Commit deb063c
fix(sdk,deps): force esbuild >=0.28.1 to clear GHSA-gv7w-rqvm-qjhr (HIGH)
Dependabot alert #5: esbuild 0.27.7 (transitive dev dep via tsup and
vitest->vite) is vulnerable to GHSA-gv7w-rqvm-qjhr — missing binary integrity
verification in the Deno module enables RCE via NPM_CONFIG_REGISTRY (patched in
0.28.1). The actual exploit path doesn't apply here (esbuild is used via Node,
not Deno, and is build-only — never shipped in the published bundle), but it's
a HIGH advisory and trivially fixable.
Add an npm override pinning esbuild to ^0.28.1; both tsup and vite now resolve
to 0.28.1. Build (tsup ESM/CJS/DTS), typecheck, and the full vitest suite
(76 tests) all pass on the bumped version. npm audit reports no remaining
high-severity issues.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent 565aaa4 commit deb063c
2 files changed
Lines changed: 110 additions & 107 deletions
0 commit comments