drizzle-orm icon indicating copy to clipboard operation
drizzle-orm copied to clipboard
verified publisher icon drizzle-team

feat: replace @esbuild-kit/esm-loader with tsx

Open kevcube opened this issue 8 months ago β€’ 18 comments

Removes the deprecated package @esbuild-kit/esm-loader which used a vulnerable version of esbuild and replaces it with tsx, the recommendation by esm-loader.

kevcube avatar Apr 18 '25 12:04 kevcube

fixes #3067

kevcube avatar Apr 18 '25 12:04 kevcube

@kevcube Excuse me, I am not a reviewer, but perhaps the following corrections are needed?

  • Running with npx tsx may not work correctly if the user is using pnpm, yarn or others. It would be better to use node ---import tsx.

  • Move tsx from devDependencies to dependencies.

mdoi2 avatar Apr 20 '25 02:04 mdoi2

  • Running with npx tsx may not work correctly if the user is using pnpm, yarn or others. It would be better to use node ---import tsx.

with node --import tsx utils.js I get some error, with npx tsx utils.js I do not. NPM and NPX come bundled with node, so I can't imagine a system that wouldn't have them unless a user is using bun or Deno, but then node --import would fail as well.

  • Move tsx from devDependencies to dependencies.

because this is in build.dev.ts I don't believe this is used for production builds. therefore IMO devDependencies is correct.

kevcube avatar Apr 22 '25 12:04 kevcube

Thanks, @kevcube πŸ™‡πŸ»β€β™‚οΈ And sorry. I mistakenly thought it was a script that was executed when a user performs a migration. I'm not sure why @esbuild-kit/esm-loader is currently in dependencies.

mdoi2 avatar Apr 22 '25 22:04 mdoi2

I see last commit is from 2 weeks ago, and last comment from 1 week ago. Any estimates on when we can expect this being delivered?

ir33k avatar Apr 29 '25 07:04 ir33k

@ir33k only once we get maintainer review.

kevcube avatar Apr 29 '25 10:04 kevcube

I need to re-commit and sign my commits. Will do later today.

kevcube avatar Apr 29 '25 11:04 kevcube

@AndriiSherman πŸ™

davidaragundy avatar Apr 29 '25 16:04 davidaragundy

@kevcube Amazing effort, it would be really great to close this πŸ™

We are trying to get rid of the vulnerable esbuild packages across our codebase and drizzle-kit is still forcing that dependency.

dominikj-cf avatar May 19 '25 08:05 dominikj-cf

commits now signed, conflicts fixed, @drizzle-team, @AndriiSherman, @Sukairo-02, @dankochetov ready for review please πŸ™

kevcube avatar May 31 '25 08:05 kevcube

@kevcube could you please revert the last commit because it's making a huge change to the lock file, unless you have conflict with main branch.

dulmandakh avatar Jun 04 '25 09:06 dulmandakh

@dulmandakh fixed now. main branch was flipping between lockfile versions 6 and 9 recently, so I mistakenly created a v6 lock. now it's v9, matching main. not sure why so many other lines were changed by my pnpm i.

kevcube avatar Jun 04 '25 09:06 kevcube

@dulmandakh fixed now. main branch was flipping between lockfile versions 6 and 9 recently, so I mistakenly created a v6 lock. now it's v9, matching main. not sure why so many other lines were changed by my pnpm i.

It was version 6 in the main. I would suggest that someone from maintainers should update lock file version.

dulmandakh avatar Jun 04 '25 13:06 dulmandakh

@dulmandakh fixed now. main branch was flipping between lockfile versions 6 and 9 recently, so I mistakenly created a v6 lock. now it's v9, matching main. not sure why so many other lines were changed by my pnpm i.

It was version 6 in the main. I would suggest that someone from maintainers should update lock file version.

now its 10th. its better to perform remove again based on most recent main

https://github.com/drizzle-team/drizzle-orm/blob/main/package.json#L42

edit: removing that package with [email protected] against main produces way smaller diff

vasyl@phoenix /tmp/drizzle-orm-orgi $ gt di --stat
 drizzle-kit/package.json |   1 -
 pnpm-lock.yaml           | 468 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------
 2 files changed, 280 insertions(+), 189 deletions(-)
vasyl@phoenix /tmp/drizzle-orm-orgi $

ZuBB avatar Jun 06 '25 18:06 ZuBB

Hope this gets merge soonπŸ™

oscar-ospina avatar Jun 18 '25 23:06 oscar-ospina

This pull request includes updates to the build configuration and dependencies in the drizzle-kit package. The most notable changes involve switching the runtime environment for the build script and removing an unused dependency.

Updates to build configuration:

  • drizzle-kit/build.dev.ts: Changed the banner.js value to use npx tsx instead of @esbuild-kit/esm-loader for the runtime environment in the build script.

Dependency cleanup:

  • drizzle-kit/package.json: Removed the @esbuild-kit/esm-loader dependency, which is no longer needed after the runtime environment change.

MagnumGoYB avatar Jul 09 '25 02:07 MagnumGoYB

+1, This should have been bumped a while ago. Closes #3118 and #3067

k1ngcrypt avatar Aug 06 '25 02:08 k1ngcrypt

Thanks, everyone, for their efforts! It seems PR is approved. Can someone click the "merge" button so we can get rid of the vulnerable dependency, please? πŸ™

@drizzle-team, @AndriiSherman, @Sukairo-02, @dankochetov

maZahaca avatar Nov 04 '25 12:11 maZahaca

Please merge this, having an easy-to-fix security vulnerability for so long is not a good look, plus removing the warning makes the tool better to use.

If this needs additional testing in order to merge, let us know.

SteampunkWizardStudios avatar Dec 05 '25 14:12 SteampunkWizardStudios