
fix: upgrade esbuild to 0.25.x to resolve GHSA-67mh-4wv8-2f99#378

Merged
mchmarny merged 2 commits into main from fix/esbuild-vulnerability
Mar 12, 2026

Conversation

@mchmarny (Member)

Summary

  • Adds npm overrides for esbuild ^0.25.0 to fix GHSA-67mh-4wv8-2f99 (Medium severity, esbuild <0.25.0)
  • Bumps site dependencies: vitepress 1.6.4, mermaid 11.13.0, vue 3.5.30
  • Removes the grype ignore entry for GHSA-67mh-4wv8-2f99 since the vulnerability is now resolved at source

Why overrides? Vitepress 1.x (latest stable) depends on Vite 5.x which pins esbuild to ^0.21.3. Vitepress 2.x is alpha-only. The npm override forces esbuild >=0.25.0 without requiring an unstable vitepress upgrade.

Test plan

  • npm install resolves esbuild 0.25.12 (verified via npm ls esbuild)
  • npm audit reports 0 vulnerabilities
  • npm run build completes successfully
  • CI scan passes without grype ignore for GHSA-67mh-4wv8-2f99

Override esbuild to ^0.25.0 via npm overrides since vitepress 1.x
pins vite 5.x which caps esbuild at ^0.21.3. Also bumps vitepress
to 1.6.4, mermaid to 11.13.0, vue to 3.5.30, and removes the grype
ignore entry now that the vulnerability is resolved at source.
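One way to confirm that an npm override was honoured everywhere in the tree, not just at the top level, as an added example that is not code from this PR or from the project: the script reads the `overrides` entry from package.json, walks the dependency tree in the shape `npm ls --all --json` reports (nested `dependencies` objects with a `version` field), and lists every copy of the package whose version is below the override floor. The package.json, the tree and the `some-plugin` package are constructed samples; the range parser only handles the `^`, `~`, `>=` and exact forms used in overrides, not full semver.

```javascript
// Added example (not from the PR or the project): verify that an npm "overrides"
// entry took effect for every occurrence of the package in the installed tree.

// Constructed package.json: the override pins esbuild above the vite 5.x floor.
const packageJson = {
  name: "docs-site",
  devDependencies: { vitepress: "^1.6.4", mermaid: "^11.13.0", vue: "^3.5.30" },
  // Forces esbuild >= 0.25.0 even though vite 5.x declares ^0.21.3.
  overrides: { esbuild: "^0.25.0" },
};

// Constructed `npm ls --all --json` output: one esbuild under vite (overridden),
// one under a hypothetical plugin that still resolved the old line.
const sampleTree = {
  name: "docs-site",
  dependencies: {
    vitepress: {
      version: "1.6.4",
      dependencies: {
        vite: {
          version: "5.4.0",
          dependencies: { esbuild: { version: "0.25.12" } },
        },
      },
    },
    "some-plugin": { // hypothetical package, constructed for the example
      version: "1.0.0",
      dependencies: { esbuild: { version: "0.21.5" } },
    },
  },
};

// Parse "major.minor.patch" into numbers; prerelease tags are dropped for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two versions numerically, component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lowest version admitted by a simple range: "^x.y.z", "~x.y.z", ">=x.y.z" or "x.y.z".
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Collect every occurrence of `name` in the tree, with the path that leads to it.
function findPackage(node, name, path = [], found = []) {
  const deps = node.dependencies || {};
  for (const [depName, dep] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name) found.push({ path: here.join(" > "), version: dep.version });
    findPackage(dep, name, here, found);
  }
  return found;
}

// Check one override entry: returns the floor, every occurrence, and those below it.
function checkOverride(pkgJson, tree, name) {
  const range = (pkgJson.overrides || {})[name];
  if (!range) throw new Error(`no override for ${name} in package.json`);
  const floor = rangeFloor(range);
  const occurrences = findPackage(tree, name);
  const violations = occurrences.filter((o) => compareVersions(o.version, floor) < 0);
  return { floor, occurrences, violations };
}

// Human-readable report, one line per occurrence.
function report(pkgJson, tree, name) {
  const r = checkOverride(pkgJson, tree, name);
  const lines = r.occurrences.map(
    (o) => `${o.path}@${o.version} ${compareVersions(o.version, r.floor) < 0 ? "BELOW" : "ok"} (floor ${r.floor})`
  );
  return lines.join("\n");
}

console.log(report(packageJson, sampleTree, "esbuild"));
```

Against a real project, replace `sampleTree` with `JSON.parse` of the `npm ls --all --json` output; a non-empty `violations` list means some dependency still resolved the vulnerable line and the override (or the lockfile) needs attention, which is the condition the test plan's `npm ls esbuild` step rules out.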
@mchmarny mchmarny requested a review from a team as a code owner March 12, 2026 11:46
@mchmarny mchmarny requested review from dims and lalitadithya March 12, 2026 11:46
@mchmarny mchmarny self-assigned this Mar 12, 2026
@mchmarny mchmarny added the priority/critical Critical priority label Mar 12, 2026
@github-actions

github-actions bot commented Mar 12, 2026

Coverage Report ✅

| Metric | Value |
|---|---|
| Coverage | 73.3% |
| Threshold | 70% |
| Status | Pass |

Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-73.3%25-green)

No Go source files changed in this PR.

@mchmarny mchmarny added this to the M1 - Repo Opening milestone Mar 12, 2026
@mchmarny mchmarny enabled auto-merge (squash) March 12, 2026 11:53
@mchmarny mchmarny merged commit 0846193 into main Mar 12, 2026
24 checks passed
@mchmarny mchmarny deleted the fix/esbuild-vulnerability branch March 12, 2026 11:55
xdu31 pushed a commit to xdu31/aicr that referenced this pull request Mar 24, 2026