Description
What's Wrong?
@strapi/pack-up@5.1.0 currently depends on vite@5.4.8, which is affected by multiple known vulnerabilities, including:
1. esbuild Vulnerability (GHSA-67mh-4wv8-2f99)
- vite@5.4.8 uses esbuild@0.21.5, which allows arbitrary websites to send requests to the dev server and read responses, due to overly permissive default CORS settings.
- This issue has been fixed in esbuild@0.25.0, which is used by vite@6.2.0 and above.
2. vite Vulnerability (GHSA-vg6x-rcgg-rjx6)
- vite@5.4.8 also has its own critical security issue, allowing Cross-Site WebSocket Hijacking (CSWSH) and code leakage via dev server responses over insecure WebSocket connections.
- This allows a malicious site to steal file paths, code snippets, or trigger plugin behaviors if the dev server is running.
Both vulnerabilities affect users even if the Vite dev server is only running locally (e.g., on localhost), which makes this a high-priority issue for development-time security.
Affected esbuild versions: <= 0.24.2
Affected vite versions: < 6.2.0
Patched esbuild version: >= 0.25.0
Patched vite version: >= 6.2.0
@strapi/pack-up@5.1.0
└─ vite@5.4.8
   └─ esbuild@0.21.5
To Reproduce
This vulnerability was identified during a security scan of our project:
Path: @strapi/pack-up@5.1.0 > vite@5.4.8 > esbuild@0.21.5
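As an added example (not code from this issue or from the Strapi project), the following script checks a package-lock.json (v2/v3 `packages` map) for installed copies of vite and esbuild that fall inside the affected ranges quoted above. The lockfile contents are constructed to mirror the reported dependency path; the dependency specifiers in it are assumptions.

```javascript
// Affected ranges and fixed versions as stated in the report above.
const ADVISORIES = [
  { name: "esbuild", id: "GHSA-67mh-4wv8-2f99", affected: v => cmp(v, "0.24.2") <= 0, fixed: "0.25.0" },
  { name: "vite",    id: "GHSA-vg6x-rcgg-rjx6", affected: v => cmp(v, "6.2.0") < 0,   fixed: "6.2.0" },
];

// Minimal major.minor.patch comparison; pre-release suffixes are ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile key, e.g. "node_modules/vite/node_modules/esbuild" -> "esbuild".
// Scoped names such as "@strapi/pack-up" are preserved.
function nameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? key : key.slice(idx + "node_modules/".length);
}

// One finding per installed copy of an affected package (nested copies included).
function findVulnerable(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key || !meta.version) continue; // "" is the root project entry
    const name = nameFromKey(key);
    for (const adv of ADVISORIES) {
      if (name === adv.name && adv.affected(meta.version)) {
        findings.push({ path: key, name, version: meta.version, advisory: adv.id, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile mirroring the path @strapi/pack-up > vite > esbuild (not a real file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@strapi/pack-up": { version: "5.1.0", dependencies: { vite: "5.4.8" } },
    "node_modules/vite":            { version: "5.4.8", dependencies: { esbuild: "^0.21.3" } },
    "node_modules/esbuild":         { version: "0.21.5" },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means no installed copy is in the affected ranges.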
Expected Behaviour
Downstream users should not inherit vulnerable tooling dependencies, especially in commonly used dev-server environments. By upgrading vite, @strapi/pack-up will ensure:
- Development security hygiene
- Fewer audit issues for consumers
- Compatibility with the latest Vite plugin ecosystem
Recommendation
Please update vite in @strapi/pack-up to version ^6.2.0 or higher, which includes:
- A patched version of esbuild (>= 0.25.0)
- A fix for vite's own CORS/WebSocket/Host header vulnerabilities (GHSA-vg6x-rcgg-rjx6)
Security References
- GHSA-67mh-4wv8-2f99 – esbuild CORS vulnerability
- GHSA-vg6x-rcgg-rjx6 – vite WebSocket & CORS dev server exposure