
ci: ignore GHSA-67mh-4wv8-2f99 #778

Closed

Conversation

@ppvg (Member) commented Feb 24, 2025

GHSA-67mh-4wv8-2f99 only affects esbuild's own built-in dev server, not vite's dev server which this project uses.

NB: Vite is our only dependency that depends on esbuild:

```
pnpm why -r esbuild
Legend: production dependency, optional only, dev only

/home/ppvg/code/minvws/nl-rdo-manon/docs (PRIVATE)

devDependencies:
@sveltejs/adapter-static 3.0.8
└─┬ @sveltejs/kit 2.17.2 peer
  ├─┬ @sveltejs/vite-plugin-svelte 5.0.3 peer
  │ ├─┬ @sveltejs/vite-plugin-svelte-inspector 4.0.1
  │ │ └─┬ vite 6.1.0 peer
  │ │   └── esbuild 0.24.2
  │ ├─┬ vite 6.1.0 peer
  │ │ └── esbuild 0.24.2
  │ └─┬ vitefu 1.0.5
  │   └─┬ vite 6.1.0 peer
  │     └── esbuild 0.24.2
  └─┬ vite 6.1.0 peer
    └── esbuild 0.24.2
@sveltejs/kit 2.17.2
├─┬ @sveltejs/vite-plugin-svelte 5.0.3 peer
│ ├─┬ @sveltejs/vite-plugin-svelte-inspector 4.0.1
│ │ └─┬ vite 6.1.0 peer
│ │   └── esbuild 0.24.2
│ ├─┬ vite 6.1.0 peer
│ │ └── esbuild 0.24.2
│ └─┬ vitefu 1.0.5
│   └─┬ vite 6.1.0 peer
│     └── esbuild 0.24.2
└─┬ vite 6.1.0 peer
  └── esbuild 0.24.2
@sveltejs/vite-plugin-svelte 5.0.3
├─┬ @sveltejs/vite-plugin-svelte-inspector 4.0.1
│ └─┬ vite 6.1.0 peer
│   └── esbuild 0.24.2
├─┬ vite 6.1.0 peer
│ └── esbuild 0.24.2
└─┬ vitefu 1.0.5
  └─┬ vite 6.1.0 peer
    └── esbuild 0.24.2
vite 6.1.0
└── esbuild 0.24.2

/home/ppvg/code/minvws/nl-rdo-manon/examples/vite (PRIVATE)

devDependencies:
vite 6.1.0
└── esbuild 0.24.2
```

...so this PR can be reverted after updating vite to 6.2, which will bump its esbuild dependency to 0.25.

Edit: at the moment the CI job still fails due to a bug in pnpm 9.6. Recent versions of pnpm 9 and pnpm 10 do correctly apply "ignoreGhsas". I've opened a PR to update pnpm: #779.

This vulnerability only affects users of esbuild's own [dev server](https://esbuild.github.io/api/#serve), not
vite's dev server which this project uses.
@ppvg ppvg requested a review from a team as a code owner February 24, 2025 16:50
@ppvg ppvg closed this Feb 25, 2025
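The PR's own diff is not shown on this page. As an added example (not the repository's code), this is the shape of the change the title describes: pnpm reads an `auditConfig.ignoreGhsas` list from the `pnpm` field of the root `package.json`, and `pnpm audit` then skips advisories listed there. Everything except the `pnpm.auditConfig` block is a placeholder; the package name, version and devDependencies are assumptions, not the project's actual manifest.

```json
{
  "name": "placeholder-workspace-root",
  "private": true,
  "version": "0.0.0",
  "devDependencies": {
    "vite": "6.1.0"
  },
  "pnpm": {
    "auditConfig": {
      "ignoreGhsas": [
        "GHSA-67mh-4wv8-2f99"
      ]
    }
  }
}
```

The entry is deliberately scoped to a single advisory rather than lowering `--audit-level`, so every other finding still fails CI. Because the ignore list silently outlives the reason for it, the removal condition from the comment above is the part worth tracking: once `vite` is at 6.2 and `pnpm why -r esbuild` shows `esbuild 0.25.x` on every path, the `ignoreGhsas` entry should be deleted so that a future esbuild advisory with the same identifier class is not masked. Note also that, as the comment states, pnpm 9.6 does not honour this setting; it takes effect only on later pnpm 9 releases and on pnpm 10.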