Security update esbuild & Astro #11149
Conversation
package.json
}, | ||
"overrides": { | ||
"esbuild": "^0.25.0" |
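Review bot: the `"overrides": { "esbuild": "^0.25.0" }` entry applies to every package in the dependency tree, not only to the one it is meant for (`tsm`, per the PR description), so each transitive consumer of esbuild is forced onto the 0.25.x line regardless of what it declares; before merging, confirm that the CI scripts run through tsm still execute against the overridden version, and record why the override exists (a comment in the PR description or next to the entry), because a tree-wide pin is easy to leave behind once the upstream dependency catches up on its own.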
Thanks for looking into this @debiru! This shouldn’t be needed though. Can you explain why you added it?
Oh, sorry, I skipped over the line in the PR comment:
> The `overrides` section is for the `tsm` package.
Do you think this upgrade is necessary? `tsm` is only used to execute a few scripts we have in CI, not run esbuild’s dev server, so I suspect it’s likely harmless to leave in place.
> Do you think this upgrade is necessary? `tsm` is only used to execute a few scripts we have in CI, not run esbuild’s dev server, so I suspect it’s likely harmless to leave in place.
That is certainly true from that perspective.
I ran `pnpm audit` locally and even updated the `tsm` dependency package to avoid the warning, which is why I included the diff.
If you say it is unnecessary, it may be unnecessary. Should I not add this `overrides` section?
Note: The original writing style would no longer result in a version newer than 0.25.0, so this has been corrected in 65d3959.
The result of `pnpm audit`:

| key | value |
|---|---|
| moderate | esbuild enables any website to send any requests to the development server and read the response |
| Package | esbuild |
| Vulnerable versions | <=0.24.2 |
| Patched versions | >=0.25.0 |
| Paths | . > [email protected] > [email protected] |
| More info | GHSA-67mh-4wv8-2f99 |

1 vulnerabilities found
Severity: 1 moderate
`npm audit` isn't perfect because often a vulnerability only exists in a specific scenario, so if you're not using code in that way, the vulnerability doesn't impact you.
If I understood correctly, that seems to be the case here? Just updating Astro would be enough to solve the vulnerable case (running a dev server). It is safe to continue depending on the older, "vulnerable" version of esbuild via `tsm`, because that does not run a dev server, so is not impacted by the vulnerability.
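The comment above turns on the scenario the advisory describes: the esbuild finding only matters when a development server is actually serving responses that pages on any origin can read. As an added illustration (this is not esbuild's code and not the change shipped in 0.25.0), the following Node.js snippet contrasts a permissive dev-server CORS policy with a restricted one and shows which origins can read the response under each. The policy object shapes, the function names and the `http://localhost:4321` origin are assumptions made for this example.

```javascript
// Added example, not esbuild's own code: how a dev server's CORS policy
// decides whether a page on another origin can read its responses.
// The policy shapes, function names and the allowed origin are assumptions.

// Permissive policy: any origin may read responses (the situation the
// advisory quoted on this page describes).
const PERMISSIVE = { allowAnyOrigin: true, allowedOrigins: [] };

// Restricted policy: only explicitly listed origins may read responses.
// The local docs-site origin here is an assumed value for the example.
const RESTRICTED = { allowAnyOrigin: false, allowedOrigins: ["http://localhost:4321"] };

// Return the CORS headers to send for a request whose Origin header is
// `origin` (undefined for same-origin requests). An empty object means
// the browser will refuse to expose the response body to the caller.
function corsHeadersFor(origin, policy) {
  if (policy.allowAnyOrigin) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (origin !== undefined && policy.allowedOrigins.includes(origin)) {
    // Echo the specific origin and mark the response as origin-dependent
    // so shared caches never replay it to a different origin.
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  return {};
}

// True when a page served from `origin` could read the response body
// under `policy` (what the advisory's "read the response" refers to).
function crossOriginReadAllowed(origin, policy) {
  const allowed = corsHeadersFor(origin, policy)["Access-Control-Allow-Origin"];
  return allowed === "*" || (allowed !== undefined && allowed === origin);
}

// Build a Node http request handler that applies `policy` to every
// response. It only uses `req.headers.origin`, `res.writeHead` and
// `res.end`, so it can be exercised with plain objects as well.
function makeHandler(policy) {
  return (req, res) => {
    const cors = corsHeadersFor(req.headers.origin, policy);
    res.writeHead(200, { "Content-Type": "text/plain", ...cors });
    res.end("dev server response\n");
  };
}
```

To serve with the restricted policy, wire the handler into Node's HTTP server: `require("node:http").createServer(makeHandler(RESTRICTED)).listen(8000)`. A page on an unlisted origin can still send requests to it, but without a matching `Access-Control-Allow-Origin` header the browser withholds the response body, which is the half of the advisory text that the restricted policy removes.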
Thank you. I think that is true.
The question that remains is whether it is ok to keep getting warnings when running `pnpm audit`.
If this is deemed not to be a problem, then I will remove the `overrides` section.
... I would remove the `overrides` section, as it seemed to say that there is no problem.
Description (required)
This PR updates esbuild and the packages that depend on esbuild.
Changed to use esbuild 0.25.0
The `overrides` section is for the `tsm` package.
Related issues & labels (optional)