
fix: upgrade esbuild to ~0.25.0 to address vuln report #698

Merged
merged 1 commit into from
Feb 19, 2025

Conversation

RobinTail
Contributor

@RobinTail RobinTail commented Feb 11, 2025

Fixes GHSA-67mh-4wv8-2f99

https://github.com/evanw/esbuild/releases/tag/v0.25.0

I ran the tests manually and they succeeded.

@RobinTail
Contributor Author

@privatenumber , please review

@luhn luhn mentioned this pull request Feb 12, 2025
@nwalters512
Contributor

nwalters512 commented Feb 12, 2025

While I do want tsx to upgrade esbuild so that I can avoid duplicates in my own dependency tree, it's worth noting that tsx isn't impacted by the vulnerability reported in esbuild. tsx only uses esbuild's transformation API; it doesn't use the development server.

@LukeNotable

How about specifying a broader range like >= 0.22.0 < 0.26.0 to support the latest without requiring everyone to upgrade through potentially breaking changes (if that's a concern)?

@casewalker

@LukeNotable Sadly, that's kind of out of tsx's hands. Semver breaks down for versions < 1.0.0, and even though it is a little more than 5 years old, esbuild has not yet decided to go from versions 0.y.z to an official released 1.0.0 version yet. Since there are no guarantees pre-1.0.0, tsx cannot trust that there won't be breaking changes even in the next patch version, i.e. 0.25.1. I find that pretty frustrating, so I just left a comment over there asking that esbuild reconsider their versioning strategy.

@tats-u

tats-u commented Feb 13, 2025

Even though it's true that tsx itself isn't affected by this vulnerability, no one can imagine that the culprit that emitted security alerts in projects is tsx.

@tats-u

tats-u commented Feb 13, 2025

@privatenumber Changes in 0.24:

https://github.com/evanw/esbuild/releases/tag/v0.24.0

None of them, or those in 0.25, affect tsx, right?

@shinebayar-g

shinebayar-g commented Feb 13, 2025

tsx cannot trust that there won't be breaking changes even in the next patch version, i.e. 0.25.1.

Small correction. Before 1.0.0, Major = Minor. So patch versions should NOT introduce breaking changes, but minor versions can.

@casewalker

@shinebayar-g No, that's not how SemVer is defined. If you clicked the link I shared before, it says:

Major version zero (0.y.z) is for initial development. Anything MAY change at any time.

It doesn't say breaking changes are restricted to only minor version increases, it says anything may change at any time.

It may be true that some projects treat the Minor and Patch versions in this down-shifted way which you describe, and I agree it is super helpful when they do, but SemVer does not guarantee that.

@shinebayar-g

Fair.

@luhn

luhn commented Feb 14, 2025

tsx cannot trust that there won't be breaking changes even in the next patch version, i.e. 0.25.1

But tsx is already trusting this, it currently depends on esbuild ~0.23.0 which includes 0.23.1 and any possible future patch versions.



@luhn

luhn commented Feb 15, 2025

My point is that tsx is already assuming that patch releases are backwards compatible, so if 0.25.0 passes muster then <0.26 is a valid constraint

@tats-u

tats-u commented Feb 15, 2025

It depends on the packages. However esbuild doesn't seem to contaminate patch updates with breaking changes.
The current content of this PR is the best.

If someone insists that esbuild brings breaking changes even to patch updates, they must paste a link to the changelog of one of the versions other than 0.x.0 that included breaking changes here.

@naile

naile commented Feb 18, 2025

Are there plans to merge this soon? Would be nice to get rid of this from our vulnerability reports.

@privatenumber privatenumber changed the title Upgrading esbuild to ~0.25.0 fix: upgrade esbuild to ~0.25.0 to address vuln report Feb 19, 2025
@privatenumber privatenumber merged commit e04e6c6 into privatenumber:master Feb 19, 2025
3 checks passed
@privatenumber
Owner

This issue is now resolved in v4.19.3.

If you're able to, your sponsorship would be very much appreciated.
