🚨 [security] [js] Update esbuild 0.14.54 → 0.25.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ esbuild (0.14.54 → 0.25.0) · Repo · Changelog

Security Advisories 🚨

🚨 esbuild enables any website to send any requests to the development server and read the response

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

esbuild/pkg/api/serve_other.go

Line 121 in df815ac

    <tbody>

res.Header().Set("Access-Control-Allow-Origin", "*")

esbuild/pkg/api/serve_other.go

Line 363 in df815ac

    <tbody>

res.Header().Set("Access-Control-Allow-Origin", "*")

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

• Fetching /index.html: normally you have a script tag here
• Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
• Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
• Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

1. Download reproduction.zip
2. Extract it and move to that directory
3. Run npm i
4. Run npm run watch
5. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 37 commits:

• publish 0.25.0 to npm
• fix `hosts` in `plugin-tests.js`
• fix `hosts` in `node-unref-tests.js`
• Merge commit from fork
• fix #4065: bitwise operators can return bigints
• switch case liveness: `default` is always last
• fix #4028: minify live/dead `switch` cases better
• minify: more constant folding for strict equality
• fix #4053: reordering of `.tsx` in `node_modules`
• fix #3692: `0` now picks a random ephemeral port
• fix #4064: label + try + for regression in v0.21.4
• fix #1745, fix #3183: sources are URLs, not paths
• fix #3982: `sourceMappingURL` is a URL, not a path
• populate the output directory in unit tests
• refactor source map verification to use `outfile`
• fix #4041: keep `void x` when minify is off
• fix #4055: direct `eval` stops constant inlining
• fix #4034: emit `/* @__KEY__ */` for string names
• fix #4005: minify bug that removed `&` in `:where`
• fix additional comment on #3877 about `:has(> &)`
• fix #3877, fix #3933: keep `>` in `:has(> a)`
• fix #3997, fix #4038: `&&` should add specificity
• fix #3620, fix #4037: remove wrong `:is()` nesting
• failing tests for various css issues
• css printer: trim some dead code
• separate out CSS browser tests
• release notes for #4056 and #4057
• fix #4056: update go 1.23.1 => 1.23.5 (#4057)
• allow bigint literals as `define` values
• fix #4020: change how `console` API dropping works
• fix #4049: unsupported bigint usage is now allowed
• fix #3643: delete outputs if a watch build fails
• fix #3670: omit legal comment output when empty
• fix #3935: strip the UTF8 BOM
• fix #4018: fix for `async as boolean` edge case
• split off `CHANGELOG-2024.md`
• fix #4018: copy+paste bug for netbsd arm64

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit 66bcd3a and detected 0 issues on this pull request.

View more on Code Climate.

[github-actions]

This PR has been merged into main. The functionality will be available in the next release.

Please check the release guide for more information.