Example project - npm vulnerabilities / esbuild
I pulled this example project to start tinkering with tanstack start: Basic + React Query (start-basic-react-query)
But when I run the npm install or try to fix the versions I keep getting these vulnerability warnings. Any solution for this or advice? I've tested updating all of the versions and no change.
Is everyone just ignoring it?
Are the example projects being kept up to date?
18 moderate severity vulnerabilities
npm audit report
esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
No fix available
node_modules/@tanstack/directive-functions-plugin/node_modules/esbuild
node_modules/@tanstack/react-start-plugin/node_modules/esbuild
node_modules/nitropack/node_modules/esbuild
node_modules/vinxi/node_modules/esbuild
5 Replies
xenogeneic-maroon•7mo ago
how did you install? via npm? we use pnpm and it looks like we have 0.25 in our lock file
typical-coralOP•7mo ago
I originally followed the website instructions, but this was after testing different version updates:
npx degit https://github.com/tanstack/router/examples/react/start-basic start-basic-react-query
cd start-basic
npm install
npm run dev
The warnings stayed the same the whole time, with 18 vulnerabilities
If you use pnpm, why do the docs show these instructions?
xenogeneic-maroon•7mo ago
it should work with any package manager. and npm is probably still the most used
i am just saying we use pnpm for developing router/start
did not come across warnings
which might be either because pnpm installs the updated version or does not show the warnings 😄
typical-coralOP•7mo ago
I switched to pnpm and everything seems to work fine. lock file shows the version you said for esbuild
xenogeneic-maroon•7mo ago
there might be a different peer deps / deps resolution happening between pnpm and npm