Esbuild version 0.6.3 and 0.6.2 are both extremely fast JavaScript bundlers and minifiers, licensed under the MIT license and developed by Evan Wallace. They share the same core functionality as indicated by their identical descriptions. Both versions are available through the npm registry and the source code is accessible on GitHub. From a technical standpoint both versions share the same number of files and the same unpacked size.
The key difference between esbuild 0.6.2 and esbuild 0.6.3 lies in their release dates. Version 0.6.3 was released on July 16, 2020, whereas 0.6.2 was released on July 12, 2020. This indicates that version 0.6.3 is a newer release, likely containing bug fixes, performance improvements, or minor feature additions that were not present in version 0.6.2.
For developers choosing between the two, the slight difference in release date is something in favor of choosing the latest version. Esbuild is known for bundling and minifying code, and version 0.6.3 might have introduced changes to make it even faster, or more compliant to ES standards by fixing potential bugs.
While the core description and file sizes remaining consistent suggests the updates were likely focused on refining existing functionalities rather than introducing major new features, developers should opt for version 0.6.3 unless the older version fixes an edge case that the latest does not.
All the vulnerabilities related to the version 0.6.3 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.