Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update go 1.22.5 => 1.23.0 #3902

Closed
wants to merge 1 commit into from
Closed

update go 1.22.5 => 1.23.0 #3902

wants to merge 1 commit into from

Conversation

Nemikolh
Copy link

@Nemikolh Nemikolh commented Sep 3, 2024

In version of the go compiler prior to 1.23.0, esbuild-wasm can crash with the following stack trace:

✘ [ERROR] panic: runtime error: slice bounds out of range [:-4294967295]
(while printing "<some module>")

  debug.Stack (runtime/debug/stack.go:24)
  helpers.PrettyPrintedStack (internal/helpers/stack.go:9)
  linker.(*linkerContext).recoverInternalError
(internal/linker/linker.go:7084)
  panic (runtime/panic.go:884)
  js_printer.(*printer).printNonNegativeFloat
(internal/js_printer/js_printer.go:3524)
  js_printer.(*printer).printNumber (internal/js_printer/js_printer.go:522)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3030)
  js_printer.(*binaryExprVisitor).visitRightAndFinish
(internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3231)
  js_printer.(*binaryExprVisitor).visitRightAndFinish
(internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3206)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4782)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printBody (internal/js_printer/js_printer.go:3644)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4530)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printFn (internal/js_printer/js_printer.go:898)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4045)
  js_printer.Print (internal/js_printer/js_printer.go:4888)
  linker.(*linkerContext).generateCodeForFileInChunkJS
(internal/linker/linker.go:4919)
  linker.(*linkerContext).generateChunkJS (internal/linker/linker.go:5546)

This was due to a bug in memchr which was incorrectly treating memory addresses as signed integers.

It's now fixed in Go 1.23.0: golang/go@90c6558

Original issue on the golang repository golang/go#65571

@velll
Copy link

velll commented Sep 10, 2024

Good stuff! This will also fix two supply chain vulnerabilities (fix version 1.22.7)

I'm not qualified to say whether they apply at all to esbuild, but they do get picked up by the vulnerability scanner in our CI

@migmartri
Copy link

Yes please, let's release a patch for this. Thanks!

app/node_modules/@esbuild/linux-arm64/bin/esbuild (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────

@luka-papez
Copy link

If possible, I'd encourage going one step further and updating to 1.23.1 instead of 1.23.0

Doing that would also get rid of CVE-2024-34156 which has been fixed in 1.23.1

In any case, thanks for preparing the patch!

@evanw evanw mentioned this pull request Sep 21, 2024
Closed
2 tasks
@evanw evanw closed this in 11d3196 Sep 21, 2024
@BrewTestBot BrewTestBot mentioned this pull request Sep 22, 2024
Merged
@Nemikolh Nemikolh deleted the joan/update-go-compiler branch September 22, 2024 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Nemikolh @velll @migmartri @luka-papez