fix(security): remediate esbuild vulnerability#2292
Conversation
Rebased onto main. The PR branch was 24 commits behind. Action taken this run:
Status: PR is now MERGEABLE with all 11 required checks SUCCESS (Quality Check, Advanced Security Analysis, Container Scan, copilot-setup-steps, Review Dependencies, License Scan, Triage, Renovate, GitGuardian Scan, CodeQL — SKIPPED: Create Renovate Changeset, Fro Bot, Release, as expected for branch PRs). Awaiting human review and merge to resolve Dependabot alert #51 (esbuild LOW).
@fro-bot rebase and update this PR

@fro-bot rebase and update this PR
Force esbuild >=0.28.1 via pnpm-workspace.yaml overrides to fix:
- GHSA-#52: HIGH severity - Missing binary integrity verification in Deno module
- GHSA-#51: LOW severity - Arbitrary file read on Windows development server

Vulnerable range: >=0.17.0 <0.28.1
Patched range: >=0.28.1

Updates lockfile to resolve both transitive esbuild paths:
- .>tsx>esbuild (0.28.0 -> 0.28.1)
- .github__actions__renovate-changesets>tsup>esbuild (0.27.7 -> 0.28.1)

Fixes: #1959 (security section)

787eb64 to 85b8609
Rebased onto main. PR branch was 32 commits behind. Action taken this run:
Verification:
Status: Awaiting CI re-run and human review/merge. Dependabot alerts #51 (LOW) and #52 (HIGH) are addressed by the esbuild override.

Security Fix
This PR remediates two esbuild vulnerabilities identified by Dependabot:
Vulnerabilities
Fix
Force esbuild >=0.28.1 via pnpm-workspace.yaml overrides.
Vulnerable range: >=0.17.0 <0.28.1
Patched range: >=0.28.1
Transitive paths updated
Verification
Notes
This is a minimal security fix. No bulk dependency updates. Only the esbuild override was added to resolve the confirmed high-severity advisory.
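The override described under "Fix" pins esbuild through the `overrides` section of pnpm-workspace.yaml, but the thing a reviewer actually wants to confirm under "Verification" is that no entry in the regenerated pnpm-lock.yaml still resolves to the vulnerable range >=0.17.0 <0.28.1, including transitive copies pulled in by tsx and tsup. The following check is an added example and is not code from this PR or the project: it scans lockfile package keys (`esbuild@<version>:` in lockfile v9, `/esbuild@<version>:` in v6) and reports any version inside the advisory's vulnerable range. The two lockfile fragments are constructed for illustration, with the same before/after versions the commit message lists; integrity hashes are placeholders.

```python
import re

# Vulnerable and patched ranges as stated in the advisory summary in this PR.
VULNERABLE_MIN = (0, 17, 0)   # first vulnerable version (inclusive)
PATCHED_MIN = (0, 28, 1)      # first patched version (exclusive upper bound)

# Matches package keys such as "  esbuild@0.28.0:" (lockfile v9) or
# "  /esbuild@0.28.0:" (lockfile v6). Platform binaries like
# "@esbuild/linux-x64@0.28.0:" are deliberately not matched, and the
# dependency pointer form "esbuild: 0.28.0" has no "@", so it is skipped too.
_ESBUILD_KEY = re.compile(r"^\s*/?esbuild@(\d+)\.(\d+)\.(\d+):", re.MULTILINE)


def find_esbuild_versions(lock_text):
    """Return every distinct esbuild version keyed in the lockfile, sorted."""
    return sorted({tuple(int(n) for n in m.groups())
                   for m in _ESBUILD_KEY.finditer(lock_text)})


def is_vulnerable(version):
    """True if a (major, minor, patch) tuple falls in >=0.17.0 <0.28.1."""
    return VULNERABLE_MIN <= version < PATCHED_MIN


def vulnerable_esbuild_versions(lock_text):
    """List (as strings) every esbuild version in the lockfile still in range."""
    return [".".join(map(str, v))
            for v in find_esbuild_versions(lock_text) if is_vulnerable(v)]


# Constructed lockfile fragment modelling the state before the override:
# tsx and tsup each pulled their own transitive esbuild.
LOCK_BEFORE = """\
lockfileVersion: '9.0'
packages:
  esbuild@0.27.7:
    resolution: {integrity: sha512-PLACEHOLDER}
  esbuild@0.28.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  tsup@8.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  tsx@4.19.0:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  esbuild@0.27.7: {}
  esbuild@0.28.0: {}
  tsup@8.0.0:
    dependencies:
      esbuild: 0.27.7
  tsx@4.19.0:
    dependencies:
      esbuild: 0.28.0
"""

# Constructed lockfile fragment after the override: both paths collapse
# onto the single patched release.
LOCK_AFTER = """\
lockfileVersion: '9.0'
overrides:
  esbuild: '>=0.28.1'
packages:
  esbuild@0.28.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  tsup@8.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  tsx@4.19.0:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  esbuild@0.28.1: {}
  tsup@8.0.0:
    dependencies:
      esbuild: 0.28.1
  tsx@4.19.0:
    dependencies:
      esbuild: 0.28.1
"""


if __name__ == "__main__":
    # On a real repository, read pnpm-lock.yaml instead of the constructed text.
    for label, text in (("before", LOCK_BEFORE), ("after", LOCK_AFTER)):
        bad = vulnerable_esbuild_versions(text)
        print(f"{label}: vulnerable esbuild versions = {bad or 'none'}")
```

Running it against the real lockfile (replace the constructed text with the contents of pnpm-lock.yaml) gives a non-empty list exactly when some transitive path still resolves to a vulnerable build, which is the condition a CI gate can fail on; an empty list is what this PR's lockfile update should produce.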