Skip to content

Commit deb063c

Browse files
wolpertclaude
andcommitted
fix(sdk,deps): force esbuild >=0.28.1 to clear GHSA-gv7w-rqvm-qjhr (HIGH)
Dependabot alert #5: esbuild 0.27.7 (transitive dev dep via tsup and vitest->vite) is vulnerable to GHSA-gv7w-rqvm-qjhr — missing binary integrity verification in the Deno module enables RCE via NPM_CONFIG_REGISTRY (patched in 0.28.1). The actual exploit path doesn't apply here (esbuild is used via Node, not Deno, and is build-only — never shipped in the published bundle), but it's a HIGH advisory and trivially fixable. Add an npm override pinning esbuild to ^0.28.1; both tsup and vite now resolve to 0.28.1. Build (tsup ESM/CJS/DTS), typecheck, and the full vitest suite (76 tests) all pass on the bumped version. npm audit reports no remaining high-severity issues. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 565aaa4 commit deb063c

2 files changed

Lines changed: 110 additions & 107 deletions

File tree

0 commit comments

Comments
 (0)