fix(security): raise esbuild, js-yaml, and dompurify override floors across JS workspaces#671

Open
langwatch-agent wants to merge 2 commits into main from dependabot-scout/esbuild-security
Conversation

@langwatch-agent

Contributor

What

Forces esbuild to >=0.28.1 across every scenario workspace via overrides, and regenerates each lockfile so both direct and transitive esbuild resolve to 0.28.1.

  • docs/pnpm-workspace.yaml overrides
  • javascript/package.json pnpm overrides
  • python/examples/lovable_clone/template/package.json (both npm overrides and pnpm.overrides)

Why

esbuild >=0.17.0 <0.28.1 is affected by two advisories, both patched in 0.28.1:

  • GHSA-gv7w-rqvm-qjhr (HIGH): missing binary integrity verification in the Deno module, enabling remote code execution via NPM_CONFIG_REGISTRY.
  • GHSA-g7r4-m6w7-qqqr (LOW): arbitrary file read when running the development server on Windows.

Resolves Dependabot alerts #411, #412, #413, #414, #415.

Verification

  • javascript: tsc --noEmit passes, tsup build succeeds with esbuild 0.28.1.
  • docs: vocs build (vite + esbuild 0.28.1) completes and prerenders all pages.
  • Frozen installs pass for all four locks (docs, javascript, template pnpm + npm).
  • No esbuild <0.28.1 remains in any lock.

Notes

The docs and template lockfiles show a large diff: a pnpm override only takes effect on a full re-resolution, so those locks were regenerated from scratch, which also refreshes other transitive deps to the latest within their existing semver ranges. The javascript lock moved incrementally and stays small. All builds pass on the refreshed locks.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026


Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7431ff71-0c90-4930-b312-0138a4845309

📥 Commits

Reviewing files that changed from the base of the PR and between 0600ba6 and 1b5ab08.

⛔ Files ignored due to path filters (4)
  • docs/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • javascript/package-lock.json is excluded by !**/package-lock.json
  • javascript/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • python/examples/lovable_clone/template/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • docs/pnpm-workspace.yaml
  • javascript/package.json
  • python/examples/lovable_clone/template/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • python/examples/lovable_clone/template/package.json

Walkthrough

Updates dependency override ranges in the docs workspace, JavaScript package manifests, and the Python lovable_clone template, including new esbuild floor rules and revised js-yaml and dompurify mappings.

Changes

Dependency override updates

Layer: workspace and javascript overrides
File(s): docs/pnpm-workspace.yaml, javascript/package.json
Summary: Updates the workspace override table and the JavaScript package overrides with new esbuild floor rules and revised dompurify and js-yaml ranges.

Layer: python template overrides
File(s): python/examples/lovable_clone/template/package.json
Summary: Updates the lovable_clone template overrides with revised js-yaml ranges and added esbuild rules in both override blocks.

Suggested reviewers: drewdrewthis, sergioestebance

Poem

🐇 I hopped through overrides, tidy and neat,
with esbuild and yaml now both in step and beat.
Three configs got a careful little nudge,
and the rabbit approves with a tiny thumbs-up grudge.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: ✅ Passed. The title accurately summarizes the security override floor updates for esbuild, js-yaml, and dompurify across the workspace files.
  • Description check: ✅ Passed. The description matches the changeset and explains the override updates, lockfile regeneration, and security motivation.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@langwatch-agent

Contributor Author

CI is fully green. The first run was red only on a pre-existing, unrelated voice BDD contract failure (a scenario tagged only @docs, identical on main); fixed by tagging it @unit (the prove-it report already counted it as the 79th @unit). Closes all 5 esbuild alerts (#411, #412, #413, #414, #415). Ready for human review.

@langwatch-agent

Contributor Author

Rebased onto current main (resolved the overlap with the merged #684). esbuild resolves to 0.28.1 across docs/javascript/template; the javascript library lock diff is esbuild-only, doc/example-dir locks refreshed via the override fresh-resolve. CI fully green, MERGEABLE. Ready for human review and merge.

@langwatch-agent langwatch-agent force-pushed the dependabot-scout/esbuild-security branch from c3acfc6 to 0600ba6 on June 29, 2026 06:15
@langwatch-agent

Contributor Author

Rebased onto main to clear the conflicts that appeared after the vite 8.x security PR (#709) merged into the same override blocks and locks. Kept both override sets; regenerated all four locks so esbuild resolves to 0.28.1 across docs, javascript (pnpm + npm), and the lovable_clone template (pnpm + npm).

While here, also closed the javascript npm-lock esbuild alert (#437): javascript/package.json had esbuild only under pnpm.overrides, so the npm package-lock stayed on 0.27.7. Added a top-level npm overrides entry and regenerated, so this PR now resolves both esbuild alerts (#411 pnpm-lock and #437 package-lock). CI is green and the PR is mergeable again.

Adds js-yaml floors (3.x line to >=3.15.0 capped <4, 4.x line to >=4.2.0
capped <5 to avoid the 5.x major) across docs, javascript (pnpm + npm), and
the lovable_clone template (pnpm + npm), and raises the docs dompurify floor
to >=3.4.11. Regenerated locks resolve js-yaml to 3.15.0 / 4.2.0 / 4.3.0 and
dompurify to 3.4.11.

Clears MODERATE alerts js-yaml #477/#478/#479/#480 and dompurify #473 (also
covers the earlier dompurify #425), alongside the esbuild floors already in
this PR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@langwatch-agent langwatch-agent changed the title from "fix(security): bump esbuild to >=0.28.1 across all workspaces" to "fix(security): raise esbuild, js-yaml, and dompurify override floors across JS workspaces" on Jul 2, 2026
@langwatch-agent

Contributor Author

Folded in the js-yaml and dompurify MODERATE floors, since they live in the same override blocks and locks this PR already edits (docs, javascript pnpm+npm, template pnpm+npm):

  • js-yaml: 3.x line to >=3.15.0 (capped <4) and 4.x line to >=4.2.0 (capped <5 so it does not cross into the 5.x major). Locks resolve to js-yaml 3.15.0 / 4.2.0 / 4.3.0.
  • dompurify (docs): floor raised <3.4.0 to <3.4.11, resolves to 3.4.11.

Now closes esbuild #411/#437, js-yaml #477/#478/#479/#480, and dompurify #473 (also covers the older dompurify #425). Dogfooded: javascript frozen install + typecheck clean + 853 unit tests pass.
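The PR description's verification step ("no esbuild <0.28.1 remains in any lock") and the per-major js-yaml floors in the comment above are both checks a reviewer can script rather than eyeball. The block below is an added example, not code from the langwatch repository: it reads resolved versions out of a package-lock.json (lockfileVersion 2/3 "packages" map, nested copies included) and a pnpm-lock.yaml (v6/v9 "name@version" keys, scanned line by line so no YAML library is needed), then reports every copy that falls below a floor table shaped like this PR's override sets. Function names, the FLOORS table, and both sample lockfiles are constructed for illustration; the integrity hashes are placeholders.

```javascript
// Added example (not the langwatch project's code): audit lockfiles for
// resolved versions below a security floor. Function names, FLOORS and the
// two sample lockfiles are constructed for illustration.

// Parse "major.minor.patch[-prerelease]"; build metadata (+...) is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering (-1, 0, 1): numeric fields first, then a prerelease
// sorts below its release; two prereleases are compared as plain strings.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null || y.pre === null) return x.pre === null ? 1 : -1;
  return x.pre < y.pre ? -1 : 1;
}

// package-lock.json (lockfileVersion 2/3): each "packages" key that ends in
// node_modules/<name> is a resolved copy, including nested duplicates.
function resolvedFromPackageLock(json) {
  const out = [];
  for (const [key, entry] of Object.entries(JSON.parse(json).packages || {})) {
    if (key === '' || !entry.version) continue; // root project / link entries
    const idx = key.lastIndexOf('node_modules/');
    out.push({ name: key.slice(idx + 'node_modules/'.length), version: entry.version });
  }
  return out;
}

// pnpm-lock.yaml: scan the two-space-indented keys of the "packages:" section.
// Assumes the v6/v9 shape "<name>@<version>", optionally quoted, with an
// optional leading "/" and an optional peer suffix such as "(vite@8.0.0)".
function resolvedFromPnpmLock(yaml) {
  const out = [];
  let inPackages = false;
  for (const line of yaml.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    if (!inPackages) continue;
    const m = /^  ['"]?\/?([^'"\s(]+)(?:\([^)]*\))*['"]?:\s*$/.exec(line);
    if (!m) continue;
    const at = m[1].lastIndexOf('@'); // scoped names keep their leading "@"
    if (at <= 0) continue;
    out.push({ name: m[1].slice(0, at), version: m[1].slice(at + 1) });
  }
  return out;
}

// Floor policy in the shape of this PR's override sets. A rule with `line`
// applies only to that major (js-yaml 3.x and 4.x stay on separate lines);
// a version whose major matches no rule must clear the highest floor instead.
const FLOORS = {
  esbuild: [{ floor: '0.28.1' }],
  'js-yaml': [{ line: 3, floor: '3.15.0' }, { line: 4, floor: '4.2.0' }],
  dompurify: [{ floor: '3.4.11' }],
};

function findViolations(resolved, floors = FLOORS) {
  const violations = [];
  for (const { name, version } of resolved) {
    const rules = floors[name];
    if (!rules) continue;
    const major = parseVersion(version).major;
    const rule = rules.find((r) => r.line === major)
      || rules.reduce((best, r) => (best && compareVersions(best.floor, r.floor) >= 0 ? best : r), null);
    if (compareVersions(version, rule.floor) < 0) violations.push({ name, version, floor: rule.floor });
  }
  return violations;
}

// Constructed sample lockfiles (not the repository's real locks): the npm lock
// hides a stale nested esbuild under vite; the pnpm lock has a stale js-yaml 3.x.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'sample', lockfileVersion: 3,
  packages: {
    '': { name: 'sample', version: '1.0.0' },
    'node_modules/esbuild': { version: '0.28.1' },
    'node_modules/vite/node_modules/esbuild': { version: '0.27.7' },
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/dompurify': { version: '3.4.11' },
  },
});

const SAMPLE_PNPM_LOCK = [
  "lockfileVersion: '9.0'",
  'packages:',
  "  '@esbuild/linux-x64@0.28.1':",
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '  esbuild@0.28.1:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '  js-yaml@3.14.1:',
  '  js-yaml@4.3.0:',
  '  vite@8.0.0(@types/node@20.0.0):',
  'snapshots:',
  '  esbuild@0.28.1: {}',
].join('\n');

for (const [label, found] of [
  ['package-lock.json', findViolations(resolvedFromPackageLock(SAMPLE_PACKAGE_LOCK))],
  ['pnpm-lock.yaml', findViolations(resolvedFromPnpmLock(SAMPLE_PNPM_LOCK))],
]) console.log(label, found.length ? found : 'clean');
```

To run it against real locks, read each file's contents and pass the string to the matching parser; a non-empty result from findViolations is exactly the case the PR's frozen-install verification is meant to rule out, and the nested esbuild in the npm sample is the shape of the #437 finding (an override present only under pnpm.overrides leaves the npm lock untouched).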

@langwatch-agent

Contributor Author

CI is green on re-run. The earlier ci-checks failure was a flaky testing-remote-agents-stateful.test.ts hook timeout (network-dependent Examples suite, unrelated to these build-tool override bumps); it passed cleanly on re-run with no code change. Ready for human review and merge (closes esbuild #411/#437, js-yaml #477/#478/#479/#480, dompurify #473).

@langwatch-agent langwatch-agent added the "dependabot-scout" label (Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity)) on Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

This PR's diff could not be evaluated automatically: Diff too large for automated evaluation (663568 chars exceeds 100000-char limit). Manual review required.

This PR requires a manual review before merging.
