chore(security): upgrade Wrangler 3.x → 4.13.0 to fix esbuild vulnerability#3
Merged
ashercoren merged 1 commit into main on Apr 9, 2026
Conversation
Resolves the esbuild <=0.17.x vulnerability (GHSA-67mh-4wv8-2f99 / CVE-2025-25193) by upgrading wrangler from `^3.72.3` to `4.13.0`. Wrangler 4.x ships esbuild 0.25.2, eliminating the vulnerable 0.17.19 copy that was nested under `node_modules/wrangler/`. Pinned to exactly `4.13.0` (rather than `^4.13.0`) because later 4.x releases require Node >=20.3.0 and the project currently runs Node 18.

Made-with: Cursor
Summary
- Upgrades `wrangler` from `^3.72.3` to `4.13.0` in `vim--base-app-template--react`
- Removes `esbuild@0.17.19` that was pinned inside Wrangler 3.x (`node_modules/wrangler/node_modules/esbuild`)

Security context
Wrangler 3.x pins `esbuild@0.17.19`, which is affected by GHSA-67mh-4wv8-2f99 — esbuild's dev server accepts cross-origin requests, allowing any website to read responses from the local dev server. The vulnerability is fully resolved in esbuild ≥0.25.3 (addressed in Wrangler ≥4.13.0).

Why 4.13.0 (pinned, not `^4.13.0`)
Later 4.x releases (≥4.14.x) require Node ≥20.3.0. The project currently runs Node 18, so this is pinned to exactly `4.13.0` — the minimum version that resolves the vulnerability and is compatible with Node 18. When the project moves to Node 20+, the pin can be relaxed to `^4.x.x`.

Breaking changes assessed
All Wrangler 4.0 breaking changes were reviewed against this repo's usage. None apply:
- `wrangler pages dev` is used (in the `dev:functions` script) — no removed commands are in use
- `wrangler.toml` only configures standard Pages bindings — no deprecated config fields present
- No `getBindingsProxy`, `--node-compat`, legacy assets, or removed D1 commands are used
- `functions/` source files

Test plan
- `npm run dev` starts successfully (both Vite and Wrangler Pages dev server)
- `npm audit` no longer reports the `esbuild@0.17.19` vulnerability
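The test plan above leans on `npm audit`, which reasons from the lockfile. The whole point of this PR is a second esbuild copy nested under `node_modules/wrangler/node_modules/esbuild`, so it is worth also confirming what is actually on disk. The following is an added example written for this page, not code from the PR or the project: a POSIX shell script that enumerates every installed copy of a package beneath a node_modules tree, nested copies included, and flags those below a given version. The package name, the threshold, the fixture directory names and all fixture version numbers other than the nested 0.17.19 are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not code from the PR or the project): enumerate every
# installed copy of a package under node_modules, nested copies included,
# and flag the ones below a minimum version. The package name, the
# threshold and the fixture tree built by make_fixture are assumptions.
set -eu

# version_lt A B: succeed (exit 0) when A < B, comparing numeric
# major.minor.patch; any prerelease suffix is ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = x[i] + 0; yi = y[i] + 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# pkg_version FILE: print the "version" field of a package.json.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# find_old_copies ROOT PKG MIN: print "<dir> <version>" for every copy of
# PKG beneath ROOT whose version is below MIN. Nested copies such as
# node_modules/wrangler/node_modules/esbuild are found because the match is
# on the path suffix, not only on the top-level node_modules.
find_old_copies() {
  find "$1" -type f -path "*/node_modules/$2/package.json" | while IFS= read -r pj; do
    v=$(pkg_version "$pj")
    if version_lt "$v" "$3"; then
      printf '%s %s\n' "${pj%/package.json}" "$v"
    fi
  done
}

# old_copy_count ROOT PKG MIN: number of flagged copies, as a bare integer.
old_copy_count() {
  find_old_copies "$1" "$2" "$3" | awk 'END { print NR }'
}

# make_fixture: build a constructed node_modules tree in a temp dir and print
# its path. "before" mirrors the layout the PR describes (a second esbuild
# pinned under wrangler); "after" has a single top-level copy. Apart from the
# nested 0.17.19, the version numbers are made up for the demo.
make_fixture() {
  d=$(mktemp -d)
  mk() { mkdir -p "$(dirname "$1")"; printf '{ "name": "%s", "version": "%s" }\n' "$2" "$3" > "$1"; }
  mk "$d/before/node_modules/esbuild/package.json" esbuild 0.25.3
  mk "$d/before/node_modules/wrangler/package.json" wrangler 3.72.3
  mk "$d/before/node_modules/wrangler/node_modules/esbuild/package.json" esbuild 0.17.19
  mk "$d/after/node_modules/esbuild/package.json" esbuild 0.25.3
  mk "$d/after/node_modules/wrangler/package.json" wrangler 4.13.0
  printf '%s\n' "$d"
}

# Demo against the fixture. Against a real checkout, run:
#   find_old_copies ./node_modules esbuild 0.25.3
FIX=$(make_fixture)
for tree in before after; do
  echo "== $tree: $(old_copy_count "$FIX/$tree" esbuild 0.25.3) copy/copies of esbuild below 0.25.3"
  find_old_copies "$FIX/$tree" esbuild 0.25.3
done
rm -rf "$FIX"
```

Run it with the threshold taken from the advisory rather than from the PR text: the description quotes both 0.25.2 (the esbuild that Wrangler 4.x ships) and ≥0.25.3 (where the vulnerability is fully resolved), and a check of the installed tree against the advisory's figure is what settles which copy you actually have. `npm ls esbuild` gives the same list from npm's own view of the tree and is a good cross-check.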