Esbuild version 0.8.13, released on November 23, 2020, follows closely on the heels of version 0.8.12, which was released just two days prior on November 21, 2020. Both versions maintain the core promise of esbuild: to provide an extremely fast JavaScript bundler and minifier, licensed under the MIT license and hosted on GitHub.
While the descriptive metadata remains consistent between the two versions, subtle differences emerge in their unpacked sizes. Version 0.8.13 registers a slightly smaller unpacked size of 56336 bytes compared to version 0.8.12's 56341 bytes. This indicates potential optimizations or minor adjustments within the codebase that resulted in a reduction of 5 bytes.
For developers, this difference, while incredibly small, highlights the ongoing commitment to efficiency and optimization within the esbuild project. When choosing between the two versions, most developers will likely see negligible performance differences in the bundling process. The most recent version, 0.8.13, should be favored simply because it usually incorporates any bug fixes or small refinements made since the prior version. Both versions share the same core functionality for fast bundling and minifying of JavaScript, ensuring projects using either version are able to improve their build times.
All the vulnerabilities related to the version 0.8.13 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.