esbuild Vulnerability and Compatibility Issue #846
Comments
See: #746 This doesn't affect opennext, since the vulnerability only applies to If this vulnerability does impact OpenNext, please provide the details so we can address.
While the vulnerability may not directly affect OpenNext's usage of esbuild, the compatibility issue with newer esbuild versions (0.25.x) still exists. The invalid regex pattern (?g)\.(mjs|wasm)$ prevents users from upgrading esbuild globally in their projects. Could you update this pattern to be compatible with newer esbuild versions?
Are you referring to this line? The regex looks valid in the source code, how are you getting the
Thank you for investigating this issue. After further analysis, I believe you're right that this isn't an OpenNext problem. The regex in your source code is
Feel free to close this issue. Thank you for your time and assistance.
If it is a blocker, we can try to merge the PR above in. But I'm not sure if that's been tested yet - we can bump that up in priority if it's an issue for more people. I understand that any vulnerability can make people feel uneasy, but in this scenario it's safe to ignore.
Thank you for your response. I would definitely be interested in having this PR prioritized and merged in. While I understand the security vulnerability doesn't affect production builds, having compatibility with esbuild 0.25.x would simplify our dependency management and align with our security policies that require using the patched version across our projects.
I'll try to take a look at it this weekend. The thing is, updating esbuild is not as straightforward for us as it is for most people.
Thank you for taking the time to look into this issue. I really appreciate your willingness to investigate the esbuild compatibility problem, especially considering the complexity of maintaining support across multiple Next.js versions. Your explanation helps me understand the challenges involved. I look forward to any updates you might have after your weekend investigation. No rush - quality and Thanks again for your help and transparency throughout this process.
@conico974 thanks for working on this issue, could you make any progress so far?
@patlachance Sorry, didn't get the time.
Latest OpenNext version 3.6.2 is using latest
@sommeeeer Thank you for all your effort and yeah everything is looking good now.
I'm encountering a critical security and compatibility issue with OpenNext and esbuild:
Security Vulnerability: OpenNext requires esbuild 0.19.2, which has a known security vulnerability (GHSA-67mh-4wv8-2f99, https://github.com/advisories/GHSA-67mh-4wv8-2f99) allowing any website to send requests to the development server and read responses.
Compatibility Problem: When attempting to follow the suggestion to "update your version of esbuild" to a secure version (0.25.x), OpenNext 3.6.0 fails with the error:
Error: [opennext-edge] "onResolve" filter is not a valid Go regular expression: "(?g)\.(mjs|wasm)$"
Regression Issue: OpenNext 3.5.3 works with esbuild 0.25.x override (though still depends on 0.19.2), but 3.6.0 breaks with the same override.
This creates a no-win situation where we must choose between:
• Using a version with a known security vulnerability
• Breaking our build process
Request: Please update the regex pattern in OpenNext to be compatible with newer esbuild versions, allowing users to secure their build environments while continuing to use OpenNext.
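The error quoted above comes from esbuild handing the plugin's onResolve filter to Go's regexp package, whose RE2 syntax has no (?g) flag. The Go program below is an added example, not code from OpenNext or esbuild: it reproduces the rejection of the reported pattern, then shows the translation a plugin host has to do when it receives a JavaScript RegExp (assumed here to be /\.(mjs|wasm)$/g, since the thread does not quote the source line): keep only the flags RE2 understands and drop JavaScript's g flag, which controls iteration in JS and has no effect on what matches, so dropping it is lossless. The file paths it matches against are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// brokenFilter is the exact pattern from the reported error message, with the
// JavaScript "g" flag wrongly carried over as an RE2 inline flag.
const brokenFilter = `(?g)\.(mjs|wasm)$`

// re2Flags are the inline flags Go's regexp (RE2 syntax) accepts that also
// exist as JavaScript RegExp flags with the same meaning: i (case-insensitive),
// m (multiline anchors), s (dot matches newline). JavaScript's g, y, d, u and v
// flags have no RE2 equivalent and must not be emitted as "(?flag)".
const re2Flags = "ims"

// toGoPattern builds a Go regexp pattern from a JavaScript RegExp's source and
// flags (the two fields a bundler receives from a plugin). Unsupported flags
// are discarded instead of being forwarded into an invalid "(?...)" prefix.
func toGoPattern(source, jsFlags string) string {
	var kept strings.Builder
	for _, f := range jsFlags {
		if strings.ContainsRune(re2Flags, f) {
			kept.WriteRune(f)
		}
	}
	if kept.Len() == 0 {
		return source
	}
	return "(?" + kept.String() + ")" + source
}

// compileFilter validates a filter up front so a bad translation fails with a
// clear error at plugin registration rather than partway through a build.
func compileFilter(pattern string) (*regexp.Regexp, error) {
	return regexp.Compile(pattern)
}

func main() {
	// The pattern as reported: Go rejects the (?g) prefix outright.
	if _, err := compileFilter(brokenFilter); err != nil {
		fmt.Println("rejected:", err)
	}

	// Assumed JavaScript form of the OpenNext filter: /\.(mjs|wasm)$/g.
	fixed := toGoPattern(`\.(mjs|wasm)$`, "g")
	re, err := compileFilter(fixed)
	if err != nil {
		panic(err)
	}
	fmt.Println("translated filter:", fixed)

	// Constructed sample paths an onResolve hook might see.
	for _, p := range []string{"handler.mjs", "lib/vendor/mod.wasm", "page.js"} {
		fmt.Printf("%-22s matches=%v\n", p, re.MatchString(p))
	}
}
```

Running it prints the Go regexp error for the (?g) pattern, then shows that the translated filter matches handler.mjs and lib/vendor/mod.wasm but not page.js, which is the behaviour the original /\.(mjs|wasm)$/g filter intended. The same function keeps an i flag as (?i), so case-insensitive filters still translate correctly.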