
fix(deps): add esbuild override >=0.28.1 to fix GHSA-gv7w-rqvm-qjhr #30

Merged
davidkonigsberg merged 3 commits into main from dependabot-alert-25-devin on Jun 15, 2026


Conversation

@github-actions github-actions Bot (Contributor) commented Jun 15, 2026

Summary

Fixes Dependabot Alert #25 — esbuild missing binary integrity verification (GHSA-gv7w-rqvm-qjhr, severity HIGH).

esbuild is a transitive optional dependency via vite. The vulnerable range is >= 0.17.0, < 0.28.1. No version of vite 6.x pins esbuild above the vulnerable range.

Fix: Add an npm overrides entry (consistent with the existing undici override) to pin esbuild to >=0.28.1:

  "overrides": {
    "undici": "^6.24.1",
+   "esbuild": ">=0.28.1"
  }
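Review bot: `">=0.28.1"` is an open-ended floor, not a pin, even though the description above says the override "pins" esbuild; any future esbuild major, with whatever API changes it carries, will float in on the next install, and since the description also notes that no vite 6.x release declares a range reaching 0.28.1, the override is already forcing a version outside what vite asks for, so the passing ncc build is the only compatibility evidence. Consider a caret range (`"esbuild": "^0.28.1"`) and confirm the regenerated package-lock.json resolves every esbuild entry to 0.28.1 or later (`npm ls esbuild`, `npm audit`) before relying on the alert closing.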

All 12 tests pass, lint clean, ncc build succeeds.

Link to Devin session: https://app.devin.ai/sessions/aa165ad3900b412889291ce9dd78a85a
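A check for the override's effect, added here as an example and not code from the PR or the repository: it walks a package-lock.json (either the v1 `dependencies` tree or the v2/v3 `packages` map), lists every installed copy of esbuild, and flags any whose version falls in the advisory range quoted above (>= 0.17.0, < 0.28.1). The lockfile fragments inside are constructed for illustration; the package name `example-action`, the versions and the paths are assumptions, not data from the project.

```javascript
// Added example, not part of the PR or project. Checks whether every
// esbuild copy recorded in a package-lock.json is outside the vulnerable
// range quoted in the PR description (>= 0.17.0, < 0.28.1).
const VULNERABLE_RANGE = { min: "0.17.0", fixed: "0.28.1" };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing numerically component by component.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version is inside [min, fixed) of the advisory.
function isVulnerable(version) {
  return compareSemver(version, VULNERABLE_RANGE.min) >= 0 &&
         compareSemver(version, VULNERABLE_RANGE.fixed) < 0;
}

// lockfileVersion 1: nested "dependencies" objects, walked recursively.
function walkV1(deps, prefix, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "esbuild") {
      out.push({ path, version: meta.version, optional: Boolean(meta.optional) });
    }
    walkV1(meta.dependencies, `${path}/`, out);
  }
}

// Every installed esbuild copy, hoisted or nested, with its lockfile path.
function findEsbuildEntries(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/esbuild" || path.endsWith("/node_modules/esbuild")) {
        out.push({ path, version: meta.version, optional: Boolean(meta.optional) });
      }
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

function audit(lock) {
  const entries = findEsbuildEntries(lock);
  return { entries, vulnerable: entries.filter((e) => isVulnerable(e.version)) };
}

// Convenience wrapper for the text of a real lockfile.
function auditLockfileJson(text) {
  return audit(JSON.parse(text));
}

// Constructed sample (not real data): vite 6 with its own nested esbuild,
// i.e. what the tree looks like before the override takes effect.
const beforeOverride = {
  name: "example-action", lockfileVersion: 3,
  packages: {
    "": { name: "example-action", dependencies: { vite: "^6.4.2" } },
    "node_modules/vite": { version: "6.4.2", dependencies: { esbuild: "^0.24.0" } },
    "node_modules/vite/node_modules/esbuild": { version: "0.24.2", optional: true },
  },
};

// Constructed sample (not real data): after reinstalling with the override,
// a single hoisted esbuild at the patched floor.
const afterOverride = {
  name: "example-action", lockfileVersion: 3,
  packages: {
    "": { name: "example-action", dependencies: { vite: "^6.4.2" }, overrides: { esbuild: ">=0.28.1" } },
    "node_modules/vite": { version: "6.4.2", dependencies: { esbuild: "^0.24.0" } },
    "node_modules/esbuild": { version: "0.28.1", optional: true },
  },
};

// Constructed sample (not real data) in the legacy v1 shape.
const legacyLockfile = {
  name: "example-action", lockfileVersion: 1,
  dependencies: {
    vite: { version: "6.4.2", requires: { esbuild: "^0.24.0" },
            dependencies: { esbuild: { version: "0.24.2", optional: true } } },
  },
};

for (const [label, lock] of [["before", beforeOverride], ["after", afterOverride], ["v1", legacyLockfile]]) {
  const { vulnerable } = audit(lock);
  console.log(`${label}: ${vulnerable.length} vulnerable esbuild entr${vulnerable.length === 1 ? "y" : "ies"}`,
              vulnerable.map((e) => `${e.path}@${e.version}`));
}
```

Run it against the real lockfile with `auditLockfileJson(require("fs").readFileSync("package-lock.json", "utf8"))`. An override that only exists in package.json, without a reinstall that regenerates the lockfile, still shows the nested vite copy here, which is why the lockfile rather than the override entry is the thing to check before closing the alert.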

github-actions Bot and others added 2 commits June 15, 2026 13:05
Upgrade vite from ^6.4.2 to ^8.0.16. Vite 8 dropped esbuild as a
dependency (replaced by rolldown), which eliminates the vulnerable
esbuild versions (>= 0.17.0, < 0.28.1) from the dependency tree
entirely.

No overrides needed — the transitive dependency is simply gone.
devin-ai-integration Bot changed the title from "[Dependabot Alert #25] HIGH: esbuild vulnerability" to "fix(deps): upgrade vite to v8 to fix esbuild CVE (GHSA-gv7w-rqvm-qjhr)" Jun 15, 2026
devin-ai-integration Bot marked this pull request as ready for review June 15, 2026 13:08
Add npm override for esbuild to resolve Dependabot alert #25.
esbuild is a transitive optional dependency via vite. The override
pins it to the patched version (>=0.28.1) without changing vite's
major version.

Reverts the vite v6->v8 upgrade in favor of this smaller change.
devin-ai-integration Bot changed the title from "fix(deps): upgrade vite to v8 to fix esbuild CVE (GHSA-gv7w-rqvm-qjhr)" to "fix(deps): add esbuild override >=0.28.1 to fix GHSA-gv7w-rqvm-qjhr" Jun 15, 2026
davidkonigsberg merged commit 4d62f83 into main Jun 15, 2026
1 check passed
davidkonigsberg deleted the dependabot-alert-25-devin branch June 15, 2026 13:36