Skip to content

Fix esbuild vulnerability by upgrading dependency constraints #161

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Copilot wants to merge 6 commits into
base: main
Choose a base branch
from
+1,504 −2,160
Open

Fix esbuild vulnerability by upgrading dependency constraints #161

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
40da4d7
Initial plan
Copilot Jan 12, 2026
1e8e545
Fix esbuild vulnerability by adding override for esbuild ^0.25.0
Copilot Jan 12, 2026
ea5d1e5
Add comprehensive fix summary documentation
Copilot Jan 12, 2026
4c66177
Merge branch 'main' into copilot/upgrade-storybook-and-vite
73junito Jan 16, 2026
c851140
Update package.json
73junito Jan 17, 2026
d1c5953
Update documentation to reflect esbuild ^0.27.2 override
Copilot Jan 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 123 additions & 0 deletions ESBUILD_VULNERABILITY_FIX_SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
# esbuild Vulnerability Fix Summary

## Issue
Security advisory GHSA-67mh-4wv8-2f99 for esbuild <=0.24.2

## Resolution
Fixed by updating npm overrides to force esbuild ^0.27.2 throughout the dependency tree.

## Changes Made

### 1. Root package.json
```diff
"overrides": {
"vitest": "4.0.16",
"unbuild": "3.6.1",
- "esbuild": "0.27.2"
+ "esbuild": "^0.27.2"
}
```

### 2. packages/ui/package.json
```diff
"devDependencies": {
"@storybook/addon-vitest": "^10.1.11",
...
- "esbuild": "^0.27.2",
...
}
```

### 3. Git Submodules
Initialized ollama-js submodule:
```bash
git submodule update --init --recursive
```

## Verification

### Root Package
```bash
$ cd /home/runner/work/autolearnpro/autolearnpro
$ npm audit
found 0 vulnerabilities

$ npm ls esbuild
lms-ai-mcp-server@1.0.0
└─┬ ollama-js@npm:ollama@0.0.0 -> ./lib/ollama-js
├─┬ unbuild@2.0.0 overridden
│ ├── esbuild@0.27.2 overridden ✅ SAFE
│ └─┬ mkdist@1.6.0
│ └── esbuild@0.27.2 deduped ✅ SAFE
└─┬ vitest@2.1.9 overridden
└─┬ vite@5.4.21
└── esbuild@0.27.2 deduped ✅ SAFE
```

### packages/ui
```bash
$ cd packages/ui
$ pnpm install
# Successfully installed

$ pnpm list --depth 0
devDependencies:
vite 7.3.0 ✅
vitest 4.0.16 ✅
@storybook/builder-vite 10.1.11 ✅
@storybook/react-vite 10.1.11 ✅
```

## Security Impact

**Before:**
- esbuild versions: 0.19.12, 0.21.5, 0.24.2 (all vulnerable)
- npm audit: 7 moderate vulnerabilities

**After:**
- esbuild versions: 0.27.2 (root), 0.27.2 (packages/ui via Vite 7)
- npm audit: **0 vulnerabilities** ✅

## Compatibility

### Storybook + Vite 7
Storybook 10.1.11 supports Vite 7.x:
```json
// @storybook/builder-vite@10.1.11 peer dependencies
{
"vite": "^5.0.0 || ^6.0.0 || ^7.0.0"
}
```

### Dependency Versions
- Vite: 7.3.0 (latest, safe)
- Storybook: 10.1.11 (Vite 7 compatible)
- vitest: 4.0.16 (Vite 7 compatible)
- esbuild: 0.27.2 (latest, patched, safe)

## Known Issues (Pre-existing)

Storybook build fails due to syntax errors in story files:
- `packages/ui/src/components/common/FormInput.stories.tsx`
- `packages/ui/src/components/home/SiteHeader.stories.tsx`

These files contain duplicate content starting at line 15 and need to be fixed separately.

## Rollback Plan

If issues occur, revert the commit:
```bash
git revert 1e8e545
npm install
```

## References

- Advisory: https://github.com/advisories/GHSA-67mh-4wv8-2f99
- Affected versions: esbuild <=0.24.2
- Fixed in: esbuild 0.25.0+
- Severity: Moderate
- Issue: CORS settings vulnerability allowing any website to send requests to dev server

## Date
2026-01-12
Loading
Loading