fix(deps): clear 2 remaining high npm-audit GHSAs to unblock CI #151

Closed
timoa wants to merge 1 commit into main from fix/npm-audit-2-high

Conversation

timoa (Owner) commented Jun 15, 2026
Summary

Follow-up to PR #150 (already merged). The previous fix cleared the 4 moderate advisories listed in TIM-14, but two high-severity advisories remained and were breaking pnpm audit --audit-level=high in the PR check. This adds the two missing pnpm overrides to bring the audit back to zero high.

| GHSA | Package | Old | New | Mechanism |
|---|---|---|---|---|
| GHSA-gv7w-rqvm-qjhr | esbuild | 0.27.3 | 0.28.1 | new esbuild override >=0.28.1 |
| GHSA-hmw2-7cc7-3qxx | form-data | 4.0.5 | 4.0.6 | new form-data override >=4.0.6 |

Why overrides, not direct dep bumps

  • esbuild: Vite 7.3.5 (the version just merged via Renovate) pins esbuild at 0.27.3. The vulnerable code path is only the Deno entry point of esbuild, which the extension build never uses. The Node.js path (what vite calls) is unchanged in 0.28.1, so a pnpm override is safe and avoids waiting for a vite upstream release.
  • form-data: The only consumer is @vscode/vsce, used only at publish time to talk to the VSCode Marketplace. It never builds multipart bodies from untrusted input, so the CRLF-injection path is unreachable. Override forces the patched version without waiting for a vsce release.

Verification

  • pnpm audit --audit-level=high: exit 0, no high/critical advisories. CI unblocked.
  • pnpm audit (full): 2 advisories remain (down from 7). Both below the high threshold:
    • GHSA-4x5r-pxfx-6jf8 (low) — @babel/core arbitrary file read via sourceMappingURL (transitive of @vitejs/plugin-react).
    • GHSA-h67p-54hq-rp68 (moderate) — js-yaml quadratic-complexity DoS in merge-key handling (transitive of @vscode/vsce>@secretlint/node>...>js-yaml).
  • pnpm test: 201/201 pass (15 files, fast-check fuzz included).
  • pnpm lint: clean.
  • pnpm run compile: tsc clean.
  • pnpm run webpack: production bundle builds successfully.

Refs TIM-14.

Summary by CodeRabbit

  • Chores
    • Updated dependency version constraints to ensure compatibility and stability across the project.
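The description's verification step is the `pnpm audit --audit-level=high` gate, which passes only if every advisory at or above the threshold is covered by an override whose lower bound reaches the patched version. The following is an added example, not code from this PR or from the workflow-editor project: it takes an audit report in the npm v1 `advisories` JSON shape (assumed here to be what `pnpm audit --json` emits) and the `overrides` map from pnpm-workspace.yaml, and lists the advisories at or above a threshold that the overrides leave unresolved. The `Advisory` fields and the report shape are assumptions; the sample report is constructed from the two GHSAs in this PR.

```typescript
// Added example, not code from this PR or the workflow-editor project. Pre-flight
// check for the `pnpm audit --audit-level=high` gate: given an audit report in
// the npm v1 "advisories" JSON shape (assumed to be what `pnpm audit --json`
// emits) and the overrides map from pnpm-workspace.yaml, list advisories at or
// above a threshold whose override lower bound does not reach the patched
// version. `pnpm audit` after `pnpm install` remains the authoritative check.
type Severity = 'low' | 'moderate' | 'high' | 'critical';
const RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };
interface Advisory {
  github_advisory_id: string;
  module_name: string;
  severity: Severity;
  patched_versions: string; // e.g. ">=0.28.1"; only the ">=" form is handled
}
// "x.y.z" -> [x, y, z]; prerelease/build suffixes are dropped for comparison.
function parseVersion(v: string): number[] {
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}
function cmp(a: number[], b: number[]): number {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] ?? 0) - (b[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Lower bound of a ">=x.y.z" range; other syntaxes yield null and count as
// "not proven fixed" rather than being guessed at.
function lowerBound(range: string): number[] | null {
  const m = range.trim().match(/^>=\s*(\d+\.\d+\.\d+\S*)$/);
  return m ? parseVersion(m[1]) : null;
}
function unresolvedAtOrAbove(advisories: Record<string, Advisory>,
                             overrides: Record<string, string>, threshold: Severity): string[] {
  const out: string[] = [];
  for (const id in advisories) {
    const adv = advisories[id];
    if (RANK[adv.severity] < RANK[threshold]) continue;
    const need = lowerBound(adv.patched_versions);
    const have = adv.module_name in overrides ? lowerBound(overrides[adv.module_name]) : null;
    if (need === null || have === null || cmp(have, need) < 0) out.push(adv.github_advisory_id);
  }
  return out;
}
// Constructed sample: the two high advisories this PR clears (ids and versions
// from the PR; the numeric keys are made up) and the two overrides it adds.
const SAMPLE_REPORT: Record<string, Advisory> = {
  '1': { github_advisory_id: 'GHSA-gv7w-rqvm-qjhr', module_name: 'esbuild', severity: 'high', patched_versions: '>=0.28.1' },
  '2': { github_advisory_id: 'GHSA-hmw2-7cc7-3qxx', module_name: 'form-data', severity: 'high', patched_versions: '>=4.0.6' },
};
const OVERRIDES: Record<string, string> = { esbuild: '>=0.28.1', 'form-data': '>=4.0.6' };
```

With both overrides present the function returns an empty list at the `high` threshold; dropping the form-data override or lowering the esbuild bound to the pinned 0.27.3 reports the corresponding GHSA as still open.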

The previous fix (PR #150) cleared the 4 moderate advisories listed
in TIM-14, but two high-severity advisories remained and broke
'pnpm audit --audit-level=high' in the PR check. This adds the
two missing pnpm overrides to bring the audit back to zero high.

- GHSA-gv7w-rqvm-qjhr — esbuild: missing binary integrity check in
  the Deno module enables RCE via NPM_CONFIG_REGISTRY. Vite
  7.3.5 pins esbuild at 0.27.3, but the vulnerable code path is
  only the Deno entry point, which the extension build never uses.
  New top-level 'esbuild: >=0.28.1' override (0.27.3 -> 0.28.1).
- GHSA-hmw2-7cc7-3qxx — form-data: CRLF injection in multipart
  field names and filenames (>=4.0.0 <4.0.6). The only consumer
  is @vscode/vsce's publish flow, which never builds multipart
  requests from untrusted input. New top-level
  'form-data: >=4.0.6' override (4.0.5 -> 4.0.6).

Result of 'pnpm audit --audit-level=high': 0 high, 0 critical.
The remaining 2 advisories (1 low @babel/core, 1 moderate js-yaml)
are below the high threshold and pass CI.

Verification:
- pnpm audit --audit-level=high: exit 0, no high/critical.
- pnpm audit (full): 2 vulnerabilities (was 7), 1 low + 1 moderate.
- pnpm test: 201/201 pass.
- pnpm lint: clean.
- pnpm run compile: tsc clean.
- pnpm run webpack: production bundle builds successfully.

Refs TIM-14 (follow-up to PR #150).
coderabbitai (bot) commented Jun 15, 2026

📝 Walkthrough

Two minimum version constraints are added to the overrides block in pnpm-workspace.yaml: esbuild is pinned to >=0.28.1 and form-data to >=4.0.6.

Changes

Dependency Version Overrides

| Layer / File(s) | Summary |
|---|---|
| Add esbuild and form-data overrides (pnpm-workspace.yaml) | Two new entries added under overrides enforcing minimum versions: esbuild >=0.28.1 and form-data >=4.0.6. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • timoa/workflow-editor#144: Also modifies pnpm-workspace.yaml overrides to add lower-bound version constraints for vulnerable packages, directly overlapping with this change at the same config level.

Suggested labels

released

🐇 Two little versions, now locked in place,
esbuild and form-data set a minimum pace.
No older culprits sneaking through the door,
The workspace file guards what we're looking for!
Hop hop hooray, the overrides hold the line~ 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The description provides comprehensive context about the PR objectives, verification results, and technical rationale, but does not follow the repository's template structure with required sections. | Reformat the description to follow the template: add 'Description' section, specify 'Type of change' (Dependency update), and complete the 'Checklist' sections with confirmation of testing and build validation. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: fixing two high-severity npm-audit GHSAs by adding pnpm overrides for esbuild and form-data. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


github-actions (bot) commented

No React Doctor issues found. 🎉

Reviewed by React Doctor for commit 80a042a.

codecov (bot) commented Jun 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.13%. Comparing base (21d2b67) to head (80a042a).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #151   +/-   ##
=======================================
  Coverage   94.13%   94.13%           
=======================================
  Files          10       10           
  Lines         290      290           
  Branches      105      105           
=======================================
  Hits          273      273           
  Misses          1        1           
  Partials       16       16           


coderabbitai (bot) left a comment

🧹 Nitpick comments (1)
pnpm-workspace.yaml (1)

36-37: ⚡ Quick win

Consider adding inline comments documenting the GHSA references and rationale.

Following the precedent set by the eslint>ajv entry (lines 19-23), adding brief comments would help future maintainers understand why these overrides exist and when they might be safe to remove:

  • esbuild: GHSA-gv7w-rqvm-qjhr affects only the Deno entry point; the Node.js path remains safe
  • form-data: GHSA-hmw2-7cc7-3qxx CRLF injection is unreachable in vsce's publish-time usage
📝 Example documentation format
  tmp: '>=0.2.6'
+ # GHSA-gv7w-rqvm-qjhr (esbuild): Deno-only vulnerability; Node.js path
+ # used by the extension build is unaffected. Override safe until Vite
+ # upstream updates (currently pins 0.27.3).
  esbuild: '>=0.28.1'
+ # GHSA-hmw2-7cc7-3qxx (form-data): CRLF injection unreachable in vsce's
+ # publish-time Marketplace operations. Override safe until vsce updates
+ # from 4.0.5.
  form-data: '>=4.0.6'
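Review bot: the removal trigger in both suggested comments is imprecise, so tie each to the dependency that actually pins the vulnerable version. For the esbuild entry, name the Vite release carrying the pin (the PR description states that Vite 7.3.5 pins esbuild at 0.27.3), e.g. `# Drop once vite (7.3.5 pins esbuild 0.27.3) ships esbuild >=0.28.1`. For the form-data entry, "until vsce updates from 4.0.5" reads as a vsce version, but 4.0.5 is the form-data version vsce currently resolves; say `# Drop once @vscode/vsce depends on form-data >=4.0.6` instead. A GHSA plus an explicit removal condition per entry is what makes the eslint>ajv precedent useful to a maintainer deciding when an override is dead weight.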

📥 Commits

Reviewing files that changed from the base of the PR and between 21d2b67 and 80a042a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml

timoa (Owner, Author) commented Jun 15, 2026

Superseded by the comprehensive TIM-16 fix. Closing this partial 2-of-4 advisory fix.
