📦 deps(security): pin esbuild to 0.28.1 (GHSA-g7r4-m6w7-qqqr, GHSA-gv7w-rqvm-qjhr) #431
Merged
Conversation
Forces esbuild >=0.28.1 via npm overrides to resolve GHSA-g7r4-m6w7-qqqr (dev-server path traversal, Windows) and GHSA-gv7w-rqvm-qjhr (Deno module RCE), both first patched in 0.28.1. esbuild is transitive via vite (apps/demo) and fumadocs-mdx (apps/web); both cap it at <0.28.0, so an override is the only way to reach the fix. The vulnerable surface (esbuild dev server / Deno module) is not exercised by drydock's build.
biggest-littlest
approved these changes
Jun 13, 2026
biggest-littlest
left a comment
Member
Verified: esbuild pinned to 0.28.1 via npm overrides (patches GHSA-g7r4-m6w7-qqqr, GHSA-gv7w-rqvm-qjhr). qlty security gate passes; 🏗️ Build green with the forced bump; lockfile diff is esbuild-scoped only.
ALARGECOMPANY
approved these changes
Jun 13, 2026
ALARGECOMPANY
left a comment
Member
Confirmed esbuild override resolves both advisories with no collateral lockfile changes; CI Lint/Test/Build all green. Approving.
Summary

Resolves two esbuild security advisories flagged by osv-scanner in apps/demo and apps/web:

- GHSA-g7r4-m6w7-qqqr (dev-server path traversal, Windows)
- GHSA-gv7w-rqvm-qjhr (Deno module RCE)

Both are first patched in esbuild 0.28.1. esbuild is pulled in transitively (vite@^7.3.1 in apps/demo and fumadocs-mdx in apps/web), and both cap it at <0.28.0, so a normal dependency bump can't reach the fix. This pins it via an npm overrides entry in each app (the same mechanism both apps already use for postcss/yaml).

Risk

Low. The vulnerable surface (esbuild's dev server and Deno module) is not exercised by drydock's build pipeline; esbuild is used only as vite/fumadocs' build-time transformer. The override forces 0.28.1 above vite's declared ^0.27.0 range; the 🏗️ Build check verifies vite/Next still build cleanly in full monorepo context.

Verification

Diff is surgical: only the two package.json overrides + the esbuild/@esbuild/* version lines in each lockfile (0.27.4 → 0.28.1). No other dependencies changed.

🎯 Target: main · follow-up to the qlty finding surfaced while opening #429
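An added example, not drydock's code and not part of this PR: a Node script that checks whether an npm overrides pin for a transitive dependency actually took effect in package-lock.json. It looks at every nesting depth (a nested node_modules/vite/node_modules/esbuild copy would be a second, possibly unpatched, install that "npm ls esbuild" also surfaces) and at the platform-specific @esbuild/* packages, which must match the esbuild core version. The package.json and lockfile inputs are constructed samples in npm's lockfileVersion 3 layout; the function names and the minimum version constant are assumptions for illustration.

```javascript
// Added example (not drydock's code): verify that an npm "overrides" pin for a
// transitive dependency took effect in package-lock.json, including nested copies
// and the @esbuild/* platform binaries. All inputs below are constructed samples.

const MIN_VERSION = "0.28.1"; // first esbuild release patching both advisories (per the PR)

// Constructed: an app's package.json carrying the override the PR adds.
const samplePackageJson = {
  name: "demo",
  dependencies: { vite: "^7.3.1" },
  overrides: { esbuild: ">=0.28.1" },
};

// Constructed: lockfileVersion 3 excerpt. npm keys installed packages by their
// node_modules path; a nested path would be a second copy of the dependency.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", dependencies: { vite: "^7.3.1" } },
    "node_modules/vite": { version: "7.3.1", dependencies: { esbuild: "^0.27.0" } },
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/@esbuild/linux-x64": { version: "0.28.1", optional: true },
    "node_modules/@esbuild/win32-x64": { version: "0.28.1", optional: true },
  },
};

// Numeric major.minor.patch compare; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry that is esbuild itself or an @esbuild/* platform package,
// at any nesting depth (matches ".../node_modules/esbuild" but not "esbuild-loader").
function esbuildEntries(lockfile) {
  return Object.entries(lockfile.packages || {}).filter(([path]) =>
    /(^|\/)node_modules\/(esbuild|@esbuild\/[^/]+)$/.test(path)
  );
}

// Checks that the override is declared, that every esbuild-family entry is at or
// above minVersion, and that they all share one version (a mismatched @esbuild/*
// binary fails at load time). Returns { ok, problems }.
function checkEsbuildPin(pkg, lockfile, minVersion = MIN_VERSION) {
  const problems = [];
  if (!(pkg.overrides && pkg.overrides.esbuild)) {
    problems.push("package.json has no overrides.esbuild entry");
  }

  const entries = esbuildEntries(lockfile);
  if (entries.length === 0) problems.push("lockfile contains no esbuild packages");

  const versions = new Set();
  for (const [path, entry] of entries) {
    versions.add(entry.version);
    if (compareVersions(entry.version, minVersion) < 0) {
      problems.push(`${path} resolves to ${entry.version} (< ${minVersion})`);
    }
  }
  if (versions.size > 1) {
    problems.push(`esbuild family resolves to mixed versions: ${[...versions].join(", ")}`);
  }
  return { ok: problems.length === 0, problems };
}

// Assumed helper for real use: point it at an app directory containing
// package.json and package-lock.json (not invoked here, so the demo runs offline).
function checkProject(dir) {
  const fs = require("fs");
  const path = require("path");
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  const lock = JSON.parse(fs.readFileSync(path.join(dir, "package-lock.json"), "utf8"));
  return checkEsbuildPin(pkg, lock);
}

// Demo on the constructed inputs.
const demo = checkEsbuildPin(samplePackageJson, sampleLockfile);
console.log(demo.ok ? "esbuild pin OK" : demo.problems.join("\n"));
```

Run it per app (apps/demo, apps/web) after the override lands and the lockfile is regenerated; a non-empty problems list means the override did not reach every copy. Note that the overrides field is npm-specific: pnpm reads pnpm.overrides and Yarn reads resolutions, so a workspace installed with another package manager needs the equivalent key.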