Update esbuild to address GHSA-67mh-4wv8-2f99 #7070

Issue body:

It looks like as of v19 netlify-cli pulls in v0.19.11 and v0.21.2 of esbuild, which are both vulnerable to GHSA-67mh-4wv8-2f99. While I would be surprised if this is exploitable, it would still be good to have addressed for security compliance.

Note also it would be good to have all netlify packages using the same version, especially since esbuild is a binary-based package, so having multiple versions of it in the tree is annoying.

Relates a bit to #6731, though in this particular case not using shrinkwrap might not have helped since this is a 0.x version of a build tool, so it would be fair to use
Also, I didn't feel this was a "bug" or a "feature" so I used the "blank issue" option - let me know if in future you'd prefer I open these types of tickets as one of the mentioned types :)

Comments

Thanks for reporting this, @G-Rath! We do see the security alert internally. It looks like we'll need to update some dependencies in some other Netlify repos to be able to address this in Netlify CLI. We'll get this prioritized.

Note that this pinning of dependencies results in hundreds of duplicate packages across your netlify packages... Related: #3941. Quickly check the duplicate packages: https://npmgraph.js.org/?q=netlify-cli

@serhalp any update on this?

IMHO there shouldn't be any pinning, at least for Netlify's own packages. Assuming you guys follow semver, there's no gain from pinning your own packages. It should help with deduplication a bit. Third-party packages are a whole other situation, though, and require making sure you just don't bump major deps blindly across your own packages so that they can be deduplicated when possible.