfig_headers["Access-Control-Allow-Headers"]) === "*") {
+                  corsWarnMsgs.unshift('Detect devServer.headers["Access-Control-Allow-Headers"] is *');
+                }
+                var exposes = (_userConfig_csrConfig = userConfig.csrConfig) === null || _userConfig_csrConfig === void 0 ? void 0 : _userConfig_csrConfig.exposes;
+                var hasExposes = exposes && Array.isArray(exposes) ? exposes.length : Object.keys(exposes !== null && exposes !== void 0 ? exposes : {}).length;
+                if (corsWarnMsgs.length > 1 && hasExposes) {
+                  logger.warn(corsWarnMsgs.join(""));
+                }
+                var corsHeaders = hasExposes ? {
+                  "Access-Control-Allow-Origin": "*",
+                  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
+                  "Access-Control-Allow-Headers": "*"
+                } : void 0;
                 var _modernjsConfig_source_enableAsyncEntry;
                 return {
                   tools: {
                     devServer: {
-                      headers: {
-                        "Access-Control-Allow-Origin": "*",
-                        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-                        "Access-Control-Allow-Headers": "*"
-                      }
+                      headers: corsHeaders
                     }
                   },
                   source: {

package/dist/esm-node/cli/configPlugin.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import path from "path";
 import { patchBundlerConfig, getIPV4, getMFConfig, patchMFConfig, addMyTypes2Ignored, isWebTarget, skipByTarget } from "./utils";
+import logger from "./logger";
 function setEnv(enableSSR) {
   if (enableSSR) {
     process.env["MF_DISABLE_EMIT_STATS"] = "true";
@@ -44,7 +45,7 @@ const moduleFederationConfigPlugin = (userConfig) => ({
       userConfig.distOutputDir = chain.output.get("path") || path.resolve(process.cwd(), "dist");
     });
     api.config(() => {
-      var _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
+      var _modernjsConfig_tools, _devServerConfig_headers, _userConfig_csrConfig, _modernjsConfig_source, _modernjsConfig_source1, _modernjsConfig_dev;
       const bundlerType = api.getAppContext().bundlerType === "rspack" ? "rspack" : "webpack";
       const ipv4 = getIPV4();
       if (userConfig.remoteIpStrategy === void 0) {
@@ -54,15 +55,30 @@ const moduleFederationConfigPlugin = (userConfig) => ({
           userConfig.remoteIpStrategy = "ipv4";
         }
       }
+      const devServerConfig = (_modernjsConfig_tools = modernjsConfig.tools) === null || _modernjsConfig_tools === void 0 ? void 0 : _modernjsConfig_tools.devServer;
+      const corsWarnMsgs = [
+        ", which exposes your dev server to all origins, potentially compromising your source code security. It is recommended to specify an allowlist of trusted origins instead."
+      ];
+      if (typeof devServerConfig !== "object" || !("headers" in devServerConfig)) {
+        corsWarnMsgs.unshift('Detect devServer.headers is empty, mf modern plugin will add default cors header: devServer.headers["Access-Control-Allow-Headers"] = "*"');
+      } else if (((_devServerConfig_headers = devServerConfig.headers) === null || _devServerConfig_headers === void 0 ? void 0 : _devServerConfig_headers["Access-Control-Allow-Headers"]) === "*") {
+        corsWarnMsgs.unshift('Detect devServer.headers["Access-Control-Allow-Headers"] is *');
+      }
+      const exposes = (_userConfig_csrConfig = userConfig.csrConfig) === null || _userConfig_csrConfig === void 0 ? void 0 : _userConfig_csrConfig.exposes;
+      const hasExposes = exposes && Array.isArray(exposes) ? exposes.length : Object.keys(exposes !== null && exposes !== void 0 ? exposes : {}).length;
+      if (corsWarnMsgs.length > 1 && hasExposes) {
+        logger.warn(corsWarnMsgs.join(""));
+      }
+      const corsHeaders = hasExposes ? {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
+        "Access-Control-Allow-Headers": "*"
+      } : void 0;
       var _modernjsConfig_source_enableAsyncEntry;
       return {
         tools: {
           devServer: {
-            headers: {
-              "Access-Control-Allow-Origin": "*",
-              "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-              "Access-Control-Allow-Headers": "*"
-            }
+            headers: corsHeaders
           }
         },
         source: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@module-federation/modern-js",
-  "version": "0.0.0-next-20250401023940",
+  "version": "0.0.0-next-20250401085244",
   "files": [
     "dist/",
     "types.d.ts",
@@ -89,11 +89,11 @@
     "@swc/helpers": "0.5.13",
     "node-fetch": "~3.3.0",
     "react-error-boundary": "4.1.2",
-    "@module-federation/rsbuild-plugin": "0.0.0-next-20250401023940",
-    "@module-federation/enhanced": "0.0.0-next-20250401023940",
-    "@module-federation/node": "0.0.0-next-20250401023940",
-    "@module-federation/sdk": "0.0.0-next-20250401023940",
-    "@module-federation/cli": "0.0.0-next-20250401023940"
+    "@module-federation/rsbuild-plugin": "0.0.0-next-20250401085244",
+    "@module-federation/enhanced": "0.0.0-next-20250401085244",
+    "@module-federation/node": "0.0.0-next-20250401085244",
+    "@module-federation/sdk": "0.0.0-next-20250401085244",
+    "@module-federation/cli": "0.0.0-next-20250401085244"
   },
   "devDependencies": {
     "@modern-js/app-tools": "2.65.1",
@@ -101,7 +101,7 @@
     "@modern-js/module-tools": "2.65.1",
     "@modern-js/runtime": "2.65.1",
     "@modern-js/tsconfig": "2.65.1",
-    "@module-federation/manifest": "0.0.0-next-20250401023940"
+    "@module-federation/manifest": "0.0.0-next-20250401085244"
   },
   "peerDependencies": {
     "react": ">=17",