
[codex] Remediate esbuild audit findings#202

Merged
nahremenkova1 merged 1 commit into master from codex/remediate-esbuild-audit on Jun 14, 2026

Conversation

@biggora

@biggora biggora commented Jun 13, 2026

Owner

Summary

  • updates the dev tooling that pulls in vulnerable esbuild versions: tsup, tsx, and vitest
  • adds an npm overrides.esbuild entry for ^0.28.1 so the resolved graph stays on the patched range
  • regenerates package-lock.json, reducing the duplicate nested Vitest esbuild install

Why

npm audit --json reported 3 high-severity findings through esbuild advisory GHSA-gv7w-rqvm-qjhr, affecting tsup and tsx. The remediation keeps the change scoped to development tooling and the lockfile.

GitHub still reports one low-severity Dependabot alert on the default branch, but this branch resolves the npm audit high-severity findings for the local dependency graph.

Validation

  • npm install -> found 0 vulnerabilities
  • npm audit --json -> metadata.vulnerabilities.total: 0
  • npm run build -> passed with tsup v8.5.1
  • npm run test:vitest -> 13 test files passed, 187 tests passed
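A way to confirm that an `overrides.esbuild` entry actually reached every nested copy, as an added example (this is not code from the PR or from the project): the script walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, lists every installed `esbuild`, and flags any install outside the `^0.28.1` caret range the PR pins. The embedded sample lockfile is constructed for the example, and the `check-override.js` file name and invocation are hypothetical.

```javascript
// Added example, not the project's code. Checks that every copy of a package in
// a package-lock.json (lockfileVersion 2 or 3) satisfies an npm caret range,
// which is what the package.json fragment  "overrides": { "esbuild": "^0.28.1" }
// is meant to guarantee. Node built-ins only.
//
// Hypothetical invocation from the repo root:
//   node check-override.js package-lock.json esbuild '^0.28.1'
// With no arguments it runs against the constructed SAMPLE_LOCK below.

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; build metadata after "+" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre && !b.pre) return -1; // a pre-release sorts below its release
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Caret semantics as npm applies them: ^1.2.3 => >=1.2.3 <2.0.0,
// ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  let hi;
  if (lo.major > 0) hi = { major: lo.major + 1, minor: 0, patch: 0, pre: null };
  else if (lo.minor > 0) hi = { major: 0, minor: lo.minor + 1, patch: 0, pre: null };
  else hi = { major: 0, minor: 0, patch: lo.patch + 1, pre: null };
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Lockfile keys look like "node_modules/esbuild" or
// "node_modules/vitest/node_modules/esbuild"; the text after the last
// "node_modules/" is the package name (scoped names keep their "@scope/").
function findInstalls(lock, name) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const leaf = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    if (leaf === name && entry.version) {
      out.push({ path: key, version: entry.version, dev: !!entry.dev });
    }
  }
  return out;
}

// Installs that fall outside the range; an empty array means the override held.
function checkOverride(lock, name, range) {
  return findInstalls(lock, name).filter((i) => !satisfiesCaret(i.version, range));
}

// Constructed sample lockfile (not the project's real one): a hoisted esbuild
// inside the range, a stale nested copy under vitest outside it, and a scoped
// platform package that must not be mistaken for esbuild itself.
const SAMPLE_LOCK = {
  name: "sample",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample", version: "0.0.0" },
    "node_modules/esbuild": { version: "0.28.1", dev: true },
    "node_modules/vitest": { version: "3.0.0", dev: true },
    "node_modules/vitest/node_modules/esbuild": { version: "0.21.5", dev: true },
    "node_modules/@esbuild/linux-x64": { version: "0.28.1", dev: true },
  },
};

// CLI entry point; guarded so the functions can also be imported or evaluated
// in an ES-module context where require/module are undefined.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const [lockPath, name = "esbuild", range = "^0.28.1"] = process.argv.slice(2);
  const lock = lockPath
    ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  for (const i of findInstalls(lock, name)) {
    console.log(`${i.path}@${i.version}${i.dev ? " (dev)" : ""}`);
  }
  const bad = checkOverride(lock, name, range);
  if (bad.length) {
    console.error(`${bad.length} install(s) of ${name} outside ${range}`);
    process.exit(1);
  }
}
```

This check is complementary to `npm audit`: the audit answers against the advisory database, while this confirms the structural outcome the PR describes (no duplicate nested esbuild left outside the patched range). Note that npm honours `overrides` only in the root project's package.json, so anyone installing this package as a dependency gets their own resolution of tsup, tsx and vitest and does not inherit the pin.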

@biggora biggora marked this pull request as ready for review June 13, 2026 11:17
@nahremenkova1 nahremenkova1 merged commit d4c5524 into master Jun 14, 2026
7 checks passed
@nahremenkova1 nahremenkova1 deleted the codex/remediate-esbuild-audit branch June 14, 2026 07:03
@nahremenkova1

Collaborator

QA Sign-off

Recommendation: merged

Validation:

  • GitHub CI/CodeQL: green before merge
  • Security hold: none found (SECURITY-HOLD absent from PR comments/reviews)
  • Duplicate QA sign-off: none found before this comment
  • Local install: npm ci passed, 0 vulnerabilities
  • Local audit: npm audit --json reported metadata.vulnerabilities.total: 0
  • Local build: npm run build passed with tsup v8.5.1
  • Local test: npm run test:vitest passed, 13 files / 187 tests
  • Local typecheck: npm run typecheck passed
  • Local lint: npm run lint passed

Merged with squash/delete-branch policy. Merge commit: d4c55244256998be104143ff8a356cdb1a6d0e36.
