Esbuild version 0.15.15 is a minor release over the previous version 0.15.14 of this extremely fast JavaScript and CSS bundler and minifier. Both versions share the same core functionality and licensing under the MIT license, with the source code repository residing on GitHub. The primary difference lies in the version numbers of their dependencies. Each dependency, like esbuild-linux-64, @esbuild/android-arm, and others tailored for specific operating systems and architectures, have been bumped from version 0.15.14 to 0.15.15. This coordinated version update across the board suggests a focus on bug fixes, performance enhancements or compatibility improvements within these platform-specific components.
Developers considering an upgrade from 0.15.14 to 0.15.15 should expect a smooth transition, provided their workflow doesn't heavily rely on undocumented internal behavior. The upgrade would bring under the hood improvements, potentially leading to more stable and performant builds. The unpackedSize has slightly changed from 120692 to 120851, indicating minor code modifications or addition of new build artifacts. Furthermore, a key indicator of production readiness is the release date being 2022-11-21T04:50:11.946Z this means that it is newer than 0.15.14 whose release date is 2022-11-15T04:47:16.017Z. It's always advisable to review the esbuild changelog on GitHub for exhaustive details on the specific changes introduced in 0.15.15 to ensure compatibility and understand the potential benefits for your build pipeline.
All the vulnerabilities related to the version 0.15.15 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.