chore: bump esbuild to 0.25.0

[btea]

Description

close #18974
close #18843

[btea]

/ecosystem-ci run

[pkg-pr-new]

Open in Stackblitz

npm i https://pkg.pr.new/vite@19389

commit: c2ec01e

[vite-ecosystem-ci]

📝 Ran ecosystem CI on 6e9bdff: Open

suite	result	latest scheduled
astro	❌ failure	❌ failure
histoire	❌ failure	❌ failure
ladle	❌ failure	❌ failure
nuxt	✅ success	❌ failure
previewjs	❌ failure	❌ failure
redwoodjs	❌ failure	❌ failure
vike	✅ success	❌ failure
vuepress	✅ success	❌ failure
waku	❌ failure	✅ success

✅ analogjs, laravel, marko, quasar, qwik, rakkas, react-router, storybook, sveltekit, unocss, vite-environment-examples, vite-plugin-pwa, vite-plugin-react, vite-plugin-react-swc, vite-plugin-svelte, vite-plugin-vue, vite-setup-catalogue, vitepress, vitest

[btea]

astro/nuxt/vike/previewjs/vuepressfailed. According to the error message, it is related to nodejs/corepack#612.

[renatodeleao]

An extra note that, besides the CSS fix, this version bump is required to fix a security vulnerability on esbuild but apparently includes breaking changes.

• https://github.com/evanw/esbuild/releases/tag/v0.25.0
• GHSA-67mh-4wv8-2f99

[patak-cat]

@renatodeleao that security vulnerability is for esbuild dev server, that Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

• GHSA-vg6x-rcgg-rjx6

[renatodeleao]

@renatodeleao that security vulnerability is for esbuild dev server, that Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

@patak-dev thanks for clarifying, should have dug into details more thoroughly instead skimming through the dependabot alert.

[JReinhold]

@renatodeleao that security vulnerability is for esbuild dev server, that Vite doesn't use. The CVE was reported by @sapphi-red after fixing a similar one on Vite's side:

• GHSA-vg6x-rcgg-rjx6

@patak-dev npm audit still reports Vite as vulnerable though, blocking many enterprise users that don't allow audit warnings in their CI. I don't know if there's a way to tell the package managers that Vite is in fact not vulnerable, even though it is depending on a vulnerable version of esbuild.

Reproduction:

1. npm create vite
2. Choose "Vanilla" and "JavaScript"
3. cd into the project
4. npm install
5. npm audit
6. See:

npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vite@0.10.3, which is a breaking change
node_modules/esbuild
  vite  >=0.11.0
  Depends on vulnerable versions of esbuild
  node_modules/vite

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

[patak-cat]

This in an issue with automated tools that need to be resolved. But we are going to release vite 6.2 soon to upgrade esbuild.

[AshishDhama]

Are there no plans to back port it to version 5?

[sapphi-red]

Are there no plans to back port it to version 5?

I think there are no plans. Vite 5 uses esbuild 0.21 and there're multiple breaking changes between 0.21 and 0.25.

[dominikg]

If you are confident your project does not use the esbuild dev server (eg you only use vite dev) and you use pnpm, you can also add the vulnerability id to the audit ignore list

package.json next to pnpm-lock.yaml

  "pnpm":{
    "auditConfig": {
      "ignoreGhsas": [
        "GHSA-67mh-4wv8-2f99"
      ]
    }
  }