
Security Issue: Vulnerable esbuild dependency in Convex

Open davidwarmuth opened this issue 9 months ago • 0 comments

Description:

Hello Convex team,

I noticed that Convex depends on [email protected], which has a known security vulnerability (GHSA-67mh-4wv8-2f99). This vulnerability allows any website to send arbitrary requests to the development server and read the response, posing a risk in development environments.

Steps to reproduce:

  1. Install Convex (npm install convex)
  2. Run npm audit
  3. The audit report highlights the vulnerability in [email protected].

Expected behavior:

Convex should update its dependency to a secure version of esbuild (e.g., 0.25.0 or later) to mitigate this security risk.

Environment:

  • Convex version: 1.19.2
  • Node.js version: 22.12.0
  • NPM version: 11.1.0

Additional context:

This issue only affects development environments, but it's still important to ensure a secure setup. Would it be possible to update the dependency in a future release?

Thank you for your work on Convex!

davidwarmuth · Feb 22 '25 22:02