feat: add security.allowedRemoteOrigins

[2heal1]

Description

add an optional remote origin allowlist for remote entry loading without changing the default behavior

Related Issue

Types of changes

• Docs change / refactoring / dependency upgrade
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• I have added tests to cover my changes.
• All new and existing tests passed.
• I have updated the documentation.

[changeset-bot]

🦋 Changeset detected

Latest commit: 543aea9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 45 packages

Name	Type
@module-federation/enhanced	Patch
@module-federation/runtime	Patch
@module-federation/runtime-core	Patch
@module-federation/modern-js-v3	Patch
@module-federation/modern-js	Patch
@module-federation/nextjs-mf	Patch
@module-federation/node	Patch
@module-federation/rsbuild-plugin	Patch
@module-federation/rspress-plugin	Patch
@module-federation/storybook-addon	Patch
shared-tree-shaking-no-server-host	Patch
shared-tree-shaking-no-server-provider	Patch
@module-federation/devtools	Patch
@module-federation/data-prefetch	Patch
@module-federation/dts-plugin	Patch
@module-federation/esbuild	Patch
@module-federation/metro	Patch
@module-federation/retry-plugin	Patch
@module-federation/runtime-tools	Patch
@module-federation/webpack-bundler-runtime	Patch
@module-federation/bridge-react	Patch
@module-federation/bridge-vue3	Patch
shared-tree-shaking-with-server-host	Patch
shared-tree-shaking-with-server-provider	Patch
node-dynamic-remote-new-version	Patch
node-dynamic-remote	Patch
remote5	Patch
remote6	Patch
website-new	Patch
@module-federation/metro-plugin-rnc-cli	Patch
@module-federation/metro-plugin-rnef	Patch
@module-federation/rspack	Patch
@module-federation/inject-external-runtime-core-plugin	Patch
@module-federation/sdk	Patch
@module-federation/managers	Patch
@module-federation/manifest	Patch
@module-federation/third-party-dts-extractor	Patch
@module-federation/bridge-shared	Patch
@module-federation/bridge-react-webpack-plugin	Patch
@module-federation/error-codes	Patch
create-module-federation	Patch
@module-federation/cli	Patch
@module-federation/treeshake-server	Patch
@module-federation/treeshake-frontend	Patch
@module-federation/utilities	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[netlify]

✅ Deploy Preview for module-federation-docs ready!

Name	Link
🔨 Latest commit	543aea9
🔍 Latest deploy log	https://app.netlify.com/projects/module-federation-docs/deploys/69ef4ea2f843f800081b5402
😎 Deploy Preview	https://deploy-preview-4692--module-federation-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[pkg-pr-new]

Open in StackBlitz

@module-federation/devtools

pnpm add https://pkg.pr.new/@module-federation/devtools@543aea9

@module-federation/cli

pnpm add https://pkg.pr.new/@module-federation/cli@543aea9

create-module-federation

pnpm add https://pkg.pr.new/create-module-federation@543aea9

@module-federation/data-prefetch

pnpm add https://pkg.pr.new/@module-federation/data-prefetch@543aea9

@module-federation/dts-plugin

pnpm add https://pkg.pr.new/@module-federation/dts-plugin@543aea9

@module-federation/enhanced

pnpm add https://pkg.pr.new/@module-federation/enhanced@543aea9

@module-federation/error-codes

pnpm add https://pkg.pr.new/@module-federation/error-codes@543aea9

@module-federation/esbuild

pnpm add https://pkg.pr.new/@module-federation/esbuild@543aea9

@module-federation/managers

pnpm add https://pkg.pr.new/@module-federation/managers@543aea9

@module-federation/manifest

pnpm add https://pkg.pr.new/@module-federation/manifest@543aea9

@module-federation/metro

pnpm add https://pkg.pr.new/@module-federation/metro@543aea9

@module-federation/metro-plugin-rnc-cli

pnpm add https://pkg.pr.new/@module-federation/metro-plugin-rnc-cli@543aea9

@module-federation/metro-plugin-rnef

pnpm add https://pkg.pr.new/@module-federation/metro-plugin-rnef@543aea9

@module-federation/modern-js

pnpm add https://pkg.pr.new/@module-federation/modern-js@543aea9

@module-federation/modern-js-v3

pnpm add https://pkg.pr.new/@module-federation/modern-js-v3@543aea9

@module-federation/native-federation-tests

pnpm add https://pkg.pr.new/@module-federation/native-federation-tests@543aea9

@module-federation/native-federation-typescript

pnpm add https://pkg.pr.new/@module-federation/native-federation-typescript@543aea9

@module-federation/nextjs-mf

pnpm add https://pkg.pr.new/@module-federation/nextjs-mf@543aea9

@module-federation/node

pnpm add https://pkg.pr.new/@module-federation/node@543aea9

@module-federation/retry-plugin

pnpm add https://pkg.pr.new/@module-federation/retry-plugin@543aea9

@module-federation/rsbuild-plugin

pnpm add https://pkg.pr.new/@module-federation/rsbuild-plugin@543aea9

@module-federation/rspack

pnpm add https://pkg.pr.new/@module-federation/rspack@543aea9

@module-federation/rspress-plugin

pnpm add https://pkg.pr.new/@module-federation/rspress-plugin@543aea9

@module-federation/runtime

pnpm add https://pkg.pr.new/@module-federation/runtime@543aea9

@module-federation/runtime-core

pnpm add https://pkg.pr.new/@module-federation/runtime-core@543aea9

@module-federation/runtime-tools

pnpm add https://pkg.pr.new/@module-federation/runtime-tools@543aea9

@module-federation/sdk

pnpm add https://pkg.pr.new/@module-federation/sdk@543aea9

@module-federation/storybook-addon

pnpm add https://pkg.pr.new/@module-federation/storybook-addon@543aea9

@module-federation/third-party-dts-extractor

pnpm add https://pkg.pr.new/@module-federation/third-party-dts-extractor@543aea9

@module-federation/treeshake-frontend

pnpm add https://pkg.pr.new/@module-federation/treeshake-frontend@543aea9

@module-federation/treeshake-server

pnpm add https://pkg.pr.new/@module-federation/treeshake-server@543aea9

@module-federation/typescript

pnpm add https://pkg.pr.new/@module-federation/typescript@543aea9

@module-federation/utilities

pnpm add https://pkg.pr.new/@module-federation/utilities@543aea9

@module-federation/webpack-bundler-runtime

pnpm add https://pkg.pr.new/@module-federation/webpack-bundler-runtime@543aea9

@module-federation/bridge-react

pnpm add https://pkg.pr.new/@module-federation/bridge-react@543aea9

@module-federation/bridge-react-webpack-plugin

pnpm add https://pkg.pr.new/@module-federation/bridge-react-webpack-plugin@543aea9

@module-federation/bridge-shared

pnpm add https://pkg.pr.new/@module-federation/bridge-shared@543aea9

@module-federation/bridge-vue3

pnpm add https://pkg.pr.new/@module-federation/bridge-vue3@543aea9

@module-federation/inject-external-runtime-core-plugin

pnpm add https://pkg.pr.new/@module-federation/inject-external-runtime-core-plugin@543aea9

commit: 543aea9

[github-actions]

Bundle Size Report

19 package(s) changed, 21 unchanged.

Package dist + ESM entry

Package	Total dist (raw)	Delta	ESM gzip	Delta
@module-federation/bridge-react	368.0 kB	+5.8 kB (+1.6%)	1.3 kB	+1 B (+0.1%)
@module-federation/bridge-vue3	151.4 kB	+4.1 kB (+2.8%)	23.1 kB	+619 B (+2.7%)
@module-federation/cli	26.3 kB	no change	786 B	no change
@module-federation/core	39.1 kB	no change	173 B	no change
@module-federation/devtools	487.9 kB	no change	3.9 kB	no change
@module-federation/dts-plugin	306.7 kB	+528 B (+0.2%)	4.6 kB	no change
@module-federation/enhanced	818.3 kB	+4.2 kB (+0.5%)	672 B	no change
@module-federation/managers	69.8 kB	no change	334 B	no change
@module-federation/manifest	138.0 kB	no change	182 B	no change
@module-federation/metro-plugin-rnc-cli	0 B	no change	314 B	no change
@module-federation/node	193.4 kB	no change	217 B	no change
@module-federation/retry-plugin	62.2 kB	+528 B (+0.8%)	2.8 kB	no change
@module-federation/rsbuild-plugin	120.0 kB	+97 B (+0.1%)	91 B	no change
@module-federation/runtime	19.5 kB	+13 B (+0.1%)	616 B	no change
@module-federation/runtime-core	260.0 kB	+7.2 kB (+2.8%)	477 B	no change
@module-federation/sdk	121.1 kB	+242 B (+0.2%)	798 B	no change
@module-federation/storybook-addon	77.6 kB	no change	100 B	no change
@module-federation/utilities	110.6 kB	no change	328 B	no change
@module-federation/webpack-bundler-runtime	94.7 kB	+562 B (+0.6%)	405 B	no change

Bundle targets

Package	Web bundle (gzip)	Delta	Node bundle (gzip)	Delta
@module-federation/bridge-react	17.9 kB	+408 B (+2.3%)	18.2 kB	+372 B (+2.0%)
@module-federation/bridge-vue3	17.7 kB	+471 B (+2.7%)	17.4 kB	+453 B (+2.6%)
@module-federation/cli	2.3 kB	-31 B (-1.3%)	2.3 kB	-31 B (-1.3%)
@module-federation/core	1.1 kB	-30 B (-2.7%)	1.0 kB	-29 B (-2.7%)
@module-federation/devtools	21.3 kB	-28 B (-0.1%)	21.3 kB	-28 B (-0.1%)
@module-federation/dts-plugin	14.3 kB	no change	14.3 kB	no change
@module-federation/enhanced	2.6 kB	-43 B (-1.6%)	2.6 kB	-43 B (-1.6%)
@module-federation/managers	2.4 kB	-25 B (-1.0%)	2.4 kB	-25 B (-1.0%)
@module-federation/manifest	6.2 kB	-36 B (-0.6%)	6.2 kB	-36 B (-0.6%)
@module-federation/metro-plugin-rnc-cli	411 B	-25 B (-5.7%)	411 B	-25 B (-5.7%)
@module-federation/node	9.2 kB	-27 B (-0.3%)	9.2 kB	-27 B (-0.3%)
@module-federation/retry-plugin	1.8 kB	no change	1.8 kB	no change
@module-federation/rsbuild-plugin	4.5 kB	no change	4.5 kB	no change
@module-federation/runtime	625 B	no change	625 B	no change
@module-federation/runtime-core	14.2 kB	+482 B (+3.4%)	13.9 kB	+485 B (+3.5%)
@module-federation/sdk	4.7 kB	no change	5.5 kB	no change
@module-federation/storybook-addon	1.9 kB	-23 B (-1.2%)	1.7 kB	-23 B (-1.3%)
@module-federation/utilities	2.6 kB	-31 B (-1.2%)	2.6 kB	-31 B (-1.2%)
@module-federation/webpack-bundler-runtime	4.0 kB	no change	4.0 kB	no change

Consumer scenarios

Scenario	Web output (gzip)	Delta	Node output (gzip)	Delta	Gap (node-web)	Delta
Enhanced remoteEntry	20.3 kB	+455 B (+2.2%)	21.3 kB	+429 B (+2.0%)	+1007 B	-26 B

Total dist (raw): 6.35 MB (+23.2 kB (+0.4%))
Total ESM gzip: 74.6 kB (+620 B (+0.8%))
Total web bundle (gzip): 180.9 kB (+1.0 kB (+0.6%))
Total node bundle (gzip): 181.2 kB (+1012 B (+0.5%))
Tracked ./bundler entry gzip: 556 B (no change)
Tracked ./bundler web bundle (gzip): 4.8 kB (no change)
Tracked ./bundler node bundle (gzip): 4.8 kB (no change)

Bundle sizes are generated with rslib (Rspack). Package-root metrics preserve the historical report. Tracked subpath exports such as ./bundler are measured separately so ENV_TARGET-driven tree-shaking is visible. Bare imports are externalized to keep package-level sizes consistent, and assets are emitted as resources.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 95fbbeaadf

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Normalize URL scheme before allowlist classification

parseNetworkRemoteUrl only classifies inputs as network URLs when they start with lowercase http://, https://, or //. URL schemes are case-insensitive, so an entry like HTTP://evil.example/remoteEntry.js parses and loads as HTTP but returns undefined here, causing assertRemoteOriginAllowed to skip enforcement and allowing security.allowedRemoteOrigins to be bypassed for those inputs.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Validate final entry URL after rewrite hooks

getRemoteEntry validates remoteInfo.entry before checking the remoteEntryExports fast path and before any getEntryUrl rewrite is applied, so flows that depend on URL rewriting (for example retry-domain rotation via getEntryUrl in packages/retry-plugin/src/script-retry.ts) are rejected on the original URL even when the rewritten URL would be allowed. This also throws for callers that already provide remoteEntryExports and do not need a network fetch.

Useful? React with 👍 / 👎.