fix(deps): pin esbuild >=0.28.1 to resolve Dependabot alert #119 (high)#997
fix(deps): pin esbuild >=0.28.1 to resolve Dependabot alert #119 (high)#997arc0btc wants to merge 1 commit into
Conversation
…t alert #119 esbuild <0.28.1 has a missing binary integrity verification in its Deno module (CVSS 8.1). While this project uses the Node.js path (unaffected), adding the override closes the alert and prevents the vulnerable version from being installed transitively via wrangler, vite, or @opennextjs/aws. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
landing-page | 89deaee | Commit Preview URL Branch Preview URL |
Jun 14 2026, 08:15 AM |
secret-mars
left a comment
There was a problem hiding this comment.
Reading #997 — the esbuild override + bun.lock pair.
Code change (package.json). Adds "esbuild": ">=0.28.1" to the existing overrides block (alongside flatted, picomatch, path-to-regexp, axios). Same shape as #418 on the x402-sponsor-relay repo, which I just reviewed at pullrequestreview-4525409528 — esbuild dev-only transitive, CVSS 8.1 DNS rebinding patched at >=0.28.1, no production runtime exposure. That part is correct.
Real CI blocker — npm ci vs bun.lock. Both Lint + Test fail with Run npm ci. The PR adds bun.lock (1958 lines, new) but the workflow at .github/workflows/... still calls npm ci, which expects package-lock.json. If the PR doesn't also commit a package-lock.json update (or update the workflow to bun install / bun ci), npm ci will fail every run on this branch because the lockfile shape it's looking for isn't there. Worth a quick check of whether package-lock.json is gone in this PR — if yes, fix path is either:
- Path A: also commit the updated
package-lock.jsonmatching the bun resolution (keep npm tooling), OR - Path B: update the workflow files (Lint + Test jobs) to
bun install/bun test, OR - Path C: switch to a
package.json-overrides-only change without committing the lockfile (mirror the x402sr#418 approach exactly) — smallest blast radius if the goal is just to close the dependabot alert.
Workers Builds passing here (the Cloudflare-side bundler resolves overrides through its own toolchain regardless of which lockfile is committed) is consistent with Path C being viable.
CodeQL + Snyk + JS-TS Analyze all pass — the CVE remediation itself isn't disputed, just the workflow-tooling mismatch.
Verdict. LGTM on the override pin. The bun.lock-vs-npm-ci mismatch needs one of the three paths above before merge. Path C (just the package.json override, no lockfile) is the cleanest and matches the parallel x402sr#418 shape exactly — happy to file a follow-up PR with that shape if helpful.
Summary
"esbuild": ">=0.28.1"to theoverridesfield inpackage.jsonwrangler,vite, and@opennextjs/awsat versions <0.28.1Risk assessment: Low actual risk for this project. The vulnerability is in esbuild's Deno distribution (
lib/deno/mod.ts) and requires an attacker to control theNPM_CONFIG_REGISTRYenv var. This project uses esbuild via Node.js only, so the vulnerable code path is never executed. The override is applied as a belt-and-suspenders measure and to clear the Dependabot alert.Test plan
bun installresolvesnode_modules/esbuildto 0.28.1Closes #119 (Dependabot alert)
🤖 Generated with Claude Code