
Update esbuild dependency for vulnerability scanners #17996

Closed
4 tasks done
tzyl opened this issue Sep 2, 2024 · 1 comment

Comments

@tzyl

tzyl commented Sep 2, 2024

Description

Older esbuild versions use versions of Go which flag a number of CVEs on vulnerability scanners.

evanw/esbuild#3802
evanw/esbuild#3853

Vite currently has a dependency on esbuild ^0.21.3:

"esbuild": "^0.21.3",

Suggested solution

Bump dependency on esbuild to latest (^0.23.1) which uses later versions of Go and addresses the CVEs described in the GitHub issues above.

Alternative

No response

Additional context

No response

Validations
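A lockfile inventory is what a vulnerability scanner actually sees, so a useful first check on a report like this is which resolved esbuild versions (top-level and nested) are present and which sit below the ^0.23.1 threshold named above. The script below is an added example, not code from the issue or from the Vite project; the package-lock.json it parses is constructed inline and the `MIN_ESBUILD` threshold is taken from the issue text. Whether a flagged Go CVE is reachable through esbuild as Vite uses it is a separate question from the version inventory.

```python
import json
from typing import Dict, List, Tuple

# Threshold taken from the issue: esbuild ^0.23.1 is built with a newer Go toolchain.
MIN_ESBUILD = (0, 23, 1)

# Constructed sample in the package-lock.json v3 layout; not a real lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"vite": "^5.4.0"}},
        "node_modules/vite": {"version": "5.4.2", "dependencies": {"esbuild": "^0.21.3"}},
        "node_modules/esbuild": {"version": "0.21.5"},
        "node_modules/tsup": {"version": "8.2.0", "dependencies": {"esbuild": "^0.23.0"}},
        "node_modules/tsup/node_modules/esbuild": {"version": "0.23.1"},
    },
})


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '0.21.5' into (0, 21, 5); any pre-release suffix is dropped."""
    core = v.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def find_esbuild(lock_text: str) -> Dict[str, str]:
    """Map every installed esbuild path (top-level or nested) to its resolved version."""
    lock = json.loads(lock_text)
    return {
        path: entry["version"]
        for path, entry in lock.get("packages", {}).items()
        if path.endswith("node_modules/esbuild")
    }


def outdated_esbuild(lock_text: str) -> List[Tuple[str, str]]:
    """Return sorted (path, version) pairs whose resolved esbuild is below MIN_ESBUILD."""
    return sorted(
        (path, ver) for path, ver in find_esbuild(lock_text).items()
        if parse_version(ver) < MIN_ESBUILD
    )


if __name__ == "__main__":
    for path, ver in outdated_esbuild(SAMPLE_LOCK):
        print(f"{path}: esbuild {ver} is below {'.'.join(map(str, MIN_ESBUILD))}")
```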

@bluwy
Member

bluwy commented Sep 2, 2024

We have received many reports of this but this is not a vulnerability in Vite. They only affect esbuild's server, which we don't use. Please update this in the scanner instead.

@bluwy bluwy closed this as not planned Sep 2, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Sep 18, 2024