
Pin esbuild to patched version / Pin esbuild to a secure version #4323

Merged

esengine merged 1 commit into main-v2 from fix/esbuild-security-override on Jun 14, 2026

Conversation

@SivanCola

Collaborator

Summary

  • Pin transitive esbuild resolution to 0.28.1 with npm/pnpm overrides for the site, crash report worker, and desktop frontend.
  • Refresh npm and pnpm lockfiles so Dependabot resolves the patched esbuild release.
  • Keep Astro, Wrangler, and Vite versions unchanged to avoid a broader framework upgrade while upstream dependency ranges catch up.

Related PRs

Verification

  • npm audit --json in site, workers/crash-report, and desktop/frontend
  • pnpm audit --audit-level low in desktop/frontend
  • npm run build in site
  • npm run typecheck in workers/crash-report
  • wails generate module followed by npm run build in desktop/frontend
  • npm test in desktop/frontend

Pin transitive esbuild resolution to 0.28.1 across the site, crash report worker, and desktop frontend dependency graphs.

This addresses the GitHub Advisory Database alerts for vulnerable esbuild versions while avoiding unrelated framework upgrades.

Co-authored-by: SivanCola <32437197+SivanCola@users.noreply.github.com>
@SivanCola SivanCola requested a review from esengine as a code owner June 13, 2026 18:39
@github-actions Bot added labels "v2" (Go rewrite (1.x) — main-v2 branch, active development) and "desktop" (Wails desktop app, desktop/**) Jun 13, 2026
@SivanCola

Collaborator Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Can't wait for the next one!

Reviewed commit: 047411dedc


@esengine esengine merged commit 76ae52e into main-v2 Jun 14, 2026
14 checks passed
@esengine esengine deleted the fix/esbuild-security-override branch June 14, 2026 12:45
esengine added a commit that referenced this pull request Jun 15, 2026
#4323 pinned esbuild to 0.28.1 (npm overrides + pnpm-workspace overrides)
to pick up the patched release. But vite 6.4.2 depends on esbuild
^0.25.0, and 0.28.1 breaks its dev dependency pre-bundling: every dep
using destructuring fails with "Transforming destructuring to the
configured target environment is not supported yet", so `wails dev`
never starts. The advisory the pin targeted was already fixed in 0.25.0,
which vite enforces anyway.

Cap the override at ^0.25.0 (>=0.25.0 <0.26.0): still patched, matches
vite's own range, and blocks Dependabot from bumping back to 0.28.
Resolves to 0.25.12. site/ and workers/ keep 0.28.1 (Astro/Wrangler are
unaffected by the vite dev path).

package-lock.json is regenerated by npm 11 — reformatting only, no
dependency drift beyond esbuild.
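The follow-up commit describes the check that would have caught this before merge: an override that forces a transitive esbuild version must still sit inside the range each dependent (here vite's `^0.25.0`) declares for it, and at or above the patched release. The Node.js script below is an added example, not code from the PR or the project. It audits an npm `package-lock.json` (lockfileVersion 3) for exactly that condition. The lock contents are constructed inline to mirror the two states described in this thread, the minimal semver matcher is an assumption standing in for the `semver` package, and the patched floor `0.25.0` is taken from the commit message above (confirm it against the advisory before relying on it).

```javascript
// Added example (not from the PR or project): audit a package-lock.json v3
// for esbuild copies that an "overrides" pin has pushed outside the range
// their dependents declare, or below the patched release. Lock data below is
// constructed, and the semver matcher is a deliberately small stand-in.

// Parse "x.y.z" into [x, y, z]; prerelease tags are not handled here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports exact "x.y.z", caret "^x.y.z", and space-separated comparators
// such as ">=0.25.0 <0.26.0" (the form used by the follow-up cap).
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    // ^0.y.z pins the minor; ^x.y.z with x > 0 pins the major.
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0];
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  return r.split(/\s+/).every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const d = cmp(v, parseVersion(m[2]));
    switch (m[1] || '=') {
      case '>=': return d >= 0;
      case '<=': return d <= 0;
      case '>': return d > 0;
      case '<': return d < 0;
      default: return d === 0;
    }
  });
}

// Walk the lock's "packages" map. For every resolved copy of `name`, check it
// (a) is at or above `patchedFloor` and (b) still satisfies the range every
// dependent declares for it. Returns a list of human-readable problems.
function auditOverride(lock, name, patchedFloor) {
  const problems = [];
  const resolved = [];
  const dependents = [];
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      resolved.push({ path, version: entry.version });
    }
    for (const field of fields) {
      const range = entry[field] && entry[field][name];
      if (range) dependents.push({ path: path || '(root)', range });
    }
  }
  if (resolved.length === 0) problems.push(`${name} not present in lockfile`);
  for (const { path, version } of resolved) {
    if (cmp(parseVersion(version), parseVersion(patchedFloor)) < 0) {
      problems.push(`${path}@${version} is below patched floor ${patchedFloor}`);
    }
    for (const dep of dependents) {
      if (!satisfies(version, dep.range)) {
        problems.push(`${path}@${version} violates ${dep.path} range ${dep.range}`);
      }
    }
  }
  return problems;
}

// Constructed sample locks: the state after #4323 (pin to 0.28.1) and after
// the follow-up cap (^0.25.0 resolving to 0.25.12), plus an unpatched one.
const lockAfterPin = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { vite: '6.4.2' }, overrides: { esbuild: '0.28.1' } },
    'node_modules/vite': { version: '6.4.2', dependencies: { esbuild: '^0.25.0' } },
    'node_modules/esbuild': { version: '0.28.1' },
  },
};
const lockAfterCap = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { vite: '6.4.2' }, overrides: { esbuild: '^0.25.0' } },
    'node_modules/vite': { version: '6.4.2', dependencies: { esbuild: '^0.25.0' } },
    'node_modules/esbuild': { version: '0.25.12' },
  },
};
const lockUnpatched = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vite': { version: '6.4.2', dependencies: { esbuild: '^0.24.0' } },
    'node_modules/esbuild': { version: '0.24.2' },
  },
};

const PATCHED_FLOOR = '0.25.0'; // assumed from the commit message; verify against the advisory
console.log(auditOverride(lockAfterPin, 'esbuild', PATCHED_FLOOR));
console.log(auditOverride(lockAfterCap, 'esbuild', PATCHED_FLOOR));
console.log(auditOverride(lockUnpatched, 'esbuild', PATCHED_FLOOR));
```

To run it against a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; pnpm's `pnpm-lock.yaml` has a different shape and would need its own loader. The useful property of the check is that it fails on the first state (0.28.1 violates vite's `^0.25.0`) and passes on the second, which is the difference between the original pin and the capped override in the commit above.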