Description
@solidjs/start@2.0.0-alpha.2 lists esbuild in dependencies, which causes it to be installed in production environments even though it's only needed at build time.
https://github.com/solidjs/solid-start/blob/4cc999b698abcf4d934e2e0e24e9dd13be454c42/packages/start/package.json#L51
Why this matters
- Docker image bloat: esbuild ships a platform-specific Go binary (~9 MB). In multi-stage Docker builds that run npm ci --omit=dev for the production stage, esbuild still gets installed because it's a transitive production dependency of @solidjs/start.
- False-positive security vulnerabilities: Security scanners (e.g., Trivy) flag Go stdlib CVEs in the esbuild binary. Since these CVEs exist in the Go binary that ships with esbuild and not in any JavaScript code, they are not exploitable at runtime — but they still require triage and .trivyignore entries. Current examples: CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, CVE-2025-61729, CVE-2025-68121, CVE-2026-25679.
- Not needed at runtime: The SolidStart build output (.output/server/) is a standalone bundle. esbuild is only imported in build-time config code (src/config/fs-routes/router.ts) — it is never used by the production server.
Suggested fix
Move esbuild from dependencies to devDependencies (or peerDependencies with optional: true), since it's only used during the Vite build step.
Additional note
vite is listed as a non-optional peerDependency, which has a similar effect — it forces vite to be installed in production even though the built output doesn't need it. Making it "optional": true in peerDependenciesMeta would allow npm ci --omit=dev to skip it.
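To make the "Suggested fix" and "Additional note" above concrete, here is an added example (not code from the solid-start project) that models which packages a consumer's `npm ci --omit=dev` pulls in for a library manifest: everything in `dependencies`, plus every `peerDependencies` entry that `peerDependenciesMeta` does not mark `"optional": true` (npm 7+ auto-installs peers). It compares a constructed manifest with the current shape against one with the proposed changes. Both manifests are simplified and constructed for this example; version strings are placeholders, and the `BUILD_ONLY` list is an assumption seeded with the two packages this issue names.

```javascript
// Added example, not part of @solidjs/start. Models npm's production install
// rule for a library's manifest: dependencies are always installed, and peer
// dependencies are auto-installed unless peerDependenciesMeta marks them
// optional (assumption: npm 7+ behaviour). devDependencies never reach consumers.
function productionInstallSet(manifest) {
  const installed = new Set(Object.keys(manifest.dependencies || {}));
  const meta = manifest.peerDependenciesMeta || {};
  for (const name of Object.keys(manifest.peerDependencies || {})) {
    const optional = Boolean(meta[name] && meta[name].optional === true);
    if (!optional) installed.add(name);
  }
  return installed;
}

// Build-time-only tools that should not land in a runtime image. This list is
// an assumption for the example, seeded with the packages the issue discusses.
const BUILD_ONLY = new Set(["esbuild", "vite"]);

// Returns the sorted names of build-only tools a production install would pull in.
function findBuildToolsInProduction(manifest) {
  return [...productionInstallSet(manifest)]
    .filter((name) => BUILD_ONLY.has(name))
    .sort();
}

// Constructed, simplified manifest with the shape the issue describes:
// esbuild in dependencies, vite as a non-optional peer. Versions are placeholders.
const currentManifest = {
  name: "@solidjs/start",
  dependencies: { esbuild: "PLACEHOLDER", "@solidjs/router": "PLACEHOLDER" },
  peerDependencies: { vite: "PLACEHOLDER" },
};

// Constructed manifest after the proposed fix: esbuild moved to devDependencies,
// vite declared optional via peerDependenciesMeta.
const proposedManifest = {
  name: "@solidjs/start",
  dependencies: { "@solidjs/router": "PLACEHOLDER" },
  devDependencies: { esbuild: "PLACEHOLDER" },
  peerDependencies: { vite: "PLACEHOLDER" },
  peerDependenciesMeta: { vite: { optional: true } },
};

console.log("current  :", findBuildToolsInProduction(currentManifest));  // [ 'esbuild', 'vite' ]
console.log("proposed :", findBuildToolsInProduction(proposedManifest)); // []
```

Running the same check against a real package.json (for example by reading it with `JSON.parse` from `fs`) gives a quick regression guard: a non-empty result means a build-time tool, and with it any CVEs a scanner attributes to its binary, is still going to be shipped in the production image.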
Environment
- @solidjs/start: 2.0.0-alpha.2
- Node.js: 24.x
- npm: 11.x