Update @quasar/app-webpack - esbuild 0.24.2 to 0.25.0

[tinohager]

Please note: A new version of esbuild, v0.25.0, has been released to address a security vulnerability identified in previous versions. The vulnerability, detailed in GitHub Advisory GHSA-67mh-4wv8-2f99, allowed any website to send requests to the esbuild development server and read the responses due to default CORS settings. This issue has been resolved in v0.25.0 by restricting access to the development server.

[yusufkandemir]

app-webpack uses webpack-dev-server, app-vite uses Vite's devserver. app-webpack/app-vite uses esbuild separately only to build separate files like PWA custom service worker, Electron preload script, etc. So, neither of them are affected. But, we will upgrade it regardless, just stating the fact that it's not urgent.

[JamieMcDonnell]

Guys, any idea when this patch will be pushed please @yusufkandemir ? My production build is failing because of this yarn audit security flaw... I've updated quasar in full, but still waiting on "@quasar/app-vite": "2.1.0", to consume the appropriate version of vite. Thanks!

[tinohager]

In my view, it's not just about whether the problem affects Quasar directly. But if I update Quasar and then only get error messages about security vulnerabilities, that doesn't reflect well on the product. And if it makes sense to run an audit at the same time, it makes perfect sense to install the updates promptly. Regardless of whether it affects Quasar directly or not.

[JamieMcDonnell]

Can anyone suggest a workaround for this? I have hacked yarn lock to use esbuild "^0.25.0"but replacing all 0.24.2 references with 0.25.0 results in other build errors. this is a burning issue for me - thanks

[yusufkandemir]

It's not about whether it's affecting Quasar or not, you are effectively safe from the security vulnerability, it's just an illusion of something being bad at this point.

Audit command exists to make you aware of the potential problems. It can't be certain whether you are affected or not. The fact that you are getting something in the audit command doesn't necessarily mean you are in danger. If you are so kind, you can test it and make a PR to make the process go faster, which would be way easier than writing a lot of opinions, same goes for me. Otherwise, this is just a matter of getting annoyed by a command output, not a security concern.

Just to share an alternative "solution", in case you have the audit command in your workflows, pnpm allows ignoring certain CVEs/GHSAs which you know not to be problematic: https://pnpm.io/package_json#pnpmauditconfigignorecves
You might not care about it, or insist on using yarn, or whatever, but just know that is the nature of security problems in a big supply chain.

[JamieMcDonnell]

thanks Yusuf, much appreciated - I will look into moving to pnpm for this project pipeline then.
Kind regards.

[tinohager]

@rstoenescu Thanks for the update

• feat(app-webpack): use latest esbuild (v0.25)
• feat(app-vite): use latest esbuild (v0.25)