Esbuild 0.21.5 uses binaries which contain known vulnerabilities #12360
Closed
Labels
- P1: chore (Doesn't change code behavior (priority))
Description
Astro Info
| Field | Value |
|---|---|
| Astro | v4.16.8 |
| Node | v20.16.0 |
| System | macOS (arm64) |
| Package Manager | unknown |
| Output | hybrid |
| Adapter | @astrojs/node |
| Integrations | @astrojs/react, @astrojs/starlight, @astrojs/tailwind |
If this issue only occurs in one browser, which browser is a problem?
No response
Describe the Bug
Current astro v4.16.8 uses a version of esbuild which can contain some vulnerabilities. The current version pinned in the build is 0.21.5, aligned with vite.
Version 0.21.5 downloads some prebuilt binaries which, on some architectures (notably Linux), contain some vulnerabilities. In particular:
| Package | Version | CVE | Link |
|---|---|---|---|
| net/http | 1.20.12 | CVE-2023-45289 | https://pkg.go.dev/vuln/GO-2024-2600 |
| net/http | 1.20.12 | CVE-2024-24791 | https://pkg.go.dev/vuln/GO-2024-2963 |
| crypto/x509 | 1.20.12 | CVE-2024-24783 | https://pkg.go.dev/vuln/GO-2024-2598 |
| archive/zip | 1.20.12 | CVE-2024-24789 | https://pkg.go.dev/vuln/GO-2024-2888 |
What's the expected result?
Upgrading to esbuild 0.24 addresses the problem, as the esbuild team has already upgraded the version of Go used to build the binaries.
Moreover, the current version of vite already uses the right version, so this change fits the approach of aligning esbuild to the same version as vite:
```
└─┬ astro@4.16.8
  ├── esbuild@0.24.0
  └─┬ vite@5.4.10
    └── esbuild@0.24.0 deduped
```
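As an added example (not code from this issue, from Astro, or from esbuild), the script below checks the two things a maintainer would verify around this bump: that no esbuild below 0.24.0 survives anywhere in the `npm ls esbuild` tree (nested copies that are not deduped are the usual leftover), and which Go toolchain a prebuilt esbuild binary actually embeds, read from `go version -m`. The `npm ls` trees and the `go version -m` output are constructed samples; the binary path under `node_modules/@esbuild/<platform>/bin/esbuild` and the `go1.22.5` threshold are assumptions, so take the real fixed toolchain versions from the advisories linked in the table above.

```python
"""Verify esbuild versions in a dependency tree and the Go toolchain baked into
the prebuilt esbuild binary. Added example, not part of the Astro/esbuild projects."""
import re
import subprocess
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '0.21.5', 'v4.16.8' or 'go1.20.12' into a comparable tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def esbuild_versions_from_npm_ls(tree: str) -> List[str]:
    """Every esbuild version that appears in `npm ls esbuild` output, deduped entries included."""
    return re.findall(r"\besbuild@(\d+\.\d+\.\d+)", tree)


def outdated_esbuilds(tree: str, minimum: str = "0.24.0") -> List[str]:
    """Distinct esbuild versions in the tree that are below `minimum`, oldest first."""
    floor = parse_version(minimum)
    found = sorted(set(esbuild_versions_from_npm_ls(tree)), key=parse_version)
    return [v for v in found if parse_version(v) < floor]


def go_toolchain_from_version_m(output: str) -> str:
    """From `go version -m <binary>` output, return the embedded toolchain, e.g. 'go1.20.12'.

    The first line has the form '<path>: go1.20.12'; the following tab-indented lines
    list the module path and build settings and are not needed here.
    """
    first = output.splitlines()[0]
    m = re.search(r":\s*(go\d+(?:\.\d+)+)\s*$", first)
    if not m:
        raise ValueError(f"unexpected `go version -m` header: {first!r}")
    return m.group(1)


def binary_toolchain_too_old(output: str, minimum_go: str) -> bool:
    """True when the binary was built with a Go toolchain older than `minimum_go`."""
    return parse_version(go_toolchain_from_version_m(output)) < parse_version(minimum_go)


def inspect_binary(path: str) -> str:
    """Run `go version -m` on a prebuilt esbuild binary (requires a Go toolchain on PATH)."""
    return subprocess.run(["go", "version", "-m", path],
                          capture_output=True, text=True, check=True).stdout


# Constructed samples. BEFORE mirrors the pinned 0.21.5 situation, AFTER the tree in the
# issue, MIXED a hoisted 0.24.0 with a stale nested copy that `npm ls` does not dedupe.
NPM_LS_BEFORE = """my-site@0.0.1 /tmp/my-site
└─┬ astro@4.16.8
  ├── esbuild@0.21.5
  └─┬ vite@5.4.10
    └── esbuild@0.21.5 deduped
"""
NPM_LS_AFTER = """my-site@0.0.1 /tmp/my-site
└─┬ astro@4.16.8
  ├── esbuild@0.24.0
  └─┬ vite@5.4.10
    └── esbuild@0.24.0 deduped
"""
NPM_LS_MIXED = """my-site@0.0.1 /tmp/my-site
├── esbuild@0.24.0
└─┬ astro@4.16.8
  ├── esbuild@0.21.5
  └─┬ vite@5.4.10
    └── esbuild@0.24.0 deduped
"""
# Constructed `go version -m` output for a 0.21.5-era binary; path layout is an assumption.
GO_VERSION_M_SAMPLE = (
    "node_modules/@esbuild/linux-x64/bin/esbuild: go1.20.12\n"
    "\tpath\tgithub.com/evanw/esbuild/cmd/esbuild\n"
    "\tmod\tgithub.com/evanw/esbuild\t(devel)\n"
)
# Assumed threshold for illustration; the real floor comes from the linked Go advisories.
MIN_GO = "go1.22.5"

if __name__ == "__main__":
    for name, tree in (("before", NPM_LS_BEFORE), ("after", NPM_LS_AFTER), ("mixed", NPM_LS_MIXED)):
        print(f"{name}: outdated esbuild versions = {outdated_esbuilds(tree)}")
    toolchain = go_toolchain_from_version_m(GO_VERSION_M_SAMPLE)
    print(f"binary built with {toolchain}; below {MIN_GO}: "
          f"{binary_toolchain_too_old(GO_VERSION_M_SAMPLE, MIN_GO)}")
```

On a real checkout, feed `outdated_esbuilds` the text of `npm ls esbuild --all` and `go_toolchain_from_version_m` the result of `inspect_binary(...)` on the platform package that npm installed; the deduped marker is deliberately ignored so that a stale nested copy is still reported.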
Link to Minimal Reproducible Example
none
Participation
- I am willing to submit a pull request for this issue.