
Donttrytofindme

#37444 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-40543
7.5
2026-05-12
Esm Dev · Esm.Sh · CVE-2026-44594
**Name of the Vulnerable Software and Affected Versions**

esm.sh versions 137 and earlier

**Description**

A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the `browser` field of `package.json`. An attacker can publish a malicious npm package whose `browser` field uses `../` sequences to remap module paths outside the package directory. The plugin validates the original module path but performs no second check after the remapping, so during a build the server can be made to read arbitrary files from the host filesystem and return them to the requester. The file contents can appear in the bundled JavaScript output or in the `sourcesContent` array of the generated source map. Sensitive server-side files are exposed this way, notably esm.sh's own `config.json`, which may contain S3 storage credentials and npm registry authentication tokens.

**Recommendations**

Update to a version later than 137. As a temporary mitigation, do not honour the `browser` field of `package.json` for untrusted npm packages; on a public instance that builds arbitrary registry packages this in practice means ignoring the field altogether until the upgrade is applied.