Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

esbuild found in production (peer)dependencies in sveltekit app #12077

Open
LoricAndre opened this issue Oct 20, 2024 · 1 comment
Open

esbuild found in production (peer)dependencies in sveltekit app #12077

LoricAndre opened this issue Oct 20, 2024 · 1 comment
Labels
bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@LoricAndre
Copy link

Environment

  System:
    OS: Linux 6.10 CachyOS Linux
    CPU: (16) x64 AMD Ryzen 7 8845HS w/ Radeon 780M Graphics
    Memory: 7.65 GB / 14.92 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 20.18.0 - ~/.local/share/nvm/versions/node/v20.18.0/bin/node
    npm: 10.8.2 - ~/.local/share/nvm/versions/node/v20.18.0/bin/npm
    pnpm: 8.15.5 - ~/.local/share/pnpm/pnpm

package.json

	"dependencies": {
		"@auth/core": "^0.36.0",
		"@auth/sveltekit": "1.6.0",

Reproduction URL

https://github.com/LoricAndre/next-auth-example

Describe the issue

After using pnpm --filter <filter> --prod --no-optional deploy app to create an app bundle, we found that esbuild is included in the packages that were pulled into the bundle.

After tracing the dependencies, we found that @auth/sveltekit "pulls" vite as a peer dependency, which in turn pulls esbuild as a dependency.

This seems like unwanted behavior, as vite and esbuild should not be needed after the package is built, and it flagged the package in a vulnerability scanner.

How to reproduce

Create a prod bundle of a package requiring @auth/sveltekit :

pnpm deploy /tmp/app --filter app
find /tmp/app/node_modules -name '*esbuild*'

Result :

/tmp/app/node_modules/.pnpm/@[email protected][email protected][email protected]/node_modules/@sveltejs/vite-plugin-svelte/src/utils/esbuild.js                                                                                                                                                                                                                                                                             
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/esbuild                                                                                                                                                                                                                                                                                                                                                                       
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/vite/node_modules/.bin/esbuild                                                                                                                                                                                                                                                                                                                                                
/tmp/app/node_modules/.pnpm/@[email protected]                                                                                                                                                                                                                                                                                                                                                                             
/tmp/app/node_modules/.pnpm/@[email protected]/node_modules/@esbuild                                                                                                                                                                                                                                                                                                                                                       
/tmp/app/node_modules/.pnpm/@[email protected]/node_modules/@esbuild/linux-x64/bin/esbuild
/tmp/app/node_modules/.pnpm/[email protected]
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/@esbuild
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/esbuild
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/esbuild/bin/esbuild
/tmp/app/node_modules/.pnpm/[email protected]/node_modules/esbuild/node_modules/.bin/esbuild
/tmp/app/node_modules/.pnpm/node_modules/@esbuild
/tmp/app/node_modules/.pnpm/node_modules/esbuild
/tmp/app/node_modules/.pnpm/node_modules/.bin/esbuild

Expected behavior

This should not include vite or esbuild
@LoricAndre LoricAndre added bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Oct 20, 2024
@LoricAndre LoricAndre changed the title esbuild found in production (peer)dependencies in sveltekit app Vulnerability caused by esbuild being present in sveltekit app Oct 30, 2024
@balazsorban44 balazsorban44 changed the title Vulnerability caused by esbuild being present in sveltekit app esbuild found in production (peer)dependencies in sveltekit app Nov 1, 2024
@balazsorban44
Copy link
Member

If you think this causes a security issue, please read https://authjs.dev/security and reach out responsibly instead. I reached out to the Svelte team to clarify, for what it's worth, haven't gotten an answer yet.

Maybe worth re-asking in https://github.com/sveltejs/svelte

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@balazsorban44 @LoricAndre