security(deps): resolve 7 open dependabot alerts

.lore.md

@@ -5,9 +5,17 @@
 ### Decision
 
 <!-- lore:019e2add-e248-7c69-81d6-55de39182966 -->
-* **Migrated to Content Layer API**: migrated to Content Layer API,
+* **Migrated to Content Layer API**: Migrated to Content Layer API in getsentry/spotlight. \`packages/website/content.config.ts\` is an untracked file that should NOT be committed in security/dependency bump PRs — it is intentionally excluded from those commits.
 
 ### Gotcha
 
+<!-- lore:019ed0b6-c2c6-7197-9cec-2026914ec51d -->
+* **esbuild override cap in getsentry/spotlight — resolved at 0.28.1**: The pnpm override \`"esbuild": ">=0.25.0 <0.28.0"\` was a deliberate cap to avoid esbuild#4436 (erroring on destructuring for old targets). Trap: bumping to \`>=0.28.1\` looks risky because 0.28.x retained that behavior. Fix: the regression did NOT reappear in practice — website build succeeded without adding \`target: "es2020"\`. Override is now \`"esbuild": ">=0.28.1"\`, resolving Dependabot alerts #279 and #280.
+
 <!-- lore:019e2b7e-99e1-7402-8c4f-9699919d7e69 -->
 * **plist override breaks electron-builder osx-sign**: Forcing \`plist>=3.1.1\` via pnpm overrides bumps it to v5.x, which breaks \`@electron/osx-sign@1.0.5\` (used by \`electron-builder@24.13.3\`) due to incompatible CJS \`require()\` and new \`exports\` map. Fix: remove the \`plist\` override and instead override \`@xmldom/xmldom\` directly to \`>=0.8.13\` (first patched 0.8.x version). This keeps \`plist@3.1.0\` for osx-sign compatibility while eliminating the \`@xmldom/xmldom\` vulnerability.
+
+### Pattern
+
+<!-- lore:019ed0b6-c2ce-7193-9376-5e711e5d5441 -->
+* **Security dep-bump workflow in getsentry/spotlight**: Pattern for resolving Dependabot alerts: (1) fetch alerts via \`gh api /repos/{owner}/{repo}/dependabot/alerts\`; (2) plan fix in \`.opencode/plans/\`; (3) bump pnpm override in root \`package.json\`; (4) run \`pnpm install\`, verify lockfile, run full \`pnpm build\` + \`vitest run\`; (5) create branch \`security/deps-\<pkg>-\<version>\` off main, commit, push, open PR. Untracked \`.opencode/\` and \`packages/website/content.config.ts\` are intentionally excluded from security commits.

package.json

@@ -23,8 +23,8 @@
   "pnpm": {
     "overrides": {
       "vite@>=6.0.0 <6.4.2": "~6.4.2",
-      "vite@>=7.0.0 <7.3.2": ">=7.3.2",
-      "tar": ">=7.5.11",
+      "vite@>=7.0.0 <7.3.5": ">=7.3.5 <8",
+      "tar": ">=7.5.16",
       "h3": ">=1.15.6",
       "@sveltejs/kit": ">=2.49.5",
       "diff": ">=5.2.2",
@@ -40,7 +40,7 @@
       "ajv@>=7.0.0-alpha.0 <9.0.0": "~8.18.0",
       "path-to-regexp": "^6.3.0",
       "cross-spawn": ">=7.0.5",
-      "form-data": ">=4.0.4",
+      "form-data": ">=4.0.6",
       "next": "^15.4.8",
       "cookie": ">=0.7.0",
       "esbuild": ">=0.28.1",
@@ -54,6 +54,7 @@
       "ip-address": ">=10.1.1",
       "lodash": ">=4.18.0",
       "@xmldom/xmldom": ">=0.8.13",
+      "@opentelemetry/core": ">=2.8.0",
       "postcss": ">=8.5.10",
       "qs": ">=6.15.2",
       "svelte": ">=5.55.7",

packages/website/package.json

@@ -23,7 +23,7 @@
     "@types/react": "catalog:",
     "@types/react-dom": "catalog:",
     "@vercel/analytics": "^1.6.1",
-    "astro": "^6.1.10",
+    "astro": "^6.4.6",
     "react": "catalog:",
     "react-dom": "catalog:",
     "sharp": "^0.33.5",