
esbuild security issue #700

Closed
mfulton26 opened this issue Feb 12, 2025 · 6 comments

Comments

@mfulton26

May we get esbuild updated to 0.25.0 to address GHSA-67mh-4wv8-2f99?

@luhn

luhn commented Feb 12, 2025

Open PR: #698

@nwalters512
Contributor

tsx isn't impacted by the vulnerability reported in esbuild. tsx only uses esbuild's transformation API, it doesn't use the development server.

@xsjcTony

Although it's kind of a false positive report regarding the vulnerability, I'd say it is still worth it to bump esbuild to 0.25.0 as long as there are no breaking changes.

Any packages in the dependency tree that rely on tsx will be flagged as vulnerable, and I believe this is going to violate a large number of businesses' security policies.

It's especially impacting vite, which is huge.
Those are my only usages of tsx in the dependency tree, but it reports such a large number of false positives 😂
@kmturley

kmturley commented Feb 18, 2025

This issue blocks any pipeline which includes esbuild or upstream packages such as vitest along with the command `npm audit`.

> The npm audit command will exit with a 0 exit code if no vulnerabilities were found. The npm audit fix command will exit with 0 exit code if no vulnerabilities are found or if the remediation is able to successfully fix all vulnerabilities.
> If vulnerabilities were found the exit code will depend on the audit-level config.
> https://docs.npmjs.com/cli/v9/commands/npm-audit#exit-code

The exit code is to prevent builds from being deployed with vulnerable code. Even though in this case the code is not used, the pipeline will still be blocked until either:

  1. Package is updated
  2. Command is updated to: npm audit --audit-level high to ignore moderate issues.

@mdmower-csnw
Contributor

While I also hope #698 is accepted, the maintainer seems to have a stance on these kinds of updates, so I don't hold my breath. See comments in #615.

A workaround that I use when package versions are compatible is to override the transitive dependency version in package.json. See npm doc or pnpm doc, depending on your package manager.

For example, add this to package.json if you use npm to manage packages:

```json
"overrides": {
  "esbuild": "0.25.0"
}
```

and then run npm install.
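The two mechanics discussed in the thread, the audit-level gate that decides whether `npm audit` blocks a pipeline and the overrides workaround for pinning a transitive esbuild, as an added illustration that is not part of this issue or of tsx's own code. It assumes a trimmed `npm audit --json` shape (constructed sample below) and the documented override keys: top-level `overrides` for npm and `pnpm.overrides` for pnpm.

```python
import json
from typing import Any, Dict

# Severity ranking used by npm audit's --audit-level, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def audit_blocks(audit_json: Dict[str, Any], audit_level: str = "info") -> bool:
    """Return True if an `npm audit` report at this audit-level would exit non-zero.

    Mirrors the documented rule: any finding whose severity is at or above the
    configured level fails the run; lower-severity findings are ignored.
    """
    threshold = SEVERITY_ORDER.index(audit_level)
    for finding in audit_json.get("vulnerabilities", {}).values():
        if SEVERITY_ORDER.index(finding["severity"]) >= threshold:
            return True
    return False


def add_override(package_json: Dict[str, Any], name: str, version: str,
                 manager: str = "npm") -> Dict[str, Any]:
    """Pin a transitive dependency through the package manager's overrides field.

    npm reads a top-level "overrides" object; pnpm reads "pnpm" -> "overrides".
    Returns a new dict so the caller's package.json data is left untouched.
    """
    pkg = json.loads(json.dumps(package_json))  # cheap deep copy
    if manager == "npm":
        pkg.setdefault("overrides", {})[name] = version
    elif manager == "pnpm":
        pkg.setdefault("pnpm", {}).setdefault("overrides", {})[name] = version
    else:
        raise ValueError(f"unsupported package manager: {manager}")
    return pkg


# Constructed sample: one moderate finding on esbuild, in the shape of a
# trimmed `npm audit --json` report (assumed structure, not a real report).
SAMPLE_AUDIT = {
    "vulnerabilities": {
        "esbuild": {"name": "esbuild", "severity": "moderate", "isDirect": False},
    },
    "metadata": {"vulnerabilities": {"moderate": 1}},
}

if __name__ == "__main__":
    print("default audit blocks:", audit_blocks(SAMPLE_AUDIT))          # True
    print("--audit-level high blocks:", audit_blocks(SAMPLE_AUDIT, "high"))  # False
    print(json.dumps(add_override({"name": "app"}, "esbuild", "0.25.0"), indent=2))
```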

@privatenumber
Owner

Closed via #698
