evanw / esbuild

An extremely fast bundler for the web
https://esbuild.github.io/
MIT License

update go 1.22.5 => 1.23.0 #3902

Closed Nemikolh closed 2 months ago

Nemikolh commented 2 months ago

In versions of the Go compiler prior to 1.23.0, esbuild-wasm can crash with the following stack trace:

✘ [ERROR] panic: runtime error: slice bounds out of range [:-4294967295] (while printing "<some module>")

  debug.Stack (runtime/debug/stack.go:24)
  helpers.PrettyPrintedStack (internal/helpers/stack.go:9)
  linker.(*linkerContext).recoverInternalError (internal/linker/linker.go:7084)
  panic (runtime/panic.go:884)
  js_printer.(*printer).printNonNegativeFloat (internal/js_printer/js_printer.go:3524)
  js_printer.(*printer).printNumber (internal/js_printer/js_printer.go:522)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3030)
  js_printer.(*binaryExprVisitor).visitRightAndFinish (internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3231)
  js_printer.(*binaryExprVisitor).visitRightAndFinish (internal/js_printer/js_printer.go:3381)
  js_printer.(*printer).printExpr (internal/js_printer/js_printer.go:3206)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4782)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printBody (internal/js_printer/js_printer.go:3644)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4530)
  js_printer.(*printer).printBlock (internal/js_printer/js_printer.go:3662)
  js_printer.(*printer).printFn (internal/js_printer/js_printer.go:898)
  js_printer.(*printer).printStmt (internal/js_printer/js_printer.go:4045)
  js_printer.Print (internal/js_printer/js_printer.go:4888)
  linker.(*linkerContext).generateCodeForFileInChunkJS (internal/linker/linker.go:4919)
  linker.(*linkerContext).generateChunkJS (internal/linker/linker.go:5546)

This was due to a bug in memchr which was incorrectly treating memory addresses as signed integers.

It's now fixed in Go 1.23.0: https://github.com/golang/go/commit/90c6558b6acef5a9b9fb8f3c35cff58423c8b00e

Original issue on the golang repository https://github.com/golang/go/issues/65571

velll commented 2 months ago

Good stuff! This will also fix two supply chain vulnerabilities (fix version 1.22.7)

I'm not qualified to say whether they apply at all to esbuild, but they do get picked up by the vulnerability scanner in our CI

migmartri commented 2 months ago

Yes please, let's release a patch for this. Thanks!

app/node_modules/@esbuild/linux-arm64/bin/esbuild (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

luka-papez commented 2 months ago

If possible, I'd encourage going one step further and updating to 1.23.1 instead of 1.23.0

Doing that would also get rid of CVE-2024-34156 which has been fixed in 1.23.1

In any case, thanks for preparing the patch!
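
Added example (not from the esbuild project or any commenter in this thread): a branch-aware check of a Go toolchain version against a scanner's "Fixed Version" cell. With the fixed versions listed in the scan report above (1.22.7, 1.23.1), it shows that a binary built with 1.23.0 still counts as affected while one built with 1.23.1 does not. It assumes each listed fix belongs to one release branch; `parseGo` and `Affected` are hypothetical names, and the installed version is what `go version <binary>` reports.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseGo turns "go1.22.5" or "1.23.1" into a release branch (major*1000+minor) and a patch level.
func parseGo(v string) (branch, patch int, err error) {
	var n [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".", 3) {
		if n[i], err = strconv.Atoi(p); err != nil {
			return 0, 0, fmt.Errorf("unrecognised Go version %q", v)
		}
	}
	return n[0]*1000 + n[1], n[2], nil
}

// Affected reports whether installed is still vulnerable, given a "Fixed Version"
// list such as "1.22.7, 1.23.1" (assumption: one entry per release branch).
func Affected(installed, fixedList string) (bool, error) {
	branch, patch, err := parseGo(installed)
	if err != nil {
		return false, err
	}
	newest := 0
	for _, f := range strings.Split(fixedList, ",") {
		fb, fp, err := parseGo(f)
		if err != nil {
			return false, err
		}
		if fb == branch {
			return patch < fp, nil // same release branch: compare patch level
		}
		if fb > newest {
			newest = fb
		}
	}
	return branch < newest, nil // no fix on this branch: clear only if newer than every fixed branch
}

func main() {
	// Installed version and fixed versions as shown in the scan report above;
	// 1.23.0 and 1.23.1 are the upgrade targets discussed in the thread.
	for _, v := range []string{"go1.22.5", "go1.23.0", "go1.23.1"} {
		hit, err := Affected(v, "1.22.7, 1.23.1")
		fmt.Println(v, "affected:", hit, err)
	}
}
```

A plain "installed >= lowest fixed version" comparison would wrongly clear 1.23.0, which is why the check matches on the release branch first.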