
fix(security): force esbuild >=0.28.1 (GHSA-g7r4-m6w7-qqqr / alert #35) #114

Merged

jldeen merged 1 commit into main from fix-esbuild-cve on Jun 24, 2026

Conversation

@jldeen (Collaborator) commented Jun 24, 2026

Resolves Dependabot alert #35: esbuild GHSA-g7r4-m6w7-qqqr (low: dev-server arbitrary file read on Windows, vulnerable >=0.27.3 <0.28.1, patched 0.28.1).

Approach

esbuild is a transitive dependency (via astro@6.4.8 and vite@7.3.5), resolving to 0.27.7 on main. Rather than take #112's astro 6→7 jump (which drags in the broken Vite 8 / rolldown + Tailwind migration), this adds a one-line npm overrides entry pinning esbuild to ^0.28.1. Both astro and vite dedupe to the patched build:

├─┬ @astrojs/preact@6.0.0 → vite@7.3.5 → esbuild@0.28.1 (deduped)
└─┬ astro@6.4.8 → esbuild@0.28.1 (overridden)

Verification (local, Node 22 = CI)

Step                        Result
esbuild resolved version    0.28.1
npm run check               ✅ 0 errors
npm run build
npm run test (Playwright)   ✅ 1 passed
npm audit (esbuild)         ✅ no longer flagged

Follow-up

This fully addresses the security alert, so #112 (astro 7) can be closed — it remains a separate, non-security migration (Vite 8/rolldown + Tailwind rework) tracked on its own.

Adds an npm "overrides" entry pinning esbuild to ^0.28.1, which dedupes
the transitive copies pulled by astro 6.4.8 and vite 7.3.5 (previously
0.27.7, in the vulnerable >=0.27.3 <0.28.1 range) up to the patched
0.28.1. Resolves Dependabot alert #35 (low: dev-server arbitrary file
read on Windows) without the astro 7 / vite 8 migration proposed in #112.

Verified with Node 22: astro check, astro build, and Playwright tests
all pass; npm audit no longer flags esbuild.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jldeen jldeen requested a review from Damovisa as a code owner June 24, 2026 20:21
Copilot AI review requested due to automatic review settings June 24, 2026 20:21
GitHub Advanced Security started work on behalf of jldeen June 24, 2026 20:22
GitHub Advanced Security finished work on behalf of jldeen June 24, 2026 20:22
@jldeen jldeen merged commit 303944f into main Jun 24, 2026
9 checks passed
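The remediation above relies on two things holding: the npm "overrides" floor must be at or above the patched release, and every installed copy of esbuild in package-lock.json (hoisted or nested under another package) must have actually moved out of the vulnerable range, since a stale nested copy would not show up in the deduped tree summary. The script below is an added example, not code from this PR or the project: it encodes the advisory range quoted in the PR, checks the override's floor, and walks a lockfileVersion 3 "packages" map for every esbuild install. The three lock fragments are constructed for the example (the "nested stale" one is a hypothetical partial remediation, not this repository's state), and the x.y.z comparator is a minimal stand-in for the semver package.

```javascript
// Added example (not the PR's or the project's own code): verify that an npm
// "overrides" entry has pulled every transitive copy of a package out of an
// advisory's vulnerable range. Assumes a lockfileVersion 3 package-lock.json
// ("packages" map keyed by node_modules path). Lock objects below are
// constructed for the example and are not the project's real lockfile.

// The one-line remediation the PR adds to package.json.
const PACKAGE_JSON_OVERRIDES = { overrides: { esbuild: "^0.28.1" } };

// Advisory range as quoted in the PR (GHSA-g7r4-m6w7-qqqr):
// vulnerable >=0.27.3 <0.28.1, patched in 0.28.1.
const ADVISORY = { name: "esbuild", introduced: "0.27.3", fixed: "0.28.1" };

// Minimal x.y.z comparison (no pre-release handling) so the check runs
// without the semver package. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version, advisory) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// Does the override's lowest acceptable version reach the patched release?
// Assumption: the spec is a caret, tilde or >= range (e.g. "^0.28.1").
function overrideFloorIsPatched(pkgJson, advisory) {
  const spec = (pkgJson.overrides || {})[advisory.name];
  if (!spec) return false;
  const floor = spec.replace(/^[\^~>=\s]+/, "");
  return compareVersions(floor, advisory.fixed) >= 0;
}

// Every installed copy of the package, hoisted or nested, in a v3 lockfile.
// One entry per install path so a nested stale copy cannot hide behind a
// patched hoisted one. "@esbuild/*" platform packages are not matched here.
function findInstalls(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function auditLock(lock, advisory) {
  const installs = findInstalls(lock, advisory.name);
  const vulnerable = installs.filter((i) => isVulnerable(i.version, advisory));
  // "clean" requires at least one install: a lockfile with no copy at all
  // is a different situation from a fully remediated one.
  return { installs, vulnerable, clean: installs.length > 0 && vulnerable.length === 0 };
}

// Read a real lockfile from disk (fs is required lazily so the in-memory
// examples below run in any module system).
function auditLockFile(path, advisory = ADVISORY) {
  const fs = require("node:fs");
  return auditLock(JSON.parse(fs.readFileSync(path, "utf8")), advisory);
}

// Constructed lock fragments. BEFORE mirrors the versions the PR names on
// main; AFTER mirrors the post-override resolution; NESTED_STALE is a
// hypothetical partial remediation the tree summary would not reveal.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "node_modules/esbuild": { version: "0.27.7" },
  "node_modules/vite": { version: "7.3.5" },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "node_modules/esbuild": { version: "0.28.1" },
  "node_modules/vite": { version: "7.3.5" },
} };
const LOCK_NESTED_STALE = { lockfileVersion: 3, packages: {
  "node_modules/esbuild": { version: "0.28.1" },
  "node_modules/vite/node_modules/esbuild": { version: "0.27.9" },
} };

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER], ["nested-stale", LOCK_NESTED_STALE]]) {
  const r = auditLock(lock, ADVISORY);
  console.log(label, r.clean ? "OK" : "FAIL", r.vulnerable.map((v) => `${v.path}@${v.version}`).join(", ") || "-");
}
console.log("override floor patched:", overrideFloorIsPatched(PACKAGE_JSON_OVERRIDES, ADVISORY));
```

Run it against the real tree with `auditLockFile("package-lock.json")` from a Node REPL or a small wrapper; a non-empty `vulnerable` list means the override did not reach a nested copy and `npm ls esbuild` should be inspected for which parent pinned it. The floor check matters because an override such as "^0.27.7" would be accepted by npm yet leave the advisory open.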

Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses Dependabot alert #35 (GHSA-g7r4-m6w7-qqqr) by forcing the transitive esbuild dependency to resolve to a patched version (>= 0.28.1) without requiring a major astro upgrade.

Changes:

  • Add an npm overrides entry to pin esbuild to ^0.28.1.
  • Update package-lock.json so esbuild and all @esbuild/* platform packages resolve to 0.28.1.
File                Description
package.json        Adds an npm override to force esbuild to a patched version across the dependency graph.
package-lock.json   Updates the lockfile to reflect esbuild@0.28.1 (and platform binaries) as the resolved versions.

Copilot's findings


  • Files reviewed: 1/2 changed files
  • Comments generated: 0
