Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities Right after a Fresh Setup #19455

Closed
7 tasks done
Clotho-ex opened this issue Feb 17, 2025 · 5 comments
Closed
7 tasks done

Vulnerabilities Right after a Fresh Setup #19455

Clotho-ex opened this issue Feb 17, 2025 · 5 comments
Labels
pending triage

Comments

@Clotho-ex
Copy link

Clotho-ex commented Feb 17, 2025
edited
Loading

3 Vulnerabilities After Fresh Setup

After running the npm create vite@latest command and then npm install, I'm having 3 moderate severity vulnerabilities. Moreover, when I run npm install tailwindcss @tailwindcss/vite, the vulnerability count goes to 4. A week ago when I started a project, I didn't have any issue. I saw another Issue about this but that person did not give extensive information.

Reproduction

https://github.com/Clotho-ex/note-taking-app.git

Steps to reproduce

  • Create a new file for a new project
  • Run npm create vite@latest
  • Then run npm install

System Info

#

Used Package Manager

npm

Logs

$ npm audit

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/esbuild
vite >=0.11.0
Depends on vulnerable versions of esbuild
node_modules/vite
@vitejs/plugin-react >=2.0.0-alpha.0
Depends on vulnerable versions of vite
node_modules/@vitejs/plugin-react

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Validations
@Clotho-ex
Copy link
Author

I'm stupid I didn't read it thoroughly. Apologies.

@daniel-res
Copy link

@Clotho-ex what did you do to fix this? fix --force ?

@xsjcTony
Copy link

I don't think there's a way to fix it currently. The force fix will break everything

@anricoj1
Copy link

What's the solution to this? Are we chalking this up as "no fix"? I ran in npm install with a brand new vite + react/swc app...I was greeted with this error

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99      
No fix available
node_modules/esbuild
  vite  >=0.11.0
  Depends on vulnerable versions of esbuild
  node_modules/vite
    @vitejs/plugin-react-swc  *
    Depends on vulnerable versions of vite
    node_modules/@vitejs/plugin-react-swc

3 moderate severity vulnerabilities

Some issues need review, and may require choosing   
a different dependency.

@Seb33300
Copy link

The answer is here: #19412

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Seb33300 @xsjcTony @anricoj1 @Clotho-ex @daniel-res