fix(deps): override esbuild to ^0.28.1 to clear audit advisories

[kanywst]

Background

CI for all open PRs (#27 #28 #29 #30) fails at the audit step of the lint / typecheck / test / audit / build job. The cause is not the dependabot bumps but a transitive esbuild vulnerability that also exists on main.

npm audit --audit-level=moderate detects 4 high-severity advisories and exits 1:

• GHSA-gv7w-rqvm-qjhr — Missing binary integrity verification in Deno module (RCE via NPM_CONFIG_REGISTRY)
• GHSA-g7r4-m6w7-qqqr — arbitrary file read in dev server on Windows

The dependency path is astro -> vite -> esbuild. The vulnerable range is esbuild 0.17.0 - 0.28.0; the installed version was 0.27.7.

Change

Add esbuild: ^0.28.1 (the patched version) to overrides. npm audit fix --force would downgrade astro with a breaking change, so an override is used instead.

Verification

• npm run audit -> found 0 vulnerabilities
• npm run lint -> clean
• npm run typecheck -> 0 errors
• npm run test -> 4 passed
• npm run build -> Complete

After this merges, rebasing each dependabot PR will make their CI pass.

[coderabbitai]

📝 Walkthrough

Walkthrough

package.json is updated to add an esbuild entry (^0.28.1) to the existing overrides block, which already contained a vite override (^7.3.2), so npm now resolves both packages to these pinned version ranges.

Dependency Override Expansion

Layer / File(s)	Summary
Add esbuild to npm overrides package.json	Adds esbuild: ^0.28.1 alongside the existing vite: ^7.3.2 entry in the overrides block, expanding transitive dependency version pinning to cover both packages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A bunny hops through dependency land,
Pinning esbuild with a careful hand.
Vite was there, now esbuild too,
Overrides keep the versions true.
🐇✨ No more version drift in view!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding an esbuild dependency override to version ^0.28.1 to resolve security vulnerabilities, which is the core purpose of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/esbuild-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the esbuild dependency and its platform-specific optional dependencies from version 0.27.7 to 0.28.1 in package-lock.json, and adds an override for esbuild to version ^0.28.1 in package.json. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.