Esbuild-loader version update in the admin module

Hi Strapi Community. I was wondering if there are plans for an esbuild-loader update in the admin module (cf. strapi/packages/core/admin/package.json at 28515f333803ef8ef5ccb671171cac96399a4412 · strapi/strapi · GitHub). Our security scanner is providing several hits on Go-related CVEs.

As a side-note I’m not an FE dev so I might get a bunch of things wrong.

I saw on the esbuild website that such should be disregarded due to the backwards-compatible build of esbuild for Go 1.13; that is, however, not the version that is detected by our scanner. I think it’s rather the case that the currently linked version 2.21.0 is fairly old by now.

I was also wondering whether esbuild-loader has to be a runtime dependency or if it could be a build dependency. That would make life easier as well, since we can then just drop it in our images.

Here’s a non-exhaustive list of CVEs. I ordered it by my best guess of applicability:

This topic has been created from a Discord post (1247166527459954690) to give it more visibility.
It will be on Read-Only mode here.