npm audit fix: esbuild enables any website to send any requests to the development server and read the response

[cforce]

I can't get the audit fixed. It seem like esbuild is newest 0.21.5 and vite latets for 5.x. Only vite 6 would be never

 npm audit fix

up to date, audited 392 packages in 5s

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install vite@0.10.3, which is a breaking change
node_modules/vite/node_modules/esbuild
vite 0.11.0 - 6.1.1
Depends on vulnerable versions of esbuild
node_modules/vite
@vitejs/plugin-react >=2.0.0-alpha.0
Depends on vulnerable versions of vite
node_modules/@vitejs/plugin-react

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force
 npm list esbuild

frontend@0.0.0 /mnt/c/git/openai/MIC_DocBot-Backend/app/frontend
├── esbuild@0.25.0
├─┬ frontend@0.0.0 -> ./
│ └── esbuild@0.25.0 deduped
└─┬ vite@5.4.14
└── esbuild@0.21.5

[atkhssn]

** I CANNOT GET RESOLVE IT VIA YARN AND NPM FOR ANGULAR PROJECT **

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@0.1101.2, which is a breaking change
node_modules/@angular-devkit/build-angular/node_modules/esbuild
@angular-devkit/build-angular 12.2.0-next.0 - 19.2.0-next.1
Depends on vulnerable versions of @angular/build
Depends on vulnerable versions of esbuild
node_modules/@angular-devkit/build-angular
@angular/build <=19.2.0-next.1
Depends on vulnerable versions of esbuild
node_modules/@angular-devkit/build-angular/node_modules/@angular/build

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

[atkhssn]

Finally, it's been resolved by manually. Try it process

[cforce]

How exactly die you fix it

[brend8c]

How exactly die you fix it

I solved the problem with esbuild <=0.24.2 as follows:

In "dependencies" I specify that I need version ^0.25.0 for common dependencies.
In "overrides" I force the correct version for all nested dependencies that use esbuild, in case they suddenly install an older version.

I installed in the project, the latest version: npm install esbuild@latest
Then in the package.json file, I added an entry:

"overrides": {
  "esbuild": "^0.25.0"
}

Then deleted node_modules and package-lock.json:
rm -rf node_modules package-lock.json
Reinstalled the dependencies: npm install

It's not necessary, I've updated all dependencies:

Installed the package: npm install -g npm-check-updates

1. npx npm-check-updates -u
2. npm install

[cforce]

I have added

"overrides": {
"esbuild": "^0.25.0"
}

but still it shows 2 left

npm audit fix

up to date, audited 389 packages in 4s

npm audit report

esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - GHSA-67mh-4wv8-2f99
fix available via npm audit fix --force
Will install vite@6.2.0, which is a breaking change
node_modules/esbuild
vite 0.11.0 - 6.1.1
Depends on vulnerable versions of esbuild
node_modules/vite

2 moderate severity vulnerabilities

--
npm list vite

frontend@0.0.0 /mnt/c/git/openai/MIC_DocBot-Backend/app/frontend
├─┬ @vitejs/plugin-react@4.3.4
│ └── vite@5.4.14 deduped
└── vite@5.4.14

npm install vite@latest esbuild@latest

changed 3 packages, and audited 389 packages in 6s

---

fixed the issue