Esbuild version mismatch in npm repository posing security vulnerability #19484
Replies: 1 comment
vite@6.2.0-beta.0 updates to esbuild 0.25. 6.1.1 was released before that PR got merged.
Recently GitHub warned me about this particular security vulnerability in esbuild, where a user was able to perform an attack on the dev server due to a misconfiguration in esbuild versions 0.24:
GHSA-67mh-4wv8-2f99
So I was trying to mitigate the issue, and I found that internally Vite was using 0.24.2.
data:image/s3,"s3://crabby-images/269da/269daf3209f0641d8e8c070cd25cd1626ec21ca7" alt="image"
This was the 6.1.1 release in the npm repository; however, the issue in the repository was closed saying that esbuild had been updated to the latest version.
So I am kind of confused as to why it is 0.24.2 in npm and 0.25 in the code base, but in the 6.1.1 release the esbuild dependency for Vite was the vulnerable version as well.
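An added example, not code from this thread or from the Vite project, showing the check the post is after: walk a package-lock.json (lockfileVersion 2/3 "packages" map) and flag every nested copy of esbuild older than 0.25.0, the release the advisory above names as fixed, then produce the npm `overrides` stanza that forces the fixed range until the direct dependency ships a bump. The lockfile is a constructed sample that mirrors the post (vite@6.1.1 pulling esbuild 0.24.2 under its own node_modules); the 0.25.0 threshold, the function names and the overrides range are assumptions of this example.

```javascript
// Added example (not from the thread or the Vite project). Scans an npm
// lockfile for nested esbuild copies below the fixed release and builds the
// package.json "overrides" entry that pins them. Threshold assumed from the
// advisory cited in the post (fixed in 0.25.0).
const MIN_SAFE_ESBUILD = "0.25.0";

// Minimal semver comparison on MAJOR.MINOR.PATCH; pre-release tags are
// ignored, which is enough for the version strings a lockfile records.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10));
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns every lockfile entry that is an esbuild install (top-level or
// nested under another package's node_modules) with a version below minSafe.
// Lockfile v2/v3 keys "packages" by install path, e.g.
// "node_modules/vite/node_modules/esbuild", which is exactly the nested copy
// that "npm install esbuild@latest" at the top level does not replace.
function findVulnerableEsbuild(lock, minSafe = MIN_SAFE_ESBUILD) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/esbuild")) continue;
    if (compareVersions(entry.version, minSafe) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Builds the package.json "overrides" stanza that makes npm resolve every
// esbuild in the tree (nested ones included) to the fixed range. Returns an
// empty object when nothing needs pinning.
function overridesFor(hits, minSafe = MIN_SAFE_ESBUILD) {
  if (hits.length === 0) return {};
  return { overrides: { esbuild: `>=${minSafe}` } };
}

// Constructed sample lockfile (assumed shape, not a real Vite lockfile):
// the app depends on vite@6.1.1, which resolves its own esbuild 0.24.2 under
// node_modules/vite/node_modules, while a top-level esbuild 0.25.0 also exists.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { vite: "^6.1.1" } },
    "node_modules/vite": { version: "6.1.1", dependencies: { esbuild: "^0.24.2" } },
    "node_modules/vite/node_modules/esbuild": { version: "0.24.2" },
    "node_modules/esbuild": { version: "0.25.0" },
  },
};

const vulnerable = findVulnerableEsbuild(sampleLock);
console.log("vulnerable esbuild copies:", vulnerable);
console.log(JSON.stringify(overridesFor(vulnerable), null, 2));
```

Against a real checkout, `npm ls esbuild` prints the same tree interactively and is the quickest way to see a nested 0.24.x hiding under node_modules/vite. Adding the emitted `overrides` block to package.json and re-running `npm install` rewrites the lockfile so that the nested copy is replaced; the override can be dropped once the direct dependency (Vite here) publishes a release that requires esbuild 0.25.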