fix(security): remediate esbuild vulnerability by fro-bot · Pull Request #2292 · bfra-me/.github · GitHub

fix(security): remediate esbuild vulnerability #2292

Merged
marcusrbrown merged 1 commit into main from security/esbuild-vulnerability-fix on Jun 25, 2026

Conversation


@fro-bot fro-bot commented Jun 13, 2026

Collaborator

Security Fix

This PR remediates two esbuild vulnerabilities identified by Dependabot:

Vulnerabilities

Alert  Severity  Description
#52    HIGH      esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
#51    LOW       esbuild allows arbitrary file read when running the development server on Windows

Fix

Force esbuild >=0.28.1 via pnpm-workspace.yaml overrides.

Vulnerable range: >=0.17.0 <0.28.1
Patched range: >=0.28.1

Transitive paths updated

  • (0.28.0 → 0.28.1)
  • (0.27.7 → 0.28.1)

Verification

  • pnpm audit shows no high/critical vulnerabilities
  • pnpm run quality-check passes (type-check, lint, build, test)
  • All 641 tests pass
  • No source code changes — only lockfile and workspace override

Notes

This is a minimal security fix. No bulk dependency updates. Only the esbuild override was added to resolve the confirmed high-severity advisory.

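To check a lockfile for the transitive esbuild paths the verification bullets above describe, an added helper (example code, not the repository's own and not part of this PR): it walks the `snapshots:` section of a pnpm v9-style lockfile, maps each dependent package to the esbuild version it resolves to, and reports every edge still inside the advisory's vulnerable range. The lockfile excerpt, package names and versions are constructed for the example.

```python
import re

# Ranges as stated in the PR: vulnerable >=0.17.0 <0.28.1, patched >=0.28.1.
VULN_LOW, PATCHED = (0, 17, 0), (0, 28, 1)

# Constructed excerpt in pnpm lockfile v9 layout (not the repo's real lockfile):
# tsup still resolves a vulnerable esbuild, tsx already has the patched one.
SAMPLE_LOCK = """\
snapshots:
  esbuild@0.27.7:
    optionalDependencies:
      '@esbuild/linux-x64': 0.27.7
  esbuild@0.28.1:
    optionalDependencies:
      '@esbuild/linux-x64': 0.28.1
  tsup@8.5.0:
    dependencies:
      esbuild: 0.27.7
  tsx@4.20.3:
    dependencies:
      esbuild: 0.28.1
"""

def parse_version(text):
    """'0.28.1' -> (0, 28, 1); tuples compare the way semver core versions do."""
    return tuple(int(part) for part in text.split(".")[:3])

def is_vulnerable(version):
    return VULN_LOW <= version < PATCHED

def esbuild_dependents(lock_text):
    """Map each snapshot entry that depends on esbuild to its resolved version."""
    found, current, in_snapshots = {}, None, False
    for line in lock_text.splitlines():
        if line.startswith("snapshots:"):
            in_snapshots = True
        elif in_snapshots:
            key = re.match(r"^  (\S+):\s*$", line)      # 2-space indent: snapshot key
            dep = re.match(r"^\s+esbuild:\s*(\d+\.\d+\.\d+)", line)
            if key:
                current = key.group(1)
            elif dep and current:
                found[current] = parse_version(dep.group(1))
    return found

def unpatched_paths(lock_text):
    """'dependent>esbuild@x.y.z' for every edge still inside the vulnerable range."""
    return [f"{dep}>esbuild@{'.'.join(map(str, ver))}"
            for dep, ver in sorted(esbuild_dependents(lock_text).items())
            if is_vulnerable(ver)]
```

Run it against a real `pnpm-lock.yaml` by reading the file into `unpatched_paths`; an empty list means every resolved esbuild sits in the patched range.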


fro-bot commented Jun 18, 2026

Collaborator Author

Rebased onto main

The PR branch was 24 commits behind main with a CONFLICTING merge state (pnpm-lock.yaml diverged).

Action taken this run:

  • Merged origin/main into security/esbuild-vulnerability-fix via a merge commit (no force-push)
  • Resolved the pnpm-lock.yaml conflict by taking main's lockfile and re-applying the esbuild override
  • Rebuilt the three action dist/ bundles (renovate-changesets, update-metadata, update-repository-settings) so the patched esbuild is bundled
  • Verified pnpm audit no longer flags esbuild (only the MODERATE js-yaml transitive remains)
  • Verified pnpm run quality-check passes: type-check + lint + build + 641/641 tests

Status: PR is now MERGEABLE with all 11 required checks SUCCESS (Quality Check, Advanced Security Analysis, Container Scan, copilot-setup-steps, Review Dependencies, License Scan, Triage, Renovate, GitGuardian Scan, CodeQL — SKIPPED: Create Renovate Changeset, Fro Bot, Release, as expected for branch PRs).

Awaiting human review and merge to resolve Dependabot alert #51 (esbuild LOW).

@marcusrbrown

Member

@fro-bot rebase and update this PR

@marcusrbrown

Member

@fro-bot rebase and update this PR

Force esbuild >=0.28.1 via pnpm-workspace.yaml overrides to fix:
- GHSA-#52: HIGH severity - Missing binary integrity verification in Deno module
- GHSA-#51: LOW severity - Arbitrary file read on Windows development server

Vulnerable range: >=0.17.0 <0.28.1
Patched range: >=0.28.1

Updates lockfile to resolve both transitive esbuild paths:
- .>tsx>esbuild (0.28.0 -> 0.28.1)
- .github__actions__renovate-changesets>tsup>esbuild (0.27.7 -> 0.28.1)

Fixes: #1959 (security section)
fro-bot force-pushed the security/esbuild-vulnerability-fix branch from 787eb64 to 85b8609 on June 25, 2026 17:29

fro-bot commented Jun 25, 2026

Collaborator Author

Rebased onto main

PR branch was 32 commits behind main (with a DIRTY merge state from the prior merge-commit rebase). Rebuilt it cleanly on top of the latest main.

Action taken this run:

  • Created a worktree for security/esbuild-vulnerability-fix and rebased onto origin/main
  • Replaced the previous merge-commit history with a single clean commit: fix(security): remediate esbuild vulnerability via pnpm override
  • Resolved the pnpm-lock.yaml conflict by taking main's lockfile, re-running pnpm install to apply the esbuild override, and regenerating the lockfile
  • Rebuilt all three action dist/ bundles (renovate-changesets, update-metadata, update-repository-settings) so the patched esbuild is bundled
  • Force-pushed with --force-with-lease

Verification:

  • pnpm why esbuild → esbuild@0.28.1 (forced by override)
  • pnpm audit --prod → No known vulnerabilities found
  • pnpm run quality-check → type-check + lint + build + 641/641 tests pass
  • Branch state: 0 behind, 1 ahead of main, MERGEABLE
  • Diff is now minimal: 5 files, +126/-392 (lockfile consolidation from main + 1 added override line)

Status: Awaiting CI re-run and human review/merge. Dependabot alerts #51 (LOW) and #52 (HIGH) are addressed by the esbuild override.


Run Summary
Field Value
Event issue_comment
Repository bfra-me/.github
Run ID 28188425654
Cache hit
Session ses_1002cfc27ffe2tThLb2okHNLhf

marcusrbrown enabled auto-merge (squash) on June 25, 2026 17:30
marcusrbrown merged commit 6c617cb into main on Jun 25, 2026
12 checks passed
marcusrbrown deleted the security/esbuild-vulnerability-fix branch on June 25, 2026 17:31

Labels

dependencies Dependency updates or security alerts
