
fix: [M3-9438] - ESBuild Vulnerability #89

Open: wants to merge 1 commit into base: main

Conversation

bill-akamai

@bill-akamai bill-akamai commented Feb 27, 2025

Description 📝

This PR addresses a security vulnerability in esbuild that allows any website to send requests to the development server and read the response due to default CORS settings. https://github.com/linode/design-language-system/security/dependabot/46

Major Changes 🔄

  • Added resolution in package.json to enforce esbuild 0.25.0+

@bill-akamai bill-akamai self-assigned this Feb 27, 2025
@bill-akamai bill-akamai marked this pull request as ready for review February 27, 2025 23:04
Author

@abailly-akamai would we also want to bump the version of this repo to "version": "4.0.1" to reflect this security fix?

@@ -86,7 +86,8 @@
},
"resolutions": {
"cookie": "^0.7.0",
"nanoid": "^3.3.8"
"nanoid": "^3.3.8",
"esbuild": "^0.25.0"
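Review bot: the `"esbuild": "^0.25.0"` resolution overrides every dependent in the tree, including `@storybook/core`, whose own declared range (`^0.18.0 || ... || ^0.24.0` in the `yarn why` output below) never admits 0.25.0; because esbuild is pre-1.0, a minor bump is a potentially breaking change under caret semantics, so the Storybook build should be verified against the forced version before this merges. Since package.json cannot carry a comment, record the reason for the override in the PR description or changelog so the resolution is dropped once every parent declares `^0.25.0`, and confirm that the regenerated yarn.lock is part of the commit and that `yarn why esbuild` shows no 0.24.x entries after install; otherwise the vulnerable version is still what the dev server runs.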
Collaborator

@bill-akamai Have you gone through the dependency tree before adding a resolution? Usually a resolution is the very last recourse (they are hard to manage and easy to forget) and updating a parent package is preferred when possible. It may or may not blow up the scope, but we ought to explore that option first.

Author
@bill-akamai bill-akamai Feb 28, 2025

@abailly-akamai Understood. Running yarn up on the relevant packages (vite, tsup, storybook) was only partially successful in upgrading their esbuild dependencies to 0.25.0:

bcoloe@dfw-mp0f2 design-language-system % yarn why esbuild
├─ @storybook/core@npm:8.4.7
│  └─ esbuild@npm:0.24.2 (via npm:^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0)
│
├─ @storybook/core@npm:8.4.7 [4ac60]
│  └─ esbuild@npm:0.24.2 (via npm:^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0 || ^0.24.0)
│
├─ tsup@npm:8.4.0
│  └─ esbuild@npm:0.25.0 (via npm:^0.25.0)
│
├─ tsup@npm:8.4.0 [d3936]
│  └─ esbuild@npm:0.25.0 (via npm:^0.25.0)
│
├─ vite@npm:6.1.1
│  └─ esbuild@npm:0.24.2 (via npm:^0.24.2)
│
├─ vite@npm:6.2.0
│  └─ esbuild@npm:0.25.0 (via npm:^0.25.0)
│
├─ vite@npm:6.1.1 [29ffd]
│  └─ esbuild@npm:0.24.2 (via npm:^0.24.2)
│
├─ vite@npm:6.2.0 [d3936]
│  └─ esbuild@npm:0.25.0 (via npm:^0.25.0)
│
└─ vite@npm:6.1.1 [ee5a6]
   └─ esbuild@npm:0.24.2 (via npm:^0.24.2)

So I suppose our options are to:

  1. Use a resolution (admittedly, I don't know how hard it is to manage these if they produce incompatibility issues)
    or
  2. Periodically upgrade parent packages individually until they all use esbuild 0.25.0.

Sounds like option 2 is safer albeit more drawn out. What do you think?
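As an added example (not code from this PR or the design-language-system project), a Node script that applies the reasoning in this thread to `yarn why esbuild` output: it flags dependents still resolving a version below 0.25.0 and checks whether each dependent's declared caret ranges could admit the fix at all, which separates the packages a plain `yarn up` can move from those that need a resolution or a parent-package upgrade. The sample tree is a constructed excerpt, and the caret check covers only the `^x.y.z` ranges the page shows.

```javascript
// Added example (not the PR's code): audit `yarn why esbuild` output for
// dependents still resolving a vulnerable esbuild, and report whether each
// dependent's declared range can even admit the fixed version.
const FIXED = '0.25.0'; // first esbuild release with the dev-server CORS fix
// Constructed excerpt shaped like the `yarn why` tree in the PR discussion.
const SAMPLE = `
├─ @storybook/core@npm:8.4.7
│  └─ esbuild@npm:0.24.2 (via npm:^0.18.0 || ^0.19.0 || ^0.24.0)
│
├─ tsup@npm:8.4.0
│  └─ esbuild@npm:0.25.0 (via npm:^0.25.0)
│
└─ vite@npm:6.1.1 [ee5a6]
   └─ esbuild@npm:0.24.2 (via npm:^0.24.2)
`;
const parseVer = (v) => v.split('.').map(Number);
// Comparator on x.y.z strings: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Does a caret range (^x.y.z) admit v? Below 1.0 the caret only allows patch
// bumps within the same minor, which is why ^0.24.0 excludes 0.25.0.
function caretAdmits(range, v) {
  const base = range.replace(/^\^/, '');
  const [bMaj, bMin] = parseVer(base);
  const [vMaj, vMin] = parseVer(v);
  if (compareVersions(v, base) < 0) return false;
  return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
}
// A line starting with ├─/└─ names a dependent; the indented esbuild line
// under it gives the resolved version and the declared ranges.
function auditYarnWhy(text, fixed = FIXED) {
  const findings = [];
  let parent = null;
  for (const line of text.split('\n')) {
    const top = line.match(/^[├└]─ (\S+)@npm:(\S+)/);
    if (top) { parent = `${top[1]}@${top[2]}`; continue; }
    const dep = line.match(/esbuild@npm:(\d+\.\d+\.\d+) \(via npm:([^)]+)\)/);
    if (!dep || !parent) continue;
    const ranges = dep[2].split('||').map((r) => r.trim());
    findings.push({ parent, resolved: dep[1],
      vulnerable: compareVersions(dep[1], fixed) < 0,
      rangeAdmitsFix: ranges.some((r) => caretAdmits(r, fixed)) });
  }
  return findings;
}
for (const f of auditYarnWhy(SAMPLE)) console.log(f);
```

A dependent reported as vulnerable with `rangeAdmitsFix: false` is one that no `yarn up` can fix until the parent itself publishes a release that accepts 0.25.x.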
