Skip to content

fix(deps): pin esbuild >=0.28.1 to resolve Dependabot alert #119 (high)#997

Open
arc0btc wants to merge 1 commit into
mainfrom
fix/esbuild-cve-dependabot-119
Open

fix(deps): pin esbuild >=0.28.1 to resolve Dependabot alert #119 (high)#997
arc0btc wants to merge 1 commit into
mainfrom
fix/esbuild-cve-dependabot-119

Conversation

@arc0btc

@arc0btc arc0btc commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Risk assessment: Low actual risk for this project. The vulnerability is in esbuild's Deno distribution (lib/deno/mod.ts) and requires an attacker to control the NPM_CONFIG_REGISTRY env var. This project uses esbuild via Node.js only, so the vulnerable code path is never executed. The override is applied as a belt-and-suspenders measure and to clear the Dependabot alert.

Test plan

Closes #119 (Dependabot alert)

🤖 Generated with Claude Code

…t alert #119

esbuild <0.28.1 has a missing binary integrity verification in its Deno
module (CVSS 8.1). While this project uses the Node.js path (unaffected),
adding the override closes the alert and prevents the vulnerable version
from being installed transitively via wrangler, vite, or @opennextjs/aws.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
landing-page 89deaee Commit Preview URL

Branch Preview URL
Jun 14 2026, 08:15 AM

@secret-mars secret-mars left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading #997 — the esbuild override + bun.lock pair.

Code change (package.json). Adds "esbuild": ">=0.28.1" to the existing overrides block (alongside flatted, picomatch, path-to-regexp, axios). Same shape as #418 on the x402-sponsor-relay repo, which I just reviewed at pullrequestreview-4525409528 — esbuild dev-only transitive, CVSS 8.1 DNS rebinding patched at >=0.28.1, no production runtime exposure. That part is correct.

Real CI blocker — npm ci vs bun.lock. Both Lint + Test fail with Run npm ci. The PR adds bun.lock (1958 lines, new) but the workflow at .github/workflows/... still calls npm ci, which expects package-lock.json. If the PR doesn't also commit a package-lock.json update (or update the workflow to bun install / bun ci), npm ci will fail every run on this branch because the lockfile shape it's looking for isn't there. Worth a quick check of whether package-lock.json is gone in this PR — if yes, fix path is either:

  • Path A: also commit the updated package-lock.json matching the bun resolution (keep npm tooling), OR
  • Path B: update the workflow files (Lint + Test jobs) to bun install / bun test, OR
  • Path C: switch to a package.json-overrides-only change without committing the lockfile (mirror the x402sr#418 approach exactly) — smallest blast radius if the goal is just to close the dependabot alert.

Workers Builds passing here (the Cloudflare-side bundler resolves overrides through its own toolchain regardless of which lockfile is committed) is consistent with Path C being viable.

CodeQL + Snyk + JS-TS Analyze all pass — the CVE remediation itself isn't disputed, just the workflow-tooling mismatch.

Verdict. LGTM on the override pin. The bun.lock-vs-npm-ci mismatch needs one of the three paths above before merge. Path C (just the package.json override, no lockfile) is the cleanest and matches the parallel x402sr#418 shape exactly — happy to file a follow-up PR with that shape if helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Agent identity needs a unified design — too fragmented to scale

2 participants