"Known security vulnerabilities detected" but what is esbuild?

[galgier]

Select Topic Area

Question

Body

I regularly get notification emails telling me:

Known security vulnerabilities detected
Dependency esbuild 	Version <= 0.24.2 	Upgrade to ~> 0.25.0

But I have nothing named esbuild in my repos. The notice goes on to mention it is referenced in "package.json". I have no such file.

Is there a fix or should I just turn off notices?

Gary

[davevad93]

Hi @galgier,

esbuild is a bundler that optimize JavaScript, TypeScript, JSX, and CSS code and package.json is a core file for Node.js based projects.

As far as I know Dependabot alerts don't trigger randomly for files that don't exist in a repo, so if you get that warning it means you should have that file (package.json) and the esbuild npm package needs to be updated.

[Dev-LK7]

Galgier

Mesmo que você não tenha esbuild diretamente em seus repositórios, ele pode estar sendo incluído como uma dependência transitiva—ou seja, uma biblioteca que outra dependência usa. Isso explicaria por que você recebe esses avisos.

Aqui estão algumas coisas que você pode fazer para identificar e corrigir isso:

1. Verificar dependências instaladas
   Se você estiver em um projeto Node.js, tente rodar este comando no terminal:

   npm list esbuild --depth=all

   ou, se estiver usando yarn:

   yarn list esbuild

   Isso mostrará se esbuild está sendo usado indiretamente por alguma outra biblioteca.

2. Procurar referências no repositório
   Caso tenha um gerenciador de pacotes como npm ou yarn, tente localizar package.json e package-lock.json ou yarn.lock com:

   grep -i esbuild package*

   Se o arquivo package.json realmente não existir no seu projeto, pode ser que você tenha alguma dependência que está fazendo referência ao esbuild.

3. Atualizar dependências
   Se esbuild estiver listado, tente atualizar suas dependências com:

   npm update

   ou

   yarn upgrade

   Isso pode substituir automaticamente a versão problemática por uma mais segura.

4. Ignorar avisos (caso não seja um problema real)
   Se você confirmar que não há riscos reais para seu projeto, pode configurar seu gerenciador de dependências para ignorar esse aviso. No GitHub, por exemplo, é possível ajustar as notificações de segurança no painel de configurações do repositório.

Faz esse diagnóstico! 🚀🔎
Espero ter ajudado!

[debrafeil42]

This discussion about security vulnerabilities is quite concerning. It reminds me of how important it is to be aware of what you're consuming, whether it's code dependencies or food ingredients. Speaking of ingredients, I recently published a post on my website, Gluten Free Dine (glutenfreedinel.com), about whether farro is gluten-free, as it's a grain some people might not realize contains gluten. It's essential to be informed about potential issues in both the digital and dietary realms.

[galgier]

I looked at my code. There are only 4 files, three basic Python scripts and one HTML file that does the same thing using PyScript (Python in the browser using WebAssembly) . It must be this last one that is the triggering the warnings. It links to PyScript 2024.1.1 which must ultimately be the culprit. I will need to upgrade it to link the latest (and fix anything that breaks) and see if the notifications go away. Yes, this is the problem with linking to code not actually part of the code base. You can be using something that is broken without even realizing it. And you can grep all you want for "esbuild" and not see it because it isn't there.

Thank you all for your insight.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[R41CY]

---

Hey Gary,
Even if you didn’t directly install esbuild, it might be a dependency of a dependency—meaning something else you installed is using it under the hood.

To check, try this:

1. Run npm ls esbuild (in your repo folder, if it’s Node.js).
2. If you don’t have package.json, maybe it's in a subfolder or part of a GitHub Action or workflow file (check .github/workflows/).

Also, if your repo uses GitHub Actions, esbuild might come from an action’s internal package, not yours directly.

You don’t need to turn off notices—just track down where it’s coming from. If it’s not your code, you can ignore it until that upstream dependency updates.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬