Vulnerability reported for esbuild

[drewB]

Reproduction

npm audit returns:

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99

Looks like remix is several versions behind on esbuild so concerned about just doing a simple override.

System Info

System:
    OS: Windows 11 10.0.26100
    CPU: (16) x64 AMD Ryzen 9 5900HS with Radeon Graphics
    Memory: 1.36 GB / 15.41 GB
  Binaries:
    Node: 20.15.1 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.22 - C:\Program Files\nodejs\yarn.CMD
    npm: 10.8.2 - C:\Program Files\nodejs\npm.CMD
    pnpm: 9.14.4 - C:\Program Files\nodejs\pnpm.CMD
  Browsers:
    Edge: Chromium (133.0.3065.92)
    Internet Explorer: 11.0.26100.1882
  npmPackages:
    @remix-run/dev: ^2.16.0 => 2.16.1
    @remix-run/node: ^2.16.0 => 2.16.1
    @remix-run/react: ^2.16.0 => 2.16.1
    @remix-run/serve: ^2.16.0 => 2.16.1
    vite: ^6.2.0 => 6.2.0

Used Package Manager

npm

Expected Behavior

No vulnerabilities. esbuild is updated to at least 0.25.0 (https://github.com/evanw/esbuild/releases/tag/v0.25.0)

Actual Behavior

Getting

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99

[ngbrown]

It is @remix-run/dev's dependancy on "@vanilla-extract/integration": "^6.2.0", that is bringing in the vite v5 that is then bringing in the old version of esbuild. So just @vanilla-extract/integration needs updated, but it looks like recent versions have changed their API around.

[ngbrown]

I attempted to resolve this issue by updating to @vanilla-extract/[email protected], @vanilla-extract/[email protected], and adding the new @vanilla-extract/compiler. See branch and changes here:

dev...ngbrown-forks:remix:update-vanilla-extract-dependancy

However the @vanilla-extract/compiler library will need a simple patch (also at PR vanilla-extract-css/vanilla-extract#1562) to allow the option not inline small files and I could only get the tests to pass with an unsatisfying hack around trying to pass relative paths into what now wants absolute paths.

https://github.com/ngbrown-forks/remix/blob/baf180e3f2a6ed7645bc61d7d921e9fccbba41f3/packages/remix-dev/compiler/plugins/vanillaExtract.ts#L51-L53

If someone has a better idea, then this can be the start of your effort.

[github-actions]

Thank you for opening this issue, and our apologies we haven't gotten around to it yet!

With the release of React Router v7 we are sun-setting continued development/maintenance on Remix v2. If you have not already upgraded to React Router v7, we recommend you do so. We've tried to make the upgrade process as smooth as possible with our Future Flags. We are now in the process of cleaning up outdated issues and pull requests to improve the overall hygiene of our repositories.

We plan to continue to address 2 types of issues in Remix v2:

• Bugs that pose security concerns
• Bugs that prevent upgrading to React Router v7

If you believe this issue meets one of those criteria, please respond or create a new issue.

For all other issues, ongoing maintenance will be happening in React Router v7, so:

• If this is a bug, please reopen this issue in that repo with a new minimal reproduction against v7
• If this is a feature request, please open a new Proposal Discussion in React Router, and if it gets enough community support it can be considered for implementation

If you have any questions you can always reach out on Discord. Thanks again for providing feedback and helping us make our framework even better!