Esbuild versions 0.12.5 and 0.12.4 offer developers an exceptionally fast JavaScript bundler and minifier, designed to streamline build processes and improve web performance. Both versions are licensed under the MIT license and are available via npm. While seemingly similar, subtle differences might influence a developer's choice between the two.
A key aspect to consider is the release date. Version 0.12.5 was released on May 28, 2021, a day after version 0.12.4. This suggests that 0.12.5 might contain bug fixes, or minor improvements implemented after the 0.12.4 release.
Both versions have an unpacked size of 89646 bytes and contain 6 files. The core functionality remains consistent: expect lightning-fast bundling and minification of JavaScript code, improving website loading times and overall user experience. Although the description remains identical between versions, developers should consult the changelog for details on specific fixes or enhancements introduced in the newer version. If encountering issues with 0.12.4, upgrading to 0.12.5 could resolve them. Conversely, sticking with the older version might be prudent if stability is paramount and no pressing issues exist and a simple upgrade is not possible for any reason. Always refer to the official esbuild documentation and release notes on GitHub for full insights into the nuances of each version. Especially important is ensuring compatibility with your wider tech stack.
All the vulnerabilities related to the version 0.12.5 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.