Summary
The published npm tarball for @module-federation/bridge-react-webpack-plugin@2.3.2 (and likely prior versions) includes test fixture package.json files from __tests__/mockRouterDir/. Security scanners (e.g. JFrog Xray, Snyk) scan every package.json inside a tarball and treat these mock stubs as real installed packages. This causes the entire tarball to be blocked from download by any organization with a CVE-blocking policy, completely breaking pnpm install / npm install in CI/CD.
Reproduction
curl -s https://registry.npmjs.org/@module-federation/bridge-react-webpack-plugin/-/bridge-react-webpack-plugin-2.3.2.tgz | tar -tzf - | grep package.json
Output:
package/__tests__/mockRouterDir/router-v5/react-router-dom/package.json
package/__tests__/mockRouterDir/router-v6/react-router-dom/package.json
package/__tests__/mockRouterDir/router-v7/react-router/package.json
package/package.json
The file package/__tests__/mockRouterDir/router-v7/react-router/package.json declares:
{
"name": "react-router",
"version": "7.0.0"
}
This is a mock stub used by the test suite to simulate router v7. It is not a real dependency — the real root package.json has no react-router dependency at all. However, JFrog Xray (and similar scanners) find this file inside the tarball and flag it with all CVEs affecting react-router@7.0.0.
Impact
With a CVE-blocking download policy enabled (common in enterprise environments), JFrog Xray returns a hard HTTP 403 on the tarball:
ERR_PNPM_FETCH_403 GET .../bridge-react-webpack-plugin-2.3.2.tgz: 403
npm-notice: Artifact download request rejected: bridge-react-webpack-plugin-2.3.2.tgz
was not downloaded due to the download blocking policy configured in Xray
X-Artifactory-Xray-Origin: true
The 6 CVEs in react-router@7.0.0 that trigger the block (all fixed in ≥7.12.0):
This completely breaks CI/CD pipelines — pnpm install exits with code 1 and the build cannot proceed. The pnpm.overrides workaround ("react-router": ">=7.13.0") does not help because Xray blocks the tarball before pnpm can even download it — the override never gets a chance to apply.
Note: This is distinct from issue #4474 which described react-router as an actual runtime dependency. In this package, react-router is not a real dependency at all — the block is a false positive caused solely by test fixtures being included in the published tarball.
Root Cause
The package.json for this package has no files allowlist and there is no .npmignore, so npm falls back to its default of publishing everything not excluded by .gitignore, which here includes __tests__/:
// packages/bridge/bridge-react-webpack-plugin/package.json
{
"name": "@module-federation/bridge-react-webpack-plugin",
"version": "2.3.2"
// no "files" field — everything gets published, including __tests__/
}
Suggested Fix
Add a files field to packages/bridge/bridge-react-webpack-plugin/package.json to allowlist only the dist output:
{
"files": [
"dist/",
"README.md",
"LICENSE"
]
}
Or add a .npmignore in packages/bridge/bridge-react-webpack-plugin/:
__tests__/
*.test.*
*.spec.*
vitest.config.ts
vite.config.ts
Either approach keeps the test fixtures (and their mock package.json stubs declaring old, CVE-affected router versions) out of the published tarball and removes the false-positive scan blocks. The files allowlist is the more robust of the two, since a .npmignore denylist has to be kept in sync with every new test directory. Before publishing, npm pack --dry-run lists exactly what would ship, so the fix can be verified without cutting a release.
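As a pre-publish guard, the listing that npm pack --dry-run --json produces can be audited automatically so a nested package.json or a stray __tests__/ tree fails the build before anything reaches the registry. The script below is an added example and is not code from the original report or from the module-federation project; the file lists embedded in it are constructed to mirror the tarball listing above (sizes are made up), and the `check-pack.js` filename and its optional file argument are assumptions for illustration.

```javascript
// Added example (not from the original report or the module-federation project):
// audit the output of `npm pack --dry-run --json` and flag anything a vulnerability
// scanner could misread as an installed dependency. Assumed usage:
//   npm pack --dry-run --json > pack.json && node check-pack.js pack.json

// Paths that should never ship. The first three mirror the .npmignore suggested above.
const TEST_PATTERNS = [
  /^__tests__\//,
  /\.(test|spec)\.[cm]?[jt]sx?$/,
  /^(vitest|vite|jest)\.config\.[cm]?[jt]s$/,
];

// `npm pack --json` reports paths relative to the package root (no `package/` prefix).
// Every package.json other than the root manifest is a "stray" manifest: scanners read
// its name/version as a real package.
function findStrayManifests(packEntry) {
  return packEntry.files
    .map((f) => f.path)
    .filter((p) => p !== 'package.json' && p.split('/').pop() === 'package.json');
}

// Any file matching a test/fixture pattern; these belong in the repo, not the tarball.
function findTestArtifacts(packEntry) {
  return packEntry.files
    .map((f) => f.path)
    .filter((p) => TEST_PATTERNS.some((re) => re.test(p)));
}

// Audit one pack entry (npm emits an array with one entry per packed package).
// `ok` is false when the tarball would carry a stray manifest or a test artifact.
function auditPack(packOutput) {
  const entry = Array.isArray(packOutput) ? packOutput[0] : packOutput;
  const strayManifests = findStrayManifests(entry);
  const testArtifacts = findTestArtifacts(entry);
  return {
    name: entry.name,
    version: entry.version,
    strayManifests,
    testArtifacts,
    ok: strayManifests.length === 0 && testArtifacts.length === 0,
  };
}

// Constructed sample modelled on the 2.3.2 tarball listing in the report.
const SAMPLE_PACK_OUTPUT = [{
  name: '@module-federation/bridge-react-webpack-plugin',
  version: '2.3.2',
  files: [
    { path: 'package.json', size: 900, mode: 420 },
    { path: 'dist/index.js', size: 12000, mode: 420 },
    { path: '__tests__/mockRouterDir/router-v5/react-router-dom/package.json', size: 50, mode: 420 },
    { path: '__tests__/mockRouterDir/router-v6/react-router-dom/package.json', size: 50, mode: 420 },
    { path: '__tests__/mockRouterDir/router-v7/react-router/package.json', size: 45, mode: 420 },
    { path: '__tests__/index.spec.ts', size: 2000, mode: 420 },
  ],
}];

// Constructed sample of the listing once the `files` allowlist is in place.
const SAMPLE_FIXED_OUTPUT = [{
  name: '@module-federation/bridge-react-webpack-plugin',
  version: '2.3.2',
  files: [
    { path: 'package.json', size: 900, mode: 420 },
    { path: 'dist/index.js', size: 12000, mode: 420 },
    { path: 'README.md', size: 300, mode: 420 },
    { path: 'LICENSE', size: 1100, mode: 420 },
  ],
}];

// With a file argument, audit real `npm pack --dry-run --json` output and fail the
// build on findings; without one, audit the constructed sample so this runs offline.
const inputPath = process.argv[2];
if (inputPath) {
  const report = auditPack(JSON.parse(require('node:fs').readFileSync(inputPath, 'utf8')));
  console.log(JSON.stringify(report, null, 2));
  process.exitCode = report.ok ? 0 : 1;
} else {
  console.log(JSON.stringify(auditPack(SAMPLE_PACK_OUTPUT), null, 2));
  console.log(JSON.stringify(auditPack(SAMPLE_FIXED_OUTPUT), null, 2));
}
```

Wired into a prepublishOnly script, the audit turns the problem described in this report into a failed `npm publish` rather than a blocked download weeks later in someone else's CI.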
Environment
- Package:
@module-federation/bridge-react-webpack-plugin@2.3.2
- Package manager: pnpm
- Security scanner: JFrog Xray
- Upstream chain:
@module-federation/nextjs-mf@8.8.64 → @module-federation/enhanced@2.3.2 → @module-federation/bridge-react-webpack-plugin@2.3.2
Used Package Manager
pnpm
Validations