Vulnerable `esbuild` version (<=0.24.2) introduced via `@modern-js/node-bundle-require`

[nxtwave-studios]

Clear and concise description of the problem

• Body: This is where you'll provide all the details. Copy and paste the following template, filling in any relevant information about your environment:
  Description:

Suggested solution

I'm encountering a persistent security vulnerability related to the esbuild package (specifically versions <=0.24.2) in my project when using @module-federation/nextjs-mf. After running npm audit, I'm consistently presented with a moderate severity warning related to the following vulnerability:

• Vulnerability: esbuild enables any website to send any requests to the development server and read the response

Alternative

• Advisory Link: GHSA-67mh-4wv8-2f99

Dependency Chain:

Additional context

Through npm ls esbuild, I've identified the dependency chain that's introducing the vulnerable version:

Validations

• Read the Contributing Guidelines.
• Check that there isn't already an issue that request the same feature to avoid creating a duplicate.

[Julien-Marcou]

This security issue cannot currently be resolved, see web-infra-dev/modern.js#6993 (comment)

TLDR, we need:

• Modern.js to release a breaking change (presumably in a v3), which is to drop support for Node.js v16, so that they can upgrade to esbuild >= v0.25
• Module-fedaration to upgrade Modern.js to this new version

I guess we'll have to wait a couple of months (after Jun 30), to see how it evolves

[techfg]

FYI - modern.js just released v2.68.0 which depends on esbuild 0.25.5 and resolves web-infra-dev/modern.js#6993 😄