
esbuild has a vulnerability #7512


Open · n9 opened this issue Apr 11, 2025 · 1 comment · May be fixed by #7522

Labels: COMMUNITY: good first issue (Good for newcomers); COMMUNITY: PR is welcomed (We think it's a good feature to have but would love for the community to help with the PR for it); COMP: DX (Developer Experience related issue)

Comments

n9 commented Apr 11, 2025

I am trying to set up a Qwik project without vulnerabilities:

$ npm audit

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server
and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install vite@5.4.18, which is outside the stated dependency range
node_modules/esbuild
vite 0.11.0 - 6.1.5
Depends on vulnerable versions of esbuild
node_modules/vite

2 moderate severity vulnerabilities

To address all issues, run:
npm audit fix --force

$ npm audit fix --force

npm warn using --force Recommended protections disabled.
npm warn audit Updating vite to 5.4.18, which is outside your stated dependency range.

changed 1 package, and audited 392 packages in 4s

219 packages are looking for funding
run npm fund for details

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server
and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install vite@6.2.6, which is a breaking change
node_modules/esbuild
vite 0.11.0 - 6.1.5
Depends on vulnerable versions of esbuild
node_modules/vite
@builder.io/qwik >=1.2.16
Depends on vulnerable versions of vite
node_modules/@builder.io/qwik
@builder.io/qwik-city >=1.2.16
Depends on vulnerable versions of vite
node_modules/@builder.io/qwik-city

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

$ npm audit fix --force

npm warn using --force Recommended protections disabled.
npm warn audit Updating vite to 6.2.6, which is a SemVer major change.
npm warn audit Updating @builder.io/qwik-city to 1.2.15, which is a SemVer major change.
npm warn audit Updating @builder.io/qwik to 1.2.15, which is a SemVer major change.

added 59 packages, removed 15 packages, changed 73 packages, and audited 436 packages in 20s

222 packages are looking for funding
run npm fund for details

npm audit report

@builder.io/qwik <1.7.3
Severity: moderate
Qwik has a potential mXSS vulnerability due to improper HTML escaping - GHSA-2rwj-7xq8-4gx4
fix available via npm audit fix --force
Will install @builder.io/[email protected], which is outside the stated dependency range
node_modules/@builder.io/qwik

1 moderate severity vulnerability

To address all issues, run:
npm audit fix --force

$ npm audit fix --force

npm warn using --force Recommended protections disabled.
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @builder.io/[email protected]
npm warn Found: vite@6.2.6
npm warn node_modules/vite
npm warn dev vite@"^6.2.6" from the root project
npm warn 1 more (vite-tsconfig-paths)
npm warn
npm warn Could not resolve dependency:
npm warn peer vite@"^5" from @builder.io/[email protected]
npm warn node_modules/@builder.io/qwik
npm warn dev @builder.io/qwik@"^1.2.15" from the root project
npm warn
npm warn Conflicting peer dependency: [email protected]
npm warn node_modules/vite
npm warn peer vite@"^5" from @builder.io/[email protected]
npm warn node_modules/@builder.io/qwik
npm warn dev @builder.io/qwik@"^1.2.15" from the root project

changed 1 package, and audited 436 packages in 7s

222 packages are looking for funding
run npm fund for details

found 0 vulnerabilities

What is a recommended setup?

wmertens (Member) commented

ok, we'll upgrade esbuild and allow a more recent vite, but I don't understand why it complains about qwik 1.7.3?

wmertens changed the title from "Invurneable setup?" to "esbuild has a vulnerability" on Apr 17, 2025
wmertens added the labels COMMUNITY: good first issue, COMP: DX and COMMUNITY: PR is welcomed on Apr 17, 2025
JerryWu1234 linked a pull request on Apr 17, 2025 that will close this issue
JerryWu1234 self-assigned this on Apr 17, 2025