fix: update esbuild to 0.28.1 to resolve GHSA-gv7w-rqvm-qjhr and GHSA-g7r4-m6w7-qqqr #230
…-g7r4-m6w7-qqqr

Add npm override to force esbuild >= 0.28.1, resolving two Dependabot alerts:
- GHSA-gv7w-rqvm-qjhr (high, CVSS 8.1): missing binary integrity verification
- GHSA-g7r4-m6w7-qqqr (low, CVSS 2.5): arbitrary file read on Windows dev server

esbuild is a transitive dependency pulled in by astro, @astrojs/vercel, and vite.

Co-Authored-By: Oz <oz-agent@warp.dev>
I'm starting a first review of this pull request. You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.
Overview
This PR updates the transitive esbuild installation from 0.27.7 to 0.28.1 via an npm override and refreshes the lockfile entries for the esbuild package and its platform-specific optional packages. The attached spec context states that no approved or repository spec applies.
Concerns
- None found.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Summary

Updates esbuild from 0.27.7 to 0.28.1 by adding an npm overrides entry in package.json. This resolves two Dependabot security alerts:
- GHSA-gv7w-rqvm-qjhr (high, CVSS 8.1): missing binary integrity verification
- GHSA-g7r4-m6w7-qqqr (low, CVSS 2.5): arbitrary file read on Windows dev server

esbuild is a transitive dependency pulled in by astro, @astrojs/vercel, and vite. Dependabot could not auto-update because those packages constrain esbuild to ^0.27.x. The npm overrides field forces esbuild >= 0.28.1 across the entire dependency tree.

Verification

After running npm install --ignore-scripts, npm audit shows no esbuild vulnerabilities.

This PR was generated with Oz.