ESbuild and Koa vulnerabilities #1617

@Martinspire

Description

Please provide the environment you discovered this bug in.

When installing the newest version of platform, vite-plugin-angular and vitest-angular there will be an issue with npm audit.

It shows:
esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99

koa 2.0.0 - 2.15.3
Severity: critical
Inefficient Regular Expression Complexity in koa - GHSA-593f-38f6-jp5m
fix available via npm audit fix --force

(as a fix it wants to install analogjs platform 1.4.0 which is not gonna fly well)

For ESBuild the fix is present in version 0.25.0:
https://github.com/evanw/esbuild/releases/tag/v0.25.0

But there are a few breaking changes, so I'm not entirely sure it is safe to upgrade.

Which area/package is the issue in?

platform

Description

Latest

Please provide the exception or error you saw

λ npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
No fix available
node_modules/@angular-devkit/build-angular/node_modules/esbuild
node_modules/@angular/build/node_modules/esbuild
node_modules/esbuild
node_modules/nitropack/node_modules/esbuild
node_modules/vite/node_modules/esbuild
  @analogjs/vite-plugin-nitro  *
  Depends on vulnerable versions of esbuild
  Depends on vulnerable versions of nitropack
  node_modules/@analogjs/vite-plugin-nitro
    @analogjs/platform  *
    Depends on vulnerable versions of @analogjs/vite-plugin-angular
    Depends on vulnerable versions of @analogjs/vite-plugin-nitro
    Depends on vulnerable versions of @nx/angular
    Depends on vulnerable versions of @nx/vite
    Depends on vulnerable versions of nitropack
    Depends on vulnerable versions of vitefu
    node_modules/@analogjs/platform
  @angular-devkit/build-angular  >=12.2.0-next.0
  Depends on vulnerable versions of @angular/build
  Depends on vulnerable versions of @vitejs/plugin-basic-ssl
  Depends on vulnerable versions of esbuild
  node_modules/@angular-devkit/build-angular
    @analogjs/vite-plugin-angular  *
    Depends on vulnerable versions of @angular-devkit/build-angular
    Depends on vulnerable versions of @angular/build
    node_modules/@analogjs/vite-plugin-angular
    @nx/angular  *
    Depends on vulnerable versions of @angular-devkit/build-angular
    Depends on vulnerable versions of @nx/module-federation
    node_modules/@nx/angular
    @storybook/angular  <=0.0.0-pr-30534-sha-e6f5d6b7 || >=6.5.17-alpha.0
    Depends on vulnerable versions of @angular-devkit/build-angular
    Depends on vulnerable versions of @storybook/builder-webpack5
    Depends on vulnerable versions of @storybook/components
    Depends on vulnerable versions of @storybook/core-webpack
    Depends on vulnerable versions of @storybook/manager-api
    Depends on vulnerable versions of @storybook/preview-api
    Depends on vulnerable versions of @storybook/theming
    Depends on vulnerable versions of storybook
    node_modules/@storybook/angular
  @angular/build  *
  Depends on vulnerable versions of @vitejs/plugin-basic-ssl
  Depends on vulnerable versions of esbuild
  Depends on vulnerable versions of vite
  node_modules/@angular/build
  ...
  nitropack  >=0.1.0
  Depends on vulnerable versions of esbuild
  node_modules/nitropack
  vite  >=0.11.0
  Depends on vulnerable versions of esbuild
  node_modules/@angular/build/node_modules/vite
  node_modules/vite
    @nx/vite  *
    Depends on vulnerable versions of vite
    Depends on vulnerable versions of vitest
    node_modules/@nx/vite
    @tailwindcss/vite  *
    Depends on vulnerable versions of vite
    node_modules/@tailwindcss/vite
    @vitejs/plugin-basic-ssl  *
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-basic-ssl
    @vitest/mocker  *
    Depends on vulnerable versions of vite
    node_modules/@vitest/mocker
      @vitest/browser  >=0.29.4
      Depends on vulnerable versions of @vitest/mocker
      Depends on vulnerable versions of vitest
      node_modules/@vitest/browser
        @vitest/coverage-v8  *
        Depends on vulnerable versions of @vitest/browser
        Depends on vulnerable versions of vitest
        node_modules/@vitest/coverage-v8
      vitest  0.0.1 - 0.0.12 || >=0.0.29
      Depends on vulnerable versions of @vitest/browser
      Depends on vulnerable versions of @vitest/mocker
      Depends on vulnerable versions of @vitest/ui
      Depends on vulnerable versions of vite
      Depends on vulnerable versions of vite-node
      node_modules/vitest
        @analogjs/vitest-angular  *
        Depends on vulnerable versions of vitest
        node_modules/@analogjs/vitest-angular
        @vitest/coverage-istanbul  *
        Depends on vulnerable versions of vitest
        node_modules/@vitest/coverage-istanbul
        @vitest/ui  <=0.0.130 || >=0.31.0
        Depends on vulnerable versions of vitest
        node_modules/@vitest/ui
    vite-node  *
    Depends on vulnerable versions of vite
    node_modules/vite-node
    vitefu  *
    Depends on vulnerable versions of vite
    node_modules/vitefu

koa  2.0.0 - 2.15.3
Severity: critical
Inefficient Regular Expression Complexity in koa - https://github.com/advisories/GHSA-593f-38f6-jp5m
fix available via `npm audit fix --force`
Will install @analogjs/platform@1.4.0, which is a breaking change
node_modules/koa
  @module-federation/dts-plugin  *
  Depends on vulnerable versions of koa
  node_modules/@module-federation/dts-plugin
    @module-federation/enhanced  <=0.0.1-rc.0 || >=0.1.2
    Depends on vulnerable versions of @module-federation/dts-plugin
    Depends on vulnerable versions of @module-federation/manifest
    Depends on vulnerable versions of @module-federation/rspack
    node_modules/@module-federation/enhanced
      @module-federation/node  >=2.1.2
      Depends on vulnerable versions of @module-federation/enhanced
      node_modules/@nx/module-federation/node_modules/@module-federation/node
      @nx/module-federation  *
      Depends on vulnerable versions of @module-federation/enhanced
      Depends on vulnerable versions of @module-federation/node
      node_modules/@nx/module-federation
    @module-federation/manifest  <=0.0.0-next-20250218022700 || >=0.1.3
    Depends on vulnerable versions of @module-federation/dts-plugin
    node_modules/@module-federation/manifest
      @module-federation/rspack  *
      Depends on vulnerable versions of @module-federation/dts-plugin
      Depends on vulnerable versions of @module-federation/manifest
      node_modules/@module-federation/rspack

59 vulnerabilities (51 moderate, 8 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Other information

I think the esbuild issue is a bit overrated if you don't serve your stuff in production, but alas.

I would be willing to submit a PR to fix this issue

  • Yes
  • No
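The audit output above reports 59 vulnerabilities, but only two entries (esbuild and koa) carry an advisory of their own; every other entry is flagged because it depends on a vulnerable version. The script below, an added example that is not from this issue or from the Analog project, reduces an `npm audit --json` report to its root advisories, the packages each one pulls in, and whether the offered fix is a breaking one. It assumes the npm 7+ JSON layout (`vulnerabilities`, `via`, `effects`, `fixAvailable`); the sample report is constructed to mirror this issue's findings and is not real npm output.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+); it mirrors the
// issue's two root advisories plus a few of the packages they pull in.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    esbuild: { severity: 'moderate', range: '<=0.24.2', fixAvailable: false, effects: ['vite'],
      via: [{ name: 'esbuild', severity: 'moderate', range: '<=0.24.2',
        title: 'esbuild enables any website to send any requests to the development server and read the response',
        url: 'https://github.com/advisories/GHSA-67mh-4wv8-2f99' }] },
    vite: { severity: 'moderate', range: '>=0.11.0', fixAvailable: false, via: ['esbuild'], effects: ['vitest'] },
    vitest: { severity: 'moderate', range: '>=0.0.29', fixAvailable: false, via: ['vite'], effects: [] },
    koa: { severity: 'critical', range: '2.0.0 - 2.15.3', effects: ['@module-federation/dts-plugin'],
      fixAvailable: { name: '@analogjs/platform', version: '1.4.0', isSemVerMajor: true },
      via: [{ name: 'koa', severity: 'critical', range: '2.0.0 - 2.15.3',
        title: 'Inefficient Regular Expression Complexity in koa',
        url: 'https://github.com/advisories/GHSA-593f-38f6-jp5m' }] },
    '@module-federation/dts-plugin': { severity: 'critical', range: '*', via: ['koa'], effects: [],
      fixAvailable: { name: '@analogjs/platform', version: '1.4.0', isSemVerMajor: true } },
  },
};
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Follow `effects` edges outward from a package; the visited set guards against cycles.
function dependentsOf(name, vulns, seen = new Set()) {
  for (const dep of vulns[name]?.effects ?? []) {
    if (!seen.has(dep)) { seen.add(dep); dependentsOf(dep, vulns, seen); }
  }
  return [...seen].sort();
}
// Render npm's three fixAvailable shapes: false, true, or { name, version, isSemVerMajor }.
function describeFix(fix) {
  if (fix === false) return 'no fix available';
  if (fix === true) return 'npm audit fix';
  return `${fix.isSemVerMajor ? 'BREAKING: ' : ''}npm audit fix --force installs ${fix.name}@${fix.version}`;
}

// Keep only root advisories (entries whose `via` holds an advisory object rather than just
// the name of another vulnerable package) and list what each one drags in, critical first.
function triage(report) {
  const vulns = report.vulnerabilities ?? {};
  return Object.entries(vulns)
    .filter(([, v]) => v.via.some((x) => typeof x === 'object'))
    .map(([name, v]) => ({
      name, severity: v.severity, range: v.range, fix: describeFix(v.fixAvailable),
      advisories: v.via.filter((x) => typeof x === 'object').map((a) => a.url),
      dependents: dependentsOf(name, vulns),
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}
```

To run it against a real project, save `npm audit --json > audit.json` and call `triage(JSON.parse(require('fs').readFileSync('audit.json', 'utf8')))`.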
