Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

chore(deps): update esbuild and vite versions #13323

Merged
merged 4 commits into from
Feb 27, 2025
Merged

chore(deps): update esbuild and vite versions #13323

merged 4 commits into from
Feb 27, 2025

Conversation

ematipico
Copy link
Member

@ematipico ematipico commented Feb 26, 2025
edited
Loading

Changes

Closes #13322

This PR updates various packages to use the latest of, vite and esbuild, which are affected by the recent security advisory of esbuild

Testing

CI should pass

Docs

N/A

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 26, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 61eecbf

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

natemoo-re
natemoo-re approved these changes Feb 26, 2025
View reviewed changes
Copy link
Member

@natemoo-re natemoo-re left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should also update the esbuild version that astro depends on since it's currently throwing an npm audit warning (see GHSA-67mh-4wv8-2f99, doesn't actually apply to us, but is still an annoying warning for users)
https://github.com/withastro/astro/blob/5b6df02c8802bd963b4a466f2785fe0992ab722a/packages/astro/package.json#L144C1-L144C26

@ematipico
Copy link
Member Author

Oh, that's the version I should update... I definitely didn't know that. It explains the issue

@github-actions github-actions bot added pkg: svelte Related to Svelte (scope) pkg: vue Related to Vue (scope) pkg: react Related to React (scope) pkg: preact Related to Preact (scope) pkg: solid Related to Solid (scope) pkg: integration Related to any renderer integration (scope) pkg: astro Related to the core `astro` package (scope) labels Feb 27, 2025
@ematipico ematipico changed the title chore(deps): update our internal version of esbuild chore(deps): update esbuild and vite versions Feb 27, 2025
@ematipico ematipico force-pushed the chore/update-esbuild branch from 68236e9 to fad3e51 Compare February 27, 2025 09:40
@github-actions github-actions bot added the feat: markdown Related to Markdown (scope) label Feb 27, 2025
@ematipico ematipico force-pushed the chore/update-esbuild branch from fad3e51 to 9eeb35c Compare February 27, 2025 09:57
@github-actions github-actions bot removed the feat: markdown Related to Markdown (scope) label Feb 27, 2025
Jisu-Woniu
Jisu-Woniu reviewed Feb 27, 2025
View reviewed changes
Copy link
Contributor

@Jisu-Woniu Jisu-Woniu left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The esbuild's in packages directory are still out of date, aren't they?

@Jisu-Woniu
Copy link
Contributor

Jisu-Woniu commented Feb 27, 2025
edited
Loading

They seem to be reverted with this force-push: https://github.com/withastro/astro/compare/fad3e518b6d23fcf8bef6630ebce1512b0d2a06b..9eeb35c43ec74d446389ed8b920d99f7d1f8c178

@ematipico ematipico merged commit 80926fa into main Feb 27, 2025
15 checks passed
@ematipico ematipico deleted the chore/update-esbuild branch February 27, 2025 10:44
@astrobot-houston astrobot-houston mentioned this pull request Feb 27, 2025
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@Jisu-Woniu Jisu-Woniu Jisu-Woniu left review comments

@ascorbic ascorbic ascorbic approved these changes

@natemoo-re natemoo-re natemoo-re approved these changes

@florian-lefebvre florian-lefebvre florian-lefebvre approved these changes

Assignees
No one assigned
Labels
pkg: astro Related to the core `astro` package (scope) pkg: integration Related to any renderer integration (scope) pkg: preact Related to Preact (scope) pkg: react Related to React (scope) pkg: solid Related to Solid (scope) pkg: svelte Related to Svelte (scope) pkg: vue Related to Vue (scope)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Astro 5.3.1 still uses esbuild 0.24, which has known vulnerability
5 participants
@ematipico @Jisu-Woniu @ascorbic @natemoo-re @florian-lefebvre