esbuild 0.24.2 upgrade vulnerabilities
Just installing a new version of tanstack start and I get hit with this audit:
pnpm audit: screenshot
I'm able to fix the warning with "pnpm audit --fix", but all this does is add this to my package.json:
"pnpm": {
  "overrides": {
    "esbuild@<=0.24.2": ">=0.25.0"
  }
}
Is there any way to update the tanstack packages to esbuild 0.25.0 to avoid this? Instead of bypassing the issue like this?

13 Replies
flat-fuchsia•6mo ago
can you provide a PR to bump the packages in the router repo?
compatible-crimsonOP•6mo ago
I barely know what I'm doing here, probably not the best person for this
flat-fuchsia•6mo ago
cc @Sean Cassiere
foreign-sapphire•6mo ago
@Alm did the pnpm install / pnpm dev / pnpm build scripts fail?
foreign-sapphire•6mo ago
If not, I'd rather it be tied to this issue and have it be addressed after devinxi without having to introduce conflicts into the lockfile.
https://github.com/TanStack/router/issues/3776
Root tsconfig.json is used in addition to tsConfigPaths · Issue #37...
Which project does this relate to? Start Describe the bug I'm trying to add TanStack Start to an existing project where the root tsconfig.json declares "target": "ES2023", T...
compatible-crimsonOP•6mo ago
It didn’t fail, just a vulnerability warning
foreign-sapphire•6mo ago
In that case, I think it'd be worth keeping this till devinxi.
This shouldn't affect runtime, since esbuild is only really being used during build/dev.
compatible-crimsonOP•6mo ago
Do you know when the estimated time is expected to move away from devinxi?
foreign-sapphire•6mo ago
Not a specific date. But I'd reckon, less than a couple weeks maybe.
compatible-crimsonOP•6mo ago
@Sean Cassiere Any updates on the shift with devinxi? Is there a good place to see updates for this because I can't seem to find anything other than the announcements channel in discord, which is different.
flat-fuchsia•6mo ago
no we don't have any updates
working on this heads down
I hope for it to be soon done
compatible-crimsonOP•6mo ago
Could I ask, what are you switching to from vinxi for the server side functions / ssr? I'm just really curious about it, thanks for working on this!
flat-fuchsia•6mo ago
it will just be a vite plugin
and be based on h3/nitro (similar to now)