
[FEATURE]: Dependency to deprecated package `@esbuild-kit/esm-loader`

Open SiNONiMiTY opened this issue 1 year ago • 17 comments

Describe what you want

@esbuild-kit/esm-loader was recently marked as deprecated. It might be a good time to update the dependencies to this library.

SiNONiMiTY avatar Oct 08 '24 01:10 SiNONiMiTY

Agree, just noticed same thing in my project.

jannhama avatar Oct 11 '24 17:10 jannhama

Apologies for the multiple commit messages in the log! I was refining the commit message to make it clearer...

Created a pull request #3498 , which simply moves @esbuild-kit/esm-loader from dependencies to devDependencies, because this package doesn't appear to be used in end-user environments.

Daiius avatar Nov 06 '24 08:11 Daiius

[email protected] depends on @esbuild-kit/core-utils, and core-utils is deprecated too and adds a critical vulnerability to the Dockerfile. It is reported by Docker Scout.

Should you change it to tsx?

npm warn deprecated @esbuild-kit/[email protected]: Merged into tsx: https://tsx.is
npm warn deprecated @esbuild-kit/[email protected]: Merged into tsx: https://tsx.is

BCsabaEngine avatar Nov 16 '24 19:11 BCsabaEngine

+1

arthberman avatar Nov 25 '24 18:11 arthberman

+1

Rick-Phoenix avatar Dec 30 '24 14:12 Rick-Phoenix

+1

gainggs avatar Feb 05 '25 11:02 gainggs

npm audit is now showing vulnerabilities related to drizzle-kit: "depends on vulnerable versions of @esbuild-kit/esm-loader". Would it be possible to prioritize merging PR #3498 so I can resolve the build pipeline blocker? Thank you!

gnowland avatar Feb 26 '25 23:02 gnowland

Hi! We are also using drizzle-kit in our project and would love to have this fixed!

Here's the related npm audit output:

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@esbuild-kit/core-utils/node_modules/esbuild
node_modules/drizzle-kit/node_modules/esbuild
  @esbuild-kit/core-utils  *
  Depends on vulnerable versions of esbuild
  node_modules/@esbuild-kit/core-utils
    @esbuild-kit/esm-loader  *
    Depends on vulnerable versions of @esbuild-kit/core-utils
    node_modules/@esbuild-kit/esm-loader
      drizzle-kit  0.9.1 - 0.9.54 || >=0.12.9
      Depends on vulnerable versions of @esbuild-kit/esm-loader
      Depends on vulnerable versions of esbuild
      node_modules/drizzle-kit

I would prefer not downgrading drizzle-kit to v.0.19.1, as npm audit suggests :)

AnMW avatar Mar 03 '25 15:03 AnMW

Hi! We are also using drizzle-kit in our project and would love to have this fixed!

Here's the related npm audit output:

esbuild  <=0.24.2
Severity: moderate
...
node_modules/drizzle-kit

I would prefer not downgrading drizzle-kit to v.0.19.1, as npm audit suggests :)

Hi @AnMW, I solved that by adding an overrides section to package.json with esbuild set to the newest version for drizzle-kit and also for its sub-dependencies (esm-loader and core-utils):

"overrides": {
    "@esbuild-kit/core-utils": {
      "esbuild": "0.25.0"
    },
    "@esbuild-kit/esm-loader": {
      "esbuild": "0.25.0"
    },
    "drizzle-kit": {
      "esbuild": "0.25.0"
    }
  }

And running `npm i` + `npm update` after that.

gurgelff avatar Mar 06 '25 22:03 gurgelff
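As an added example (not code from the thread or from drizzle-kit), the following Node script checks whether the per-parent override approach above actually took effect: it scans a package-lock.json v3 `packages` map for nested esbuild copies still in the vulnerable range reported by `npm audit` (<= 0.24.2) and derives the `overrides` block for each offending parent. The lockfile and the versions in it are constructed for the example.

```javascript
// Added example: find nested esbuild copies <= 0.24.2 in a package-lock.json
// (lockfile v3 "packages" map) and build the npm "overrides" block for them.

const VULN_MAX = '0.24.2'; // upper bound from the npm audit output in the thread

// Compare two "x.y.z" versions (prerelease tag ignored); returns -1, 0 or 1.
function cmpSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed esbuild with version <= VULN_MAX, plus the package that
// nests it (the segment before the final "node_modules/esbuild").
function findVulnerableEsbuild(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/esbuild')) continue;
    if (cmpSemver(meta.version, VULN_MAX) > 0) continue;
    // 'node_modules/@esbuild-kit/core-utils/node_modules/esbuild'
    //   -> ['@esbuild-kit/core-utils/', 'esbuild']
    const segs = path.split('node_modules/').filter(Boolean);
    const parent = segs.length > 1 ? segs[segs.length - 2].replace(/\/$/, '') : null;
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// npm "overrides" object pinning esbuild under each offending parent (same
// shape as gurgelff's fix); a vulnerable top-level copy gets a bare key.
function buildOverrides(lock, fixedVersion) {
  const overrides = {};
  for (const h of findVulnerableEsbuild(lock)) {
    if (h.parent) overrides[h.parent] = { esbuild: fixedVersion };
    else overrides.esbuild = fixedVersion;
  }
  return overrides;
}

// Constructed sample lockfile mirroring the audit tree posted in the thread.
const sampleLock = { packages: {
  'node_modules/drizzle-kit': { version: '0.0.0-constructed' },
  'node_modules/drizzle-kit/node_modules/esbuild': { version: '0.19.7' },
  'node_modules/@esbuild-kit/core-utils': { version: '0.0.0-constructed' },
  'node_modules/@esbuild-kit/core-utils/node_modules/esbuild': { version: '0.18.20' },
  'node_modules/esbuild': { version: '0.25.0' }, // already patched: no override
}};

console.log(JSON.stringify({ overrides: buildOverrides(sampleLock, '0.25.0') }, null, 2));
```

Run it against a real `package-lock.json` (replace `sampleLock` with `JSON.parse(fs.readFileSync(...))`) before and after `npm i` to confirm no vulnerable copy remains.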

@gurgelff worked for me too. Thanks!

Ruban-EA avatar Mar 07 '25 18:03 Ruban-EA

Is there a fix coming for those dependencies?

ItsTarik avatar Mar 08 '25 23:03 ItsTarik

+1

davidaragundy avatar Mar 22 '25 02:03 davidaragundy

Hi! We are also using drizzle-kit in our project and would love to have this fixed!

Here's the related npm audit output:

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@esbuild-kit/core-utils/node_modules/esbuild
node_modules/drizzle-kit/node_modules/esbuild
  @esbuild-kit/core-utils  *
  Depends on vulnerable versions of esbuild
  node_modules/@esbuild-kit/core-utils
    @esbuild-kit/esm-loader  *
    Depends on vulnerable versions of @esbuild-kit/core-utils
    node_modules/@esbuild-kit/esm-loader
      drizzle-kit  0.9.1 - 0.9.54 || >=0.12.9
      Depends on vulnerable versions of @esbuild-kit/esm-loader
      Depends on vulnerable versions of esbuild
      node_modules/drizzle-kit

I would prefer not downgrading drizzle-kit to v.0.19.1, as npm audit suggests :)

Fix for the moderate warning:

package.json

"overrides": { "esbuild": "0.25.1" }

Ready!!

artiefy avatar Mar 28 '25 06:03 artiefy

Image

today fix error compatibility tsx merge in drizzle-kit

kakita15 avatar Mar 31 '25 06:03 kakita15

Can someone take a look at this?

berkerdemirer avatar Apr 12 '25 19:04 berkerdemirer

A simple way is to remove the @esbuild-kit/esm-loader dependency and use the already-depended-on tsx instead:

https://github.com/drizzle-team/drizzle-orm/blob/9e81def6dbe33e54ef96f5960cf87ec829b7414f/drizzle-kit/build.dev.ts#L27

		js: `#!/usr/bin/env -S node --loader tsx --no-warnings`,

See https://tsx.is/dev-api/node-cli#node-js-cli .

Tiscs avatar Apr 17 '25 10:04 Tiscs

Proposed PR #4430.

kevcube avatar Apr 18 '25 12:04 kevcube

Fix for the moderate warning:

package.json

"overrides": { "esbuild": "0.25.1" }

Adding to @artiefy's fix above, if you're using pnpm you can add this to your package.json file:

  "pnpm": {
    "overrides": {
      "esbuild": "^0.25.0"
    }
  },

sscovil avatar May 30 '25 16:05 sscovil

Fix for the moderate warning:

package.json

"overrides": { "esbuild": "0.25.1" }

Adding to @artiefy's fix above, if you're using pnpm you can add this to your package.json file:

  "pnpm": {
    "overrides": {
      "esbuild": "^0.25.0"
    }
  },

Did not work for me. Possibly because I'm in a monorepo.

npearson72 avatar May 30 '25 20:05 npearson72

  "pnpm": {
    "overrides": {
      "esbuild": "^0.25.0"
    }
  },

Did not work for me. Possibly because I'm in a monorepo.

@npearson72 it looks like that can only be used at the root of a project.

Note that the overrides field can only be set at the root of the project.

Source: https://pnpm.io/9.x/package_json#pnpmoverrides

sscovil avatar May 30 '25 21:05 sscovil

+1

oscar-ospina avatar Jun 10 '25 16:06 oscar-ospina

+1

axeloehrli avatar Jun 21 '25 14:06 axeloehrli

+1

brayden-cog avatar Jun 24 '25 23:06 brayden-cog

+1

jmazurpl avatar Jun 25 '25 20:06 jmazurpl

At this point it is no longer a deprecation warning but a moderate vulnerability warning. The esbuild version override throws an error with npm.

ViggoV avatar Jun 30 '25 08:06 ViggoV

+1, this should have been fixed a while ago

gastrify-dev avatar Jul 08 '25 01:07 gastrify-dev

Trying Drizzle for the first time.

Getting a vulnerability warning.

cha0s avatar Jul 11 '25 17:07 cha0s

Image

mengxi-ream avatar Jul 19 '25 19:07 mengxi-ream

+1

ufwo avatar Jul 24 '25 16:07 ufwo

+1

LucasWinkler avatar Jul 27 '25 03:07 LucasWinkler