Tsup, a zero-config bundler powered by Rollup and esbuild, released version 1.4.11 shortly after 1.4.10, offering subtle but important improvements for developers. Both versions maintain the core functionality of streamlining the bundling process, providing a fast and efficient solution for modern JavaScript and TypeScript projects. Developers relying on the straightforward configuration and speedy build times that Tsup offers will find value in these refinements.
A key difference lies in the updated dependencies. While both versions share core dependencies like joycon, rollup, and rollup-plugin-esbuild, version 1.4.11 updates rollup-plugin-dts from 1.4.3 to 1.4.4. This update likely includes bug fixes and potential enhancements in generating declaration files, which is significant for TypeScript users wanting to distribute type definitions alongside their JavaScript code. The dist metadata also reveals a slight increase in the unpacked size from 386711 to 388768 bytes reflecting code changes. The minimal file count remains constant. Finally the releaseDate differs by a day from one version to another.
For developers seeking a reliable bundler with minimal configuration, these two versions of Tsup offer compelling choices. The update to rollup-plugin-dts would make version 1.4.11 preferable, especially for libraries exporting TypeScript definitions. Users may prefer version 1.4.10 if no issues were found in that version, but keeping up to date is generally recommended. As with any update, it's good practice to review the changelog and conduct tests to ensure compatibility with existing projects.
All the vulnerabilities related to the version 1.4.11 of the package
tsup DOM Clobbering vulnerability
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.