
chore: bump esbuild to 0.25.0 #19389

Merged 6 commits, Feb 20, 2025

Conversation

@btea (Collaborator) commented Feb 9, 2025

Description

close #18974
close #18843

@btea (Collaborator, Author) commented Feb 9, 2025

/ecosystem-ci run

pkg-pr-new bot commented Feb 9, 2025

npm i https://pkg.pr.new/vite@19389

commit: c2ec01e

@vite-ecosystem-ci

📝 Ran ecosystem CI on 6e9bdff: Open

suite       result    latest scheduled
astro       failure   failure
histoire    failure   failure
ladle       failure   failure
nuxt        success   failure
previewjs   failure   failure
redwoodjs   failure   failure
vike        success   failure
vuepress    success   failure
waku        failure   success

analogjs, laravel, marko, quasar, qwik, rakkas, react-router, storybook, sveltekit, unocss, vite-environment-examples, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-swc, vite-plugin-svelte, vite-plugin-vue, vite-setup-catalogue, vitepress, vitest

@btea (Collaborator, Author) commented Feb 9, 2025

astro/nuxt/vike/previewjs/vuepress failed. According to the error message, it is related to nodejs/corepack#612.

@renatodeleao

An extra note that, besides the CSS fix, this version bump is required to fix a security vulnerability on esbuild but apparently includes breaking changes.

@patak-dev (Member)

@renatodeleao that security vulnerability is for the esbuild dev server, which Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

@renatodeleao

@renatodeleao that security vulnerability is for the esbuild dev server, which Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

@patak-dev thanks for clarifying, should have dug into the details more thoroughly instead of skimming through the dependabot alert.

louischan-oursky added a commit to louischan-oursky/authgear-server that referenced this pull request Feb 18, 2025
It is safe to do so because the pending PR does the same thing.
vitejs/vite#19389
vikram42003 added a commit to sahilwep/SCA-WebRTC that referenced this pull request Feb 18, 2025
…rity vulnerability

- MANUALLY OVERRIDE ESBUILD VERSION TO 0.25.0 to ADDRESS SECURITY VULNERABILITIES ON 0.24.2
- I READ THE DISCUSSION DOCS ON GITHUB AND THE CONTRIBUTORS SAID THAT YOU'RE GOOD TO OVERRIDE IT
- LINK - 1) vitejs/vite#19389     2) louischan-oursky/authgear-server@0a9068e
- REMOVE THIS LINE WHEN THEY UPDATE THE PACKAGES
sapphi-red added the "dependencies" label (Pull requests that update a dependency file) Feb 19, 2025
sapphi-red previously approved these changes Feb 19, 2025
@JReinhold

@renatodeleao that security vulnerability is for the esbuild dev server, which Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

@patak-dev npm audit still reports Vite as vulnerable though, blocking many enterprise users that don't allow audit warnings in their CI. I don't know if there's a way to tell the package managers that Vite is in fact not vulnerable, even though it is depending on a vulnerable version of esbuild.

Reproduction:

  1. npm create vite
  2. Choose "Vanilla" and "JavaScript"
  3. cd into the project
  4. npm install
  5. npm audit
  6. See:
npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
  vite  >=0.11.0
  Depends on vulnerable versions of esbuild
  node_modules/vite

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@patak-dev (Member)

This is an issue with automated tools that needs to be resolved. But we are going to release vite 6.2 soon to upgrade esbuild.

@AshishDhama

Are there no plans to back port it to version 5?

RobinTail added a commit to RobinTail/express-zod-api that referenced this pull request Feb 20, 2025
Will be fixed in vite 6.2 by vitejs/vite#19389
@sapphi-red sapphi-red merged commit 73987f2 into vitejs:main Feb 20, 2025
16 checks passed
@sapphi-red (Member) commented Feb 20, 2025

Are there no plans to back port it to version 5?

I think there are no plans. Vite 5 uses esbuild 0.21 and there're multiple breaking changes between 0.21 and 0.25.

@dominikg (Contributor)

If you are confident your project does not use the esbuild dev server (e.g. you only use vite dev) and you use pnpm, you can also add the vulnerability id to the audit ignore list

package.json next to pnpm-lock.yaml

  "pnpm":{
    "auditConfig": {
      "ignoreGhsas": [
        "GHSA-67mh-4wv8-2f99"
      ]
    }
  }
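Several comments above turn on the same point: npm audit flags vite because its declared dependency range on esbuild still admits <=0.24.2, while what matters for a given tree is the esbuild version the lockfile actually resolved (and, for the override commits referenced above, whether every nested copy was pinned). The following is an added, defender-side example, not code from this PR or from Vite: it reads an npm lockfile (lockfileVersion 2/3 "packages" map), finds every installed copy of a package wherever it is nested, and checks each against an advisory's affected range. The lockfile content, the `some-tool` package, and the single-comparator range syntax are constructed assumptions for the example; the advisory id and range are the ones quoted in the npm audit output above.

```javascript
// Added example (not Vite's code): check resolved esbuild versions in an npm lockfile
// against the GHSA range that npm audit reports, instead of relying on the dependency
// range declared by vite. Works on lockfileVersion 2/3 files, which carry a "packages"
// map keyed by node_modules path.

// Constructed lockfile fragment modelled on the npm v3 format; not a real project's file.
const SAMPLE_LOCK = {
  name: "vite-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "vite-project", devDependencies: { vite: "^6.1.0" } },
    "node_modules/vite": { version: "6.1.0", dependencies: { esbuild: "^0.24.2" } },
    "node_modules/esbuild": { version: "0.24.2" },
    // a second, nested copy, as happens when another package pins a different version
    "node_modules/some-tool/node_modules/esbuild": { version: "0.25.0" },
  },
};

// Advisory from the thread; the range is the one shown in the quoted npm audit output.
const ADVISORIES = [
  { id: "GHSA-67mh-4wv8-2f99", name: "esbuild", range: "<=0.24.2", severity: "moderate" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release/build suffix is dropped.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Comparator on parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports a single comparator range, which is what audit reports use here: "<=X", "<X", ">=X", ">X", "X".
function satisfies(version, range) {
  const m = range.trim().match(/^(<=|>=|<|>|=)?\s*([0-9][^\s]*)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || "=", cmp = compareVersions(version, m[2]);
  return { "<=": cmp <= 0, "<": cmp < 0, ">=": cmp >= 0, ">": cmp > 0, "=": cmp === 0 }[op];
}

// Every resolved copy of `name`, top-level or nested under another package's node_modules.
function findInstalled(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project itself
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// One finding per installed copy whose version falls inside an advisory's range.
function auditLockfile(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const inst of findInstalled(lock, adv.name)) {
      if (satisfies(inst.version, adv.range)) {
        findings.push({ id: adv.id, path: inst.path, version: inst.version, severity: adv.severity });
      }
    }
  }
  return findings;
}

// Models the effect of an npm/pnpm `overrides` entry: every copy is pinned to one version.
function applyOverride(lock, name, version) {
  const copy = JSON.parse(JSON.stringify(lock));
  for (const inst of findInstalled(copy, name)) copy.packages[inst.path].version = version;
  return copy;
}

// Read a real lockfile from disk (Node.js only; only called when you pass a path).
function loadLockfile(path) {
  return JSON.parse(require("fs").readFileSync(path, "utf8"));
}

console.log("before override:", auditLockfile(SAMPLE_LOCK, ADVISORIES));
console.log("after override: ", auditLockfile(applyOverride(SAMPLE_LOCK, "esbuild", "0.25.0"), ADVISORIES));
```

Run against a real tree with `auditLockfile(loadLockfile("./package-lock.json"), ADVISORIES)`. A finding means a copy in the affected range is actually installed, which is the case this PR's esbuild bump (or an interim override) removes; an empty result with npm audit still complaining is the "automated tools" situation @patak-dev describes, where the declared range, not the resolved version, is what the tool is matching. The pnpm `ignoreGhsas` setting above suppresses the report; it does not change what this check reads.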

Labels: dependencies (Pull requests that update a dependency file), trigger: preview
Successfully merging this pull request may close these issues:

- vite build produces incorrectly flattened nested CSS
- css && selector is not working properly during build
9 participants