chore(DEPS): drop redundant esbuild and tar overrides

TheLastCicada · TheLastCicada · commit 560d2d2f55d3 · 2026-05-08T12:54:13.000-07:00
The esbuild and tar overrides are no longer needed: - @yao-pkg/pkg now requires esbuild@^0.27.3 and tar@^7.5.7 - sqlite3 requires tar@^7.5.10, node-gyp requires tar@^7.5.4 Natural resolution gives esbuild@0.27.7 and tar@7.5.15, both clean per `npm audit`. Pinning to 0.27.3 / 7.5.13 just blocks future patch versions while adding nothing. Existing lockfile resolutions (esbuild@0.27.3, tar@7.5.13) remain unchanged for current installs; only future regenerations pick up newer patches. The diff and mocha.serialize-javascript overrides are kept — without them mocha pulls diff@7.0.0 (low DoS, GHSA-73rr-hh4g-fpgx) and serialize-javascript@6.0.2 (two highs, RCE + DoS).
diff --git a/package.json b/package.json
@@ -122,8 +122,6 @@
   },
   "overrides": {
     "diff": "8.0.3",
-    "esbuild": "0.27.3",
-    "tar": "7.5.13",
     "mocha": {
       "serialize-javascript": "7.0.5"
     }

Original file line number	Diff line number	Diff line change
`@@ -122,8 +122,6 @@`
`122`	`122`	`},`
`123`	`123`	`"overrides": {`
`124`	`124`	`"diff": "8.0.3",`
`125`		`- "esbuild": "0.27.3",`
`126`		`- "tar": "7.5.13",`
`127`	`125`	`"mocha": {`
`128`	`126`	`"serialize-javascript": "7.0.5"`
`129`	`127`	`}`