Security warning: esbuild

[zachbogart]

I'm getting a security warning from Dependabot via esbuild. Looks like Framework uses esbuild and there is a dependency in Framework that may be patched with a recent update.

The latest possible version that can be installed is 0.20.2 because of the following conflicting dependencies:

@observablehq/framework@1.13.2 requires esbuild@^0.20.1
@observablehq/framework@1.13.2 requires esbuild@~0.23.0 via tsx@4.19.2
No patched version available for esbuild
The earliest fixed version is 0.25.0.

Transitive dependency esbuild 0.20.2 is introduced via
@observablehq/framework 1.13.2 esbuild 0.20.2

Could this be updated internally?

Thanks!

[dkrasne]

This is still an issue; in addition, there are new (severe) issues with the node-tar dependency. Here's the results from npm audit (I ran npm update just before doing the audit):

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
No fix available
node_modules/esbuild
  @observablehq/framework  *
  Depends on vulnerable versions of esbuild
  Depends on vulnerable versions of tar
  node_modules/@observablehq/framework

tar  <=7.5.6
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
No fix available
node_modules/tar

3 vulnerabilities (1 moderate, 2 high)

Some issues need review, and may require choosing
a different dependency.

[mbostock]

Fixed in #2049.