@nx/webpack uses sass-loader@^12.2.0 which is 3 years old. It includes node-sass as a peerDependency and since some npm 7+ installs peerDependencies by default, this leads to some pretty old software with several vulnerabilities getting auto-installed.

node-sass has the following vulnerabilities reported:

• Out-of-Bounds: medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-535498
• NULL Pointer Dereference – high severity, https://snyk.io/vuln/SNYK-JS-NODESASS-535500
• Out-of-bounds Read – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540958
• Uncontrolled Recursion – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540964
• Denial of Service (DoS) – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540978
• NULL Pointer Dereference – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540992
• Out-of-Bounds – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-540998
• Use After Free – high severity, https://snyk.io/vuln/SNYK-JS-NODESASS-541000
• Out-of-bounds Read – medium severity, https://snyk.io/vuln/SNYK-JS-NODESASS-541002
• Subdependency request: Server-side Request Forgery (SSRF) – medium severity, https://snyk.io/vuln/SNYK-JS-REQUEST-3361831

The fix would be to update sass-loader to a recent version (14.2.1), and while the breaking changes are pretty small, I'm not sure how NX wants to handle them which is why I haven't opened a PR. That said, here is a cumulative list of breaking changes between v12 and v14:

• removed fibers support
• minimum supported Node.js version is 18.12.0 (627f55d)
• emit @warn at-rules as webpack warnings by default, if you want to revert behavior please use the warnRuleAsWarning option (webpack-contrib/sass-loader#1054) (58ffb68)