fix(dts-plugin): update koa to 2.16.2 to fix CVE-2025-8129 (#3963)

ScriptedAlchemy · claude · web-flow · commit 08f089a434a9 · 2025-07-31T15:48:59.000-07:00
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.changeset/fix-koa-security-vulnerability.md b/.changeset/fix-koa-security-vulnerability.md
@@ -0,0 +1,10 @@
+---
+"@module-federation/dts-plugin": patch
+---
+
+fix(dts-plugin): update koa to 2.16.2 to fix CVE-2025-8129
+
+Security fix for open redirect vulnerability (GHSA-jgmv-j7ww-jx2x) in koa dependency.
+Updates koa from 2.16.1 to 2.16.2 to prevent attackers from manipulating the Referrer 
+header in koa's back redirect functionality. Version 2.16.2 restricts redirects to 
+same-origin only, preventing malicious external redirects.
diff --git a/packages/dts-plugin/package.json b/packages/dts-plugin/package.json
@@ -60,7 +60,7 @@
     "chalk": "3.0.0",
     "fs-extra": "9.1.0",
     "isomorphic-ws": "5.0.0",
-    "koa": "2.16.1",
+    "koa": "2.16.2",
     "log4js": "6.9.1",
     "node-schedule": "2.1.1",
     "ws": "8.18.0"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
