
Vulnerability reported for esbuild #10539


Open
drewB opened this issue Mar 17, 2025 · 2 comments

Comments

@drewB

drewB commented Mar 17, 2025

Reproduction

npm audit returns:

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99

Looks like remix is several versions behind on esbuild, so I'm concerned about just doing a simple override.

System Info

System:
    OS: Windows 11 10.0.26100
    CPU: (16) x64 AMD Ryzen 9 5900HS with Radeon Graphics
    Memory: 1.36 GB / 15.41 GB
  Binaries:
    Node: 20.15.1 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.22 - C:\Program Files\nodejs\yarn.CMD
    npm: 10.8.2 - C:\Program Files\nodejs\npm.CMD
    pnpm: 9.14.4 - C:\Program Files\nodejs\pnpm.CMD
  Browsers:
    Edge: Chromium (133.0.3065.92)
    Internet Explorer: 11.0.26100.1882
  npmPackages:
    @remix-run/dev: ^2.16.0 => 2.16.1
    @remix-run/node: ^2.16.0 => 2.16.1
    @remix-run/react: ^2.16.0 => 2.16.1
    @remix-run/serve: ^2.16.0 => 2.16.1
    vite: ^6.2.0 => 6.2.0

Used Package Manager

npm

Expected Behavior

No vulnerabilities. esbuild is updated to at least 0.25.0 (https://github.com/evanw/esbuild/releases/tag/v0.25.0)

Actual Behavior

Getting

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99

@ngbrown
Contributor

ngbrown commented Mar 21, 2025

It is @remix-run/dev's dependency on "@vanilla-extract/integration": "^6.2.0" that is bringing in the vite v5 that is then bringing in the old version of esbuild. So just @vanilla-extract/integration needs to be updated, but it looks like recent versions have changed their API around.

@ngbrown
Contributor

ngbrown commented Mar 23, 2025

I attempted to resolve this issue by updating to @vanilla-extract/integration@8.0.1, @vanilla-extract/vite-plugin@5.0.1, and adding the new @vanilla-extract/compiler. See branch and changes here:

dev...ngbrown-forks:remix:update-vanilla-extract-dependancy

However, the @vanilla-extract/compiler library will need a simple patch (also at PR vanilla-extract-css/vanilla-extract#1562) to allow the option not to inline small files, and I could only get the tests to pass with an unsatisfying hack around trying to pass relative paths into what now wants absolute paths.

https://github.com/ngbrown-forks/remix/blob/baf180e3f2a6ed7645bc61d7d921e9fccbba41f3/packages/remix-dev/compiler/plugins/vanillaExtract.ts#L51-L53

If someone has a better idea, then this can be the start of your effort.
