aelbore / esbuild-jest

A Jest transformer using esbuild
519 stars 51 forks

decode-uri-component - high vulnerability #89

Open gustawdaniel opened 1 year ago

gustawdaniel commented 1 year ago

There are many open issues for dependencies, e.g. this one:

https://github.com/aelbore/esbuild-jest/pull/81

npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > micromatch > braces > snapdragon >                  │
│               │ source-map-resolve > decode-uri-component                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > anymatch > micromatch > braces > snapdragon >       │
│               │ source-map-resolve > decode-uri-component                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > anymatch > micromatch > extglob > expand-brackets > │
│               │ snapdragon > source-map-resolve > decode-uri-component       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@aelbore can you merge them and publish a new release? Can I help you with this?
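The audit tables above show the dependency chains through which esbuild-jest pulls in the vulnerable decode-uri-component. The script below is an added example, not code from this issue or from the esbuild-jest project: it reproduces that "Path" view from a package-lock.json (lockfileVersion 2/3 "packages" map) by walking the graph from the root, applying npm's nearest-enclosing node_modules resolution rule, and flagging every chain whose resolved copy of the target package is below the patched version (0.2.1, per the advisory). The lockfile embedded in it is constructed for the example and its version numbers are illustrative; the version comparison is a deliberately minimal x.y.z compare with no prerelease handling, and the function names (versionAtLeast, resolveDep, findPaths, report) are this example's own.

```javascript
// Added example (not esbuild-jest code): list every dependency chain in a
// package-lock.json that reaches a given package, and flag the chains whose
// resolved copy is below the patched version. Mirrors the "Path" rows that
// `npm audit` prints for a transitive advisory.

// Minimal "a >= b" for plain x.y.z versions (assumption: no prerelease tags).
function versionAtLeast(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// npm nesting rule: a dependency required from package `from` resolves to the
// nearest enclosing node_modules/<name>, walking up towards the root ("").
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional or peer dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package. Returns one record per distinct chain
// ending at `target`; `chain` doubles as the cycle guard for the current path.
function findPaths(lock, target, patched) {
  const packages = lock.packages;
  const results = [];
  function walk(key, chain) {
    const pkg = packages[key];
    // devDependencies only matter at the root; installed packages list only deps.
    const deps = Object.assign({}, pkg.dependencies, key === "" ? pkg.devDependencies : {});
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, key, name);
      if (!next || chain.includes(next)) continue;
      const nextChain = chain.concat(next);
      if (name === target) {
        const version = packages[next].version;
        results.push({
          // "node_modules/a/node_modules/@s/b" -> "@s/b"
          path: nextChain.map((k) => k.slice(k.lastIndexOf("node_modules/") + "node_modules/".length)),
          version,
          vulnerable: !versionAtLeast(version, patched),
          dev: Boolean(packages[nextChain[0]].dev), // lockfile marks dev-only trees
        });
      } else {
        walk(next, nextChain);
      }
    }
  }
  walk("", []);
  return results;
}

// Only the chains whose resolved copy is still below the patched version.
function report(lock, target, patched) {
  return findPaths(lock, target, patched).filter((r) => r.vulnerable);
}

// Constructed lockfile for the example (version numbers are illustrative).
// The esbuild-jest chain resolves to a hoisted, unpatched copy at the root;
// query-string carries its own nested, patched copy.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "query-string": "^7.0.0" }, devDependencies: { "esbuild-jest": "^0.5.0" } },
    "node_modules/esbuild-jest": { version: "0.5.0", dev: true, dependencies: { "babel-jest": "^26.0.0" } },
    "node_modules/babel-jest": { version: "26.6.3", dev: true, dependencies: { "@jest/transform": "^26.6.2" } },
    "node_modules/@jest/transform": { version: "26.6.2", dev: true, dependencies: { "jest-haste-map": "^26.6.2" } },
    "node_modules/jest-haste-map": { version: "26.6.2", dev: true, dependencies: { sane: "^4.0.3" } },
    "node_modules/sane": { version: "4.1.0", dev: true, dependencies: { micromatch: "^3.1.4" } },
    "node_modules/micromatch": { version: "3.1.10", dev: true, dependencies: { braces: "^2.3.1" } },
    "node_modules/braces": { version: "2.3.2", dev: true, dependencies: { snapdragon: "^0.8.1" } },
    "node_modules/snapdragon": { version: "0.8.2", dev: true, dependencies: { "source-map-resolve": "^0.5.0" } },
    "node_modules/source-map-resolve": { version: "0.5.3", dev: true, dependencies: { "decode-uri-component": "^0.2.0" } },
    "node_modules/decode-uri-component": { version: "0.2.0", dev: true },
    "node_modules/query-string": { version: "7.1.1", dependencies: { "decode-uri-component": "^0.2.2" } },
    "node_modules/query-string/node_modules/decode-uri-component": { version: "0.2.2" },
  },
};

for (const h of report(CONSTRUCTED_LOCK, "decode-uri-component", "0.2.1")) {
  console.log(`${h.version} via ${h.path.join(" > ")}${h.dev ? " [dev]" : ""}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to report in place of CONSTRUCTED_LOCK. Note that findPaths still lists the query-string chain, which resolves to the patched nested copy, while report drops it: a hoisted old copy keeps an advisory open for every consumer that resolves to it, which is why bumping one direct dependency does not necessarily clear the finding.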

gustawdaniel commented 1 year ago

I am rather sad writing this, because I have recommended this library many times, but now, to fix this vulnerability, I have removed this library from my project.

npm remove esbuild-jest

replaced it with esbuild-jest-transform

npm install -D esbuild esbuild-jest-transform

then

removed all imports from @jest/globals, e.g.:

import {describe, expect, it} from '@jest/globals';

finally, in jest.config.js, changed

    transform: {
        '^.+\\.(ts|tsx)$': 'esbuild-jest'
    },

to

    transform: {
        '^.+\\.(ts|tsx)$': 'esbuild-jest-transform'
    },

I can confirm that the migration was successful, without complications. You can read more about the differences between esbuild-jest and esbuild-jest-transform in this issue:

https://github.com/AkifumiSato/esbuild-jest-transform/issues/8