[Enhancement] Bump esbuild to v0.25.x #1634
Comments
When vite v6.2.0 is released, dependent libraries and applications in this repo will also need to be updated so as to fully move over to esbuild 0.25.x.
Thanks for reporting, but the vulnerability was a false positive to us. Make sure you fully understand such things before opening next time :) It's about https://esbuild.github.io/api/#serve, while we are not using it. Esbuild is only used to transpile the ts config file to js so that node can load it. Also, vite and webpack's esbuild-loader are also not using this api, so you can see that vite bumped this as bug fixes for certain CSS, rather than releasing a security patch immediately. We will keep the version with Vite to avoid duplicate deps.
Yeah I figured that y'all were not vulnerable to it, but the CVE scanners pick it up regardless, so wanted to just resolve the problem haha. Understood re: waiting for the vite release before updating.
Thanks for reporting!
Description
Esbuild <= v0.25.0 is vulnerable.
See: GHSA-67mh-4wv8-2f99 and https://github.com/evanw/esbuild/releases/tag/v0.25.0
The @vuepress/cli uses v0.24.2.
Reproduction
n/a
Used Package Manager
npm
System Info