evanw/esbuild latest releasev0.28.1
PatchContains new features Released
-
Disallow
\in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a
\backslash character. It happened due to the use of Go'spath.Clean()function, which only handles Unix-style/characters. HTTP requests with paths containing\are no longer allowed.
Show more