-
-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: upgrade esbuild to 0.23 #615
feat: upgrade esbuild to 0.23 #615
Conversation
@SuperchupuDev Are there any major difference between esbuild versions? I mostly found code formatting changes. |
evanw/esbuild#3802 It fixes these vulnerabilities. |
How are those vulnerabilities exposed in tsx? The response from the maintainer in that thread explains how that vulnerability report is a false alarm for esbuild. (Am I missing something?) |
It may not be directly relevant, but many projects rely on automated vulnerability checks and it's a good practice to try to get those vulnerabilities down. But it's also understandable if tsx doesn't want to risk an upgrade for the sake of a number. In our case, we've worked around it by adding this to our
|
Sounds like an issue with your vulnerability checker. Please report the issue to them—there's a pattern of these security tools that leverage FUD to pressure unimpactful work on others. And we're back to the first question: what practical impact does this upgrade have on tsx? |
+1 to updating esbuild and comments in the thread. This specific vulnerability might be irrelevant to tsx, but handling CVE is a must for a lot of companies and a best practice in general. It is common to use something like https://github.com/openvex/vexctl to track identified vulnerabilities and either suppress them with description or track progress for fixes. |
@privatenumber esbuild 0.22.0 comes with some ES2024 features such as the regular expression |
Doesn't it raise any eyebrows for ya'll that no one can explain the practical impact of this work? This is your time being wasted because of some security tool that profits from enterprise clients by blasting CVEs to create FUD. Please don't involve my free open source projects into this. @yegortokmakov Would your company be open to an enterprise sponsorship? I'd be happy to do work for sponsors. @SuperchupuDev I'm not against this PR, but I don't want to set the precedent of making releases without a reason. And it feels especially strange that no one can give a good reason. Are you able to demonstrate how a TS feature currently broken in tsx can be fixed with this upgrade? |
Looks like a matter of principle for you. At the end it's your package and you do what you see fit. |
It's more confusion that people are really trying to pressure strangers online to do free work to scratch their own itch without even scrutinizing the validity of the issue. Anyway, to move forward, all I need is one demonstration of how a bug can be fixed with this change. Not much to ask for, I think. I will be hiding all comments that are not relevant to this. |
@privatenumber here is repro code for something that's supposed to be fixed in esbuild 0.22.0, passes in typescript and fails in current tsx (see microsoft/TypeScript#58624, evanw/esbuild@6475aea) code
export const output: any[] = [];
export async function main() {
const promiseDispose = new Promise<void>(resolve => {
setTimeout(() => {
output.push('y dispose promise body');
resolve();
}, 0);
});
{
await using x = {
async [Symbol.asyncDispose]() {
output.push('x asyncDispose body');
}
};
await using y = {
[Symbol.dispose]() {
output.push('y dispose body');
return promiseDispose;
}
};
}
output.push('body');
await promiseDispose;
return output;
}
export const a = async () => {
const output2 = await main();
const expected = ['y dispose body', 'x asyncDispose body', 'body', 'y dispose promise body'];
if (output2.join(',') !== expected.join(',')) {
throw `fail: ${output}`;
}
console.log('pass');
};
await a(); |
Thanks @SuperchupuDev, I appreciate you demonstrating a real impact of this PR 🙌 Will look into releasing this tomorrow! |
This issue is now resolved in v4.17.0. If you're able to, your sponsorship would be very much appreciated. |
mainly to avoid duplicated dependencies, also bumped pkgroll so that it uses esbuild 0.23.0 as well
closes #606