chore(deps): override esbuild to ^0.28.1 — clear dev-only audit advisory, un-red main#126
…sories GHSA-gv7w-rqvm-qjhr + GHSA-g7r4-m6w7-qqqr (high) are transitive via vitepress→vite→esbuild (dev-only; npm audit --omit=dev was already clean). Both are first-patched in esbuild 0.28.1. Forces the patched version via the existing root overrides block; keeps the strict CI audit gate intact. This is not a regression from #120 — main fails the same audit since the advisory was published. Merging this also un-reds main's audit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying fs-packages with Cloudflare Pages

| | |
|---|---|
| Latest commit: | 18a06d8 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://464c7532.fs-packages.pages.dev |
| Branch Preview URL: | https://chore-esbuild-override-0-28.fs-packages.pages.dev |
The esbuild ^0.28.1 override + lockfile churn was unrelated dev-dependency scope bundled into this feature PR. Lifted into standalone chore PR #126 so main can go green independently and this PR's diff stays scoped to the extend hook. Reverts 5ca3ee6 + 82e59ce.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Goosterhof left a comment
✅ Approve-worthy
0 blockers · 1 concern · 0 nits · 1 praise · 1 inline
Round 1. CI check green (4m21s).
Standalone dev-only esbuild: ^0.28.1 override to clear GHSA-gv7w-rqvm-qjhr and un-red main. The "why a standalone PR" rationale checks out: ci.yml:18 runs a bare npm audit (no --omit=dev) as the second step of the single check job, so a dev advisory short-circuits all downstream gates on every branch incl. main's next push. The override resolves the entire esbuild subtree to 0.28.1 in the lock (verified — main was at 0.27.7), and the green check run is the proof of compatibility: that one job runs npm run test:coverage + npm run test:mutation, both vitest-driven, so the 0.27 → 0.28 major bump is empirically safe for the test runner, not only docs.
Findings (detail inline)
package.json:42 — scope claim understates blast radius (concern)
Automated war-room agent review — posted because this PR carries the Agent Review Requested label.
Review Loop · 10/10 · PASS
fs-packages #126 · AC anchor: none (no issue/plan/PR-AC anchor; self-evident dep-override PR) · head
Tip: No findings — clean against the review checklist.
Action: merge-ready

Confirmed identical to the override I'd split out in parallel (now closed as #127) — same hunk, lockfile keeps all
What

Adds an `esbuild: ^0.28.1` override to the root `overrides` block, clearing the dev-only advisory GHSA-gv7w-rqvm-qjhr (esbuild dev-server request SSRF/RCE) carried transitively via `vitepress → vite → esbuild`.

Why a standalone PR

The advisory was published after `main` last went green, and the CI `check` job runs a hard `npm audit` (no `--omit=dev`) as its first step — so it now fails on every branch, including `main`'s next push, short-circuiting all 7 downstream gates. This override un-reds `main` on its own merit.

It was originally bundled into #120 (the `extend` hook feature). Per review feedback, lifting it out so:

- `main` can go green independently of the feature debate, and
- `extend` hook.

Scope

- `package.json` — one line added to the existing `overrides` block.
- `package-lock.json` — regen of the `esbuild`/`vite`/`vitepress` subtree only.

Dev-only dependency (docs tooling); no production runtime or published-package impact. The `esbuild` major bump (0.27 → 0.28) affects local docs builds only.

🤖 Generated with Claude Code
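The reviewer's claim above that "the override resolves the entire esbuild subtree to 0.28.1 in the lock" is the thing worth checking mechanically, because an `overrides` entry only helps if every copy of the package in `package-lock.json`, hoisted or nested, was re-resolved inside the override range. The script below is an added example written for this page, not code from fs-packages or from the PR: the `package.json` and lockfile objects are constructed to mirror the v3 lockfile shape, the `vitepress`/`vite` versions and the decoy entries are assumptions, and the only facts taken from the thread are the `^0.28.1` override and the 0.27.7 → 0.28.1 esbuild versions. It implements npm's caret-range semantics itself so it runs with no dependencies.

```javascript
// Added example (not fs-packages code): confirm an npm `overrides` entry
// re-resolved every copy of a package in package-lock.json.
// Lockfile contents are CONSTRUCTED; only the esbuild versions 0.27.7 and
// 0.28.1 and the ^0.28.1 override come from the PR thread.

// Constructed root package.json carrying the override this PR adds.
const packageJson = {
  name: "fs-packages",
  devDependencies: { vitepress: "^1.6.0" }, // assumed range
  overrides: { esbuild: "^0.28.1" },
};

// Constructed lockfile before the override: esbuild hoisted at 0.27.7.
// The `@esbuild/*` binary and `esbuild-register` are decoys that must NOT
// be counted as copies of `esbuild`.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vitepress": { version: "1.6.0", dev: true },
    "node_modules/vite": { version: "5.4.0", dev: true },
    "node_modules/esbuild": { version: "0.27.7", dev: true },
    "node_modules/@esbuild/linux-x64": { version: "0.27.7", dev: true, optional: true },
    "node_modules/esbuild-register": { version: "3.6.0", dev: true },
  },
};

// Constructed lockfile after `npm install` regenerated the esbuild subtree.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    ...lockBefore.packages,
    "node_modules/esbuild": { version: "0.28.1", dev: true },
    "node_modules/@esbuild/linux-x64": { version: "0.28.1", dev: true, optional: true },
  },
};

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// npm caret semantics: ^1.2.3 := >=1.2.3 <2.0.0; ^0.2.3 := >=0.2.3 <0.3.0;
// ^0.0.3 := exactly 0.0.3. Only caret ranges are handled here.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only ^ ranges supported: ${range}`);
  const v = parseVersion(version);
  const r = parseVersion(range.slice(1));
  // Lower bound: version must be >= the range base (lexicographic compare).
  for (let i = 0; i < 3; i++) {
    if (v[i] !== r[i]) { if (v[i] < r[i]) return false; break; }
  }
  // Upper bound: the first non-zero component of the range is pinned.
  if (r[0] !== 0) return v[0] === r[0];
  if (r[1] !== 0) return v[0] === 0 && v[1] === r[1];
  return v[0] === 0 && v[1] === 0 && v[2] === r[2];
}

// Every lockfile entry that resolves `name`, keyed by install path.
// Matching the exact trailing path segment excludes `@esbuild/*` platform
// packages and look-alikes such as `esbuild-register`.
function resolvedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) out[path] = entry.version;
  }
  return out;
}

// Copies of overridden packages whose resolved version falls outside the
// override range, as "path@version". An empty array means every override
// took effect across the whole tree.
function unmetOverrides(pkg, lock) {
  const unmet = [];
  for (const [name, range] of Object.entries(pkg.overrides ?? {})) {
    for (const [path, version] of Object.entries(resolvedVersions(lock, name))) {
      if (!satisfiesCaret(version, range)) unmet.push(`${path}@${version}`);
    }
  }
  return unmet;
}

// Stand-alone run: the pre-override lock fails, the regenerated lock passes.
console.log("before:", unmetOverrides(packageJson, lockBefore)); // ["node_modules/esbuild@0.27.7"]
console.log("after: ", unmetOverrides(packageJson, lockAfter));  // []
```

Against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and `JSON.parse(fs.readFileSync("package-lock.json"))`; `npm ls esbuild` shows the same resolved copies interactively. The check is complementary to `npm audit`: a green audit only says no advisory matches the tree right now, whereas this asserts that the lockfile state actually reflects the override, so a later `npm install` that silently drops a nested copy back to 0.27.x would be caught before the advisory gate fires.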