@nx/module-federation pins webpack dependency to an exact version

[cbascom]

The https://github.com/nrwl/nx/blob/master/packages/module-federation/package.json file pins the webpack dependency to version 5.88.0 specifically. Is there a reason it needs to be a specific version like that?

CVE-2024-43788 was fixed in webpack 5.94.0 is the reason I am asking. We use @nx/react which has a dependency on @nx/module-federation which in turn depends on webpack. Our security scanners complain about the 5.88.0 version because of this CVE. It is only a dev dependency, so not really a security concern, but it would be nice to quiet down our security scanners if there is not some specific reason to pin to this specific version of webpack.

I'm happy to submit a PR to change the dependency version as well if there is no reason not to. I would like to understand the following before doing so though:

• Is anything special as far as testing required for a change like this?
• Should it still be pinned to an exact version again like it is now or can it be relaxed to allow the use of all compatible minor or patch releases in the future?