-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request to update Go dependency to fix security vulnerabilities #3802
Comments
One more application/node_modules/@esbuild/linux-x64/bin/esbuild (gobinary)
|
Does anyone know how to solve it while there's no update? I have a ci/cd that is using TrivyDB, and I can't deploy the application. |
I'll start by saying, you should consider this suggestion only if you're confident you're not really impacted by the vulnerability. By ignoring the CVE you're "accepting" the risk, willfully. Trivy will respect a https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignore |
Note that esbuild's network features are not security sensitive as they are intended to only be used in development, not in production. You're welcome to DoS your own development server if you'd like to, but you're only harming yourself. None of these CVEs are actually relevant for esbuild. This is all just noise and false positives. |
@evanw, by when can we expect these changes to be published to npm? |
I have no specific date, but now that it's in |
I saw the bump related to For better or for worse, TypeScript still builds/tests on Node 14, so I was planning on re-applying that before importing esbuild for our build. Are you planning on using any other new syntax from newer versions of Node now that the engines has bumped to Node v18? I'm hoping not, but I totally understand that there's no guarantee of that anymore. |
The requirement is specifically from the
What exactly is TypeScript using node 14 for? From what I understand, the published code in the
I'm not currently using any newer syntax. The syntax target is actually still locked to node 10. So I think as long as you aren't using WebAssembly, esbuild's API should still work in old versions of node without you needing to shim anything related to |
TypeScript itself still supports running within Node 14, but since our build uses esbuild's API, it would be a little awkward to restructure things like the testing task to build with one version of Node then switch to another for the tests.
Oh, duh, of course, I forgot that we just use the binary, nevermind. Not using the wasm there at all. I'm not sure how I made that mistake! So it's just the syntax, of course. |
Our project is utilising Esbuild. However there is an issue with the Go dependency at the latest Esbuild version of v0.21.5, as it us being flagged out with a number of vulnerabilities. It would be really nice to push the Go dependency version to newer version and resolve this.
This affects the credibility of esbuild, we do not want to use something else but we may have to only for this issue.
List of vulnerabilities for reference -
CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24785, CVE-2024-24789, CVE-2024-24790
The text was updated successfully, but these errors were encountered: