Critical CVE vulnerabilities in Go 1.19.3 (@nx/[email protected] / esbuild 0.21.5)

Open digitalhank opened this issue 5 months ago • 0 comments

Current Behavior

Dependency vulnerability scanners are flagging critical bugs for Go 1.19.3 (esbuild 0.21.5), which is present in at least @esbuild/linux-x64, which is a dependency of @nx/[email protected].

CVE:

  • https://nvd.nist.gov/vuln/detail/CVE-2023-24540
  • https://nvd.nist.gov/vuln/detail/CVE-2023-24538

We are unable to upgrade NX since we need to remain on the version of nextjs provided by NX 19.8.14. Upgrading NX makes the generator install newer versions of next. The latest releases of esbuild have patched these CVE vulnerabilities.

Would the maintainers be willing to release a patch fix to nx 19.8.14 to upgrade esbuild?

Expected Behavior

No vulnerability alarms

GitHub Repo

No response

Steps to Reproduce

Nx Report

Not needed

Failure Logs


Package Manager Version

No response

Operating System

  • [ ] macOS
  • [ ] Linux
  • [ ] Windows
  • [ ] Other (Please specify)

Additional Information

No response

digitalhank, Jun 10 '25 07:06