Esbuild version 0.12.0 marks a subtle yet potentially impactful update compared to its predecessor, version 0.11.23. Both versions maintain the core functionality of esbuild as an exceptionally fast JavaScript bundler and minifier, licensed under the MIT license and hosted on GitHub. While the description and fundamental purpose remain consistent, some differences invite closer inspection for developers seeking optimal performance and the most up-to-date features.
The release date indicates a prompt update, with 0.12.0 arriving just two days after 0.11.23, suggesting a rapid response to identified needs or improvements. Both versions feature the same number of files in their distributions (6). However, the unpacked size differs slightly: version 0.12.0 has an unpacked size of 87979 bytes, just less than version 0.11.23 which has an unpacked size of 87986 bytes. While minor, this detail might indicate optimizations in space. This small decrease, though insignificant, should improve loading and usage performance.
For developers, this suggests that upgrading to 0.12.0 should yield slightly improved performance and efficiency during bundling and minification. These improvements demonstrateesbuild's ongoing commitment to performance. Developers should consider reviewing the changelog to identify specific bug fixes or enhancements that may directly address their workflows or project requirements. This incremental update emphasizes esbuild's dedication to remaining a top choice for JavaScript build tooling by constantly pushing the boundaries of speed and efficiency.
All the vulnerabilities related to the version 0.12.0 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.