From 1c8f964c33aefa447f8983537d4f8d92897518b8 Mon Sep 17 00:00:00 2001
From: Benjamin Cabanes <3447705+bcabanes@users.noreply.github.com>
Date: Wed, 18 Jun 2025 14:17:25 -0400
Subject: [PATCH] docs(nx-dev): add CVE reference on security (#31627)
Improved the clarity of the caching-risk wording, added a detailed explanation of the CREEP vulnerability, and linked to the CVE-2025-36852 publication.
---
.../security/cache-poisoning-protection.tsx | 8 +-
.../src/lib/security/failing-compliance.tsx | 92 +++++++++++++++----
.../src/lib/security/personal-access.tsx | 1 +
.../lib/security/why-ci-security-matters.tsx | 4 +-
.../platform/cost-efficient-compute.tsx | 2 +-
.../src/lib/solutions/solutions-faq.tsx | 4 +-
6 files changed, 86 insertions(+), 25 deletions(-)
diff --git a/nx-dev/ui-enterprise/src/lib/security/cache-poisoning-protection.tsx b/nx-dev/ui-enterprise/src/lib/security/cache-poisoning-protection.tsx
index 6c3353d59f..5f9a45895e 100644
--- a/nx-dev/ui-enterprise/src/lib/security/cache-poisoning-protection.tsx
+++ b/nx-dev/ui-enterprise/src/lib/security/cache-poisoning-protection.tsx
@@ -28,7 +28,7 @@ export function CachePoisoningProtection(): ReactElement {
Cache Poisoning Protection, By Design
- Protect your main branch – and your customers – from compromised
+ Protect your main branch — and your customers — from compromised
builds.
@@ -61,7 +61,7 @@ export function CachePoisoningProtection(): ReactElement {
/>
Writes only from trusted CI branches{' '}
- – By default, the cache artifacts are reused within each pull
+ — By default, the cache artifacts are reused within each pull
request. Only artifacts from trusted CI pipelines should enter
the shared cache used by everyone. PR environments can't poison
main.
@@ -74,7 +74,7 @@ export function CachePoisoningProtection(): ReactElement {
/>
Artifact traceability{' '}
- – Artifacts are tied to the identity and permissions of the user
+ — Artifacts are tied to the identity and permissions of the user
or process that created them.
@@ -85,7 +85,7 @@ export function CachePoisoningProtection(): ReactElement {
/>
Automatic invalidation{' '}
- – Revoke a token and every artifact it produced becomes
+ — Revoke a token and every artifact it produced becomes
unusable.
diff --git a/nx-dev/ui-enterprise/src/lib/security/failing-compliance.tsx b/nx-dev/ui-enterprise/src/lib/security/failing-compliance.tsx
index 80a3d1350b..fe8f3060b2 100644
--- a/nx-dev/ui-enterprise/src/lib/security/failing-compliance.tsx
+++ b/nx-dev/ui-enterprise/src/lib/security/failing-compliance.tsx
@@ -1,12 +1,7 @@
'use client';
import {
- BugAntIcon,
- DocumentCheckIcon,
ExclamationTriangleIcon,
- EyeSlashIcon,
- FingerPrintIcon,
- LinkSlashIcon,
- ServerIcon,
+ ShieldExclamationIcon,
} from '@heroicons/react/24/outline';
import {
ButtonLink,
@@ -27,26 +22,79 @@ export function FailingCompliance(): ReactElement {
Rolling Your Own Cache Fails in Regulated Sectors
- Unmanaged caching may be convenient now—but it’s a liability down
- the road.
+ Unmanaged caching may be convenient now — but it’s a liability
+ down the road.
- If you operate in a regulated sector—
+ If you operate in a regulated sector —{' '}
finance, healthcare, government, defense, aerospace, or
pharmaceuticals
+ {' '}
+ — self-hosting your remote cache may expose you to{' '}
+
+ serious risks like the{' '}
+
+ CREEP
+ {' '}
+ cache poisoning vulnerability
- —self-hosting your remote cache may expose you to{' '}
- serious risks like cache poisoning.
+ .
-
+
+
+
Community-built cache solutions reading and writing directly from
- the file storage are vulnerable to the Cache Poisoning by
- Construction attack resulting in any contributor with pull request
- privileges being able to potentially inject compromised artifacts
- into production environments without detection.{' '}
+ the file storage are vulnerable to the{' '}
+
+ CREEP
+ {' '}
+ attack resulting in any contributor with pull request privileges
+ being able to potentially inject compromised artifacts into
+ production environments without detection.{' '}
This vulnerability completely circumvents conventional security
protections like encryption, access control and key management
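Review bot: The new copy introduces the vulnerability only as the link text `CREEP` (the added lines around the `CREEP` / `cache poisoning vulnerability` fragments), so a reader who does not follow the link — or who reads the page text via a screen reader, search index or copy-paste — has no identifier to look up; the commit message cites CVE-2025-36852, so naming it in the rendered text, e.g. `CREEP (CVE-2025-36852)`, would make the claim independently verifiable. The same applies to the later "Questions about CREEP" hunk in this file. The anchor markup itself is not visible in this extracted hunk, so I cannot confirm the href target or whether an external link here carries `rel="noopener noreferrer"`; worth a glance when landing this. The surrounding unchanged sentence that the vulnerability "completely circumvents conventional security protections like encryption, access control and key management" is strong wording for a security page — while this paragraph is being edited, consider scoping it to what the advisory actually states.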
@@ -129,11 +177,23 @@ export function FailingCompliance(): ReactElement {
+
+ Questions about{' '}
+
+ CREEP
+ {' '}
+ or your security posture?
+ Contact our team for a personalized assessment.
+
Talk to an expert
diff --git a/nx-dev/ui-enterprise/src/lib/security/personal-access.tsx b/nx-dev/ui-enterprise/src/lib/security/personal-access.tsx
index 477bc5515d..2ea14301bd 100644
--- a/nx-dev/ui-enterprise/src/lib/security/personal-access.tsx
+++ b/nx-dev/ui-enterprise/src/lib/security/personal-access.tsx
@@ -69,6 +69,7 @@ export function PersonalAccess(): ReactElement {
diff --git a/nx-dev/ui-enterprise/src/lib/security/why-ci-security-matters.tsx b/nx-dev/ui-enterprise/src/lib/security/why-ci-security-matters.tsx
index 28d4a0f252..2d878199da 100644
--- a/nx-dev/ui-enterprise/src/lib/security/why-ci-security-matters.tsx
+++ b/nx-dev/ui-enterprise/src/lib/security/why-ci-security-matters.tsx
@@ -29,7 +29,7 @@ export function WhyCiSecurityMatters(): ReactElement {
Why CI Security Matters
- CI pipelines are often an overlooked threat – and your cache is a
+ CI pipelines are often an overlooked threat — and your cache is a
critical entry point.
@@ -60,7 +60,7 @@ export function WhyCiSecurityMatters(): ReactElement {
/>
Build artifacts can be compromised and deployed{' '}
- – if left unprotected
+ — if left unprotected
diff --git a/nx-dev/ui-enterprise/src/lib/solutions/platform/cost-efficient-compute.tsx b/nx-dev/ui-enterprise/src/lib/solutions/platform/cost-efficient-compute.tsx
index 89a6e56a35..ff204202a3 100644
--- a/nx-dev/ui-enterprise/src/lib/solutions/platform/cost-efficient-compute.tsx
+++ b/nx-dev/ui-enterprise/src/lib/solutions/platform/cost-efficient-compute.tsx
@@ -74,7 +74,7 @@ export function CostEfficientCompute(): ReactElement {
variant="title"
id="cost-efficient-compute-without-sacrificing-speed-title"
>
- Cost-Efficient Compute – Without Sacrificing Speed
+ Cost-Efficient Compute — Without Sacrificing Speed
Reduce infrastructure costs without compromising performance.
diff --git a/nx-dev/ui-enterprise/src/lib/solutions/solutions-faq.tsx b/nx-dev/ui-enterprise/src/lib/solutions/solutions-faq.tsx
index e9b1fdc2fa..d565dc752d 100644
--- a/nx-dev/ui-enterprise/src/lib/solutions/solutions-faq.tsx
+++ b/nx-dev/ui-enterprise/src/lib/solutions/solutions-faq.tsx
@@ -32,12 +32,12 @@ export function SolutionsFaq(): ReactElement {
{
question: 'Do I need to migrate to Nx all at once?',
answerJson:
- 'Not at all. Nx can be incrementally adopted. You can start with just your team – and expand at your own pace.',
+ 'Not at all. Nx can be incrementally adopted. You can start with just your team — and expand at your own pace.',
answerUi: (
<>
Not at all. Nx can be incrementally adopted. You can start with just
- your team – and expand at your own pace.
+ your team — and expand at your own pace.