esbuild Vulnerability and Compatibility Issue

[Paulos-se]

I'm encountering a critical security and compatibility issue with OpenNext and esbuild:

1. Security Vulnerability: OpenNext requires esbuild 0.19.2, which has a known security vulnerability ([GHSA-67mh-4wv8-2f99](https://github.com/advisories/GHSA-
   67mh-4wv8-2f99)) allowing any website to send requests to the development server and read responses.

2. Compatibility Problem: When attempting to follow the suggestion to "update your version of esbuild" to a secure version (0.25.x), OpenNext 3.6.0 fails with
   the error:

   Error: [opennext-edge] "onResolve" filter is not a valid Go regular expression: "(?g)\.(mjs|wasm)$"

3. Regression Issue: OpenNext 3.5.3 works with esbuild 0.25.x override (though still depends on 0.19.2), but 3.6.0 breaks with the same override.

This creates a no-win situation where we must choose between:
• Using a version with a known security vulnerability
• Breaking our build process

Request: Please update the regex pattern in OpenNext to be compatible with newer esbuild versions, allowing users to secure their build environments while continuing to use OpenNext.

[khuezy]

See: #746

This doesn't affect opennext, since the vulnerability only applies to esbuild serve/watch. OpenNext only uses esbuild to build the production bundle. If you are using esbuild serve/watch somewhere in your stack, using pnpm should allow you to run 2 different versions for each package.

If this vulnerability does impact OpenNext, please provide the details so we can address.

[Paulos-se]

While the vulnerability may not directly affect OpenNext's usage of esbuild, the compatibility issue with newer esbuild versions (0.25.x) still exists. The invalid regex pattern (?g)\.(mjs|wasm)$ prevents users from upgrading esbuild globally in their projects. Could you update this pattern to be compatible with newer esbuild versions?"

[khuezy]

The invalid regex pattern (?g)\.(mjs|wasm)$

Are you referring to this line?
https://github.com/opennextjs/opennextjs-aws/blob/main/packages/open-next/src/plugins/edge.ts#L62

The regex looks valid in the source code, how are you getting the (?g) in front?

[Paulos-se]

Thank you for investigating this issue. After further analysis, I believe you're right that this isn't an OpenNext problem. The regex in your source code is
indeed correct, and the (?g) flag appearing in the error message seems to be related to how esbuild 0.25.x is processing the pattern rather than an issue with
your code.

[Paulos-se]

Feel free to close this issue. Thank you for your time and assistance.

[khuezy]

If it is a blocker, we can try to merge the PR above in. But I'm not sure if that's been tested yet - we can bump that up in priority if it's an issue for more people.

I understand that any vulnerability can make people feel unease, but in this scenario it's safe to ignore.

[Paulos-se]

Thank you for your response. I would definitely be interested in having this PR prioritized and merged in. While I understand the security vulnerability doesn't affect production builds, having compatibility with esbuild 0.25.x would simplify our dependency management and align with our security policies that require using the patched version across our projects.

[conico974]

I'll try to take a look at it this week-end. The thing is, updating esbuild is not as straightforward for us as it is for most people.
We need to test it, not only against the current versions of Next but against Next 12,13,14 and 15 and make sure that every one of our patch works as expected there.
If you see that i haven't touched it next week, don't hesitate to ping me.

[Paulos-se]

Thank you for taking the time to look into this issue. I really appreciate your willingness to investigate the esbuild compatibility problem, especially considering the complexity of maintaining support across multiple Next.js versions. Your explanation helps me understand the challenges involved.

I look forward to any updates you might have after your weekend investigation. No rush - quality and
stability are more important than speed.

Thanks again for your help and transparency throughout this process.

[patlachance]

@conico974 thanks for working on this issue, could you make any progress so far?

[conico974]

@patlachance Sorry, didn't get the time.
@sommeeeer said he will take a look at it shortly. We'll update you of the progress here

[sommeeeer]

@patlachance @Paulos-se

Latest OpenNext version 3.6.2 is using latest esbuild now. Can you close this issue if everything looks fine on your end?

[Paulos-se]

@sommeeeer Thank you for all your effort and yeah everything is looking good now.