fix(deps): pin esbuild >=0.28.1 (Dependabot GHSA-gv7w-rqvm-qjhr)#63
esbuild resolved transitively to 0.28.0, vulnerable to two advisories patched in 0.28.1: GHSA-gv7w-rqvm-qjhr (HIGH — missing binary integrity verification in the Deno module enables RCE via NPM_CONFIG_REGISTRY) and GHSA-g7r4-m6w7-qqqr (low — arbitrary file read via the dev server on Windows). Add an overrides entry forcing esbuild ^0.28.1; npm audit now reports 0 vulnerabilities. esbuild is build/dev tooling only (not a runtime dependency).
Summary
Dependabot flagged esbuild (resolved transitively to 0.28.0) for two advisories, both patched in 0.28.1:

- GHSA-gv7w-rqvm-qjhr (HIGH): missing binary integrity verification in the Deno module enables RCE via `NPM_CONFIG_REGISTRY`
- GHSA-g7r4-m6w7-qqqr (low): arbitrary file read via the dev server on Windows

Added an `overrides` entry forcing `esbuild ^0.28.1` (consistent with the repo's existing transitive pins for hono/fast-uri/postcss/brace-expansion). esbuild is build/dev tooling only — not a runtime dependency (pulled by Prisma, lightningcss/tailwind, vitest, testcontainers).

Verification

- `package-lock.json` now resolves esbuild to 0.28.1 everywhere (0 entries below)
- `npm audit` → 0 vulnerabilities
- `tsc` clean; 533 tests pass; `next build` ok

These were the only two open Dependabot alerts on the repo; this clears both.