Skip to content

Update vulnerable esbuild dependency #746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update vulnerable esbuild dependency #746

wants to merge 1 commit into from

Conversation

nhardy
Copy link
Contributor

@nhardy nhardy commented Feb 18, 2025

Updates esbuild to resolve GHSA-67mh-4wv8-2f99

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 18, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: fb3e223

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@nhardy nhardy force-pushed the chore/update-esbuild branch from 5334b19 to fb3e223 Compare February 18, 2025 23:18
@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Feb 18, 2025

Open in Stackblitz

pnpm add https://pkg.pr.new/@opennextjs/aws@746

commit: fb3e223

conico974
conico974 reviewed Feb 19, 2025
View reviewed changes
Copy link
Contributor

@conico974 conico974 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'd have to run some test on this one and be aware of the implication here.

  • First of all moving to 0.25 means that esbuild may not work for older platform where they dropped support (Windows 8 and before, Macos catalina and before).
  • There was a bunch of breaking change between 0.19 and 0.25
  • Lastly we are not affected by the vulnerabilities, it only affect people using esbuild for serving which is not something we use

@khuezy khuezy mentioned this pull request Mar 17, 2025
Closed
@khuezy khuezy mentioned this pull request May 1, 2025
Open
@khuezy
Copy link
Contributor

khuezy commented May 1, 2025

@nhardy are you using windows 8 or < macOS catalina? There are other people who are blocked b/c of the outdated esbuild.

Due to the breaking changes, this one might be tricky to merge in - eg it'll unblock others but also brick users on incompatible environments.

cc @vicb @conico974

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@conico974 conico974 conico974 left review comments

@vicb vicb vicb approved these changes

@khuezy khuezy khuezy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nhardy @khuezy @vicb @conico974