Summary
@vanilla-extract/integration@6 pins esbuild to versions ≤0.24.2 and brings in vite ≤6.4.1, both flagged by npm audit with security advisories.
Vulnerabilities
| Package | Advisory | Severity | Fix version |
| --- | --- | --- | --- |
| esbuild ≤0.24.2 | GHSA-67mh-4wv8-2f99 | Moderate | 0.25.0+ |
| vite ≤6.4.1 | (via esbuild dependency) | Moderate | 6.4.2+ |
GHSA-67mh-4wv8-2f99: esbuild's dev server allows any website to send requests to it and read the response. Fixed in esbuild@0.25.0.
Impact
Any project using @remix-run/[email protected] (which pins @vanilla-extract/integration@6) receives these as transitive dependencies with no available fix via npm audit.
Steps to reproduce
npm install @remix-run/dev
npm audit
Expected
@vanilla-extract/integration should upgrade esbuild to >=0.25.0 and vite to >=6.4.2.
Environment
- @vanilla-extract/integration: 6.5.0
- esbuild (nested): 0.21.5
- Node.js: 24
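
Added example, not part of the original issue or of any project's code: a small Node.js check that walks a `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of esbuild or vite below the fix versions in the table above, along with the package it is nested under. The lockfile content and the nested vite version are constructed for illustration; `findFlagged` and `lessThan` are hypothetical helper names.

```javascript
// Fix versions taken from the issue's table.
const FIXED = new Map([["esbuild", "0.25.0"], ["vite", "6.4.2"]]);

// Compare plain x.y.z versions; pre-release tags are ignored (assumption).
function lessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk the "packages" map; keys look like
// "node_modules/<parent>/node_modules/<name>".
function findFlagged(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project
    const parts = path.split("node_modules/").filter(Boolean)
      .map((p) => p.replace(/\/$/, ""));
    const name = parts[parts.length - 1];
    if (FIXED.has(name) && lessThan(meta.version, FIXED.get(name))) {
      const via = parts.slice(0, -1).join(" > ") || "(top level)";
      hits.push({ name, version: meta.version, via, path });
    }
  }
  return hits;
}

// Constructed sample lockfile (not real output from any project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/esbuild": { version: "0.25.0" },
    "node_modules/@vanilla-extract/integration": { version: "6.5.0" },
    "node_modules/@vanilla-extract/integration/node_modules/esbuild": { version: "0.21.5" },
    "node_modules/@vanilla-extract/integration/node_modules/vite": { version: "5.4.0" },
  },
};

console.log(findFlagged(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.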