Conversation

@joshhunt (Contributor) commented Feb 11, 2025

Updates esbuild to mitigate the security advisory GHSA-67mh-4wv8-2f99.

It's not clear to me whether esbuild-loader is actually impacted by this, or whether the changes to this are breaking for the loader?

Starting with this release, CORS will now be disabled, and requests will now be denied if the host does not match the one provided to --serve=. The default host is 0.0.0.0, which refers to all of the IP addresses that represent the local machine (e.g. both 127.0.0.1 and 192.168.0.1). If you want to customize anything about esbuild's development server, you can put a proxy in front of esbuild and modify the incoming and/or outgoing requests.

In addition, the serve() API call has been changed to return an array of hosts instead of a single host string. This makes it possible to determine all of the hosts that esbuild's development server will accept.

I don't think this impacts esbuild-loader, as presumably webpack handles the development server rather than esbuild?

@joshhunt (Contributor, Author) commented:

Other breaking changes included in this:

  • v0.24.0 drops support for macOS 10.15 Catalina
  • v0.22.0 omits packages from bundles by default when targeting node, and then v0.23.0 reverted that change
  • v0.22.0 also drops support for Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012

@privatenumber (Owner) commented:

Thanks!

@privatenumber privatenumber merged commit 42ec34f into privatenumber:master Feb 11, 2025
1 check passed
@privatenumber (Owner) commented:

🎉 This PR is included in version 4.3.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

DennisRasey pushed a commit to DennisRasey/forgejo that referenced this pull request Feb 12, 2025
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [esbuild-loader](https://github.com/privatenumber/esbuild-loader) | dependencies | minor | [`4.2.2` -> `4.3.0`](https://renovatebot.com/diffs/npm/esbuild-loader/4.2.2/4.3.0) |

---

### Release Notes

<details>
<summary>privatenumber/esbuild-loader (esbuild-loader)</summary>

### [`v4.3.0`](https://github.com/privatenumber/esbuild-loader/releases/tag/v4.3.0)

[Compare Source](privatenumber/esbuild-loader@v4.2.2...v4.3.0)

##### Features

-   upgrade esbuild to `^0.25` ([#&#8203;382](privatenumber/esbuild-loader#382)) ([42ec34f](privatenumber/esbuild-loader@42ec34f))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 * * *" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6903
Reviewed-by: Gusted <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>