goog-vulnz flags CVE-2024-24790 in esbuild 0.19.7

[paulmarsicloud]

Hello!

Artifact Registry flags CVE-2024-24790 in drizzle-kit usage of esbuild (e.g. /app/node_modules/drizzle-kit/node_modules/@esbuild/linux-x64/bin/esbuild)

Upon closer inspection it seems that per evanw/esbuild#4022 (comment) esbuild 0.24.2 should resolve this one. I'll make an issue and attempt a PR to bump this for ya'll 👍

[AndriiSherman]

Fixed in [email protected]

[anthonyhagi]

It looks like it's not completely resolved. Since there's a reliance on @esbuild-kit/[email protected], npm still installs esbuild@~0.18.20. Is it possible to move away from @esbuild-kit/core-utils or to update it to a newer version? I believe it would solve the issue.

[sterkmi]

It seems the issue is this dependency in drizzle-kit: "@esbuild-kit/esm-loader": "^2.5.5", , This repo is archived and there is the hint that the functionality was merged in tsx:
https://github.com/esbuild-kit/esm-loader?tab=readme-ov-file#%EF%B8%8F-project-moved-repository-unmaintained

This project has been merged with tsx and this repository is no longer maintained.

Use tsx instead: node --loader tsx/esm ./file.ts

esm-loader is used here:

drizzle-orm/drizzle-kit/build.dev.ts

Line 27 in 9e81def

js: `#!/usr/bin/env -S node --loader @esbuild-kit/esm-loader --no-warnings`,