
fix(deps): bump tsx to pull esbuild >=0.28.1 #68

Merged
kmansou merged 1 commit into main from fix/esbuild-via-tsx-dependabot
Jun 22, 2026

Conversation

@kmansou

@kmansou kmansou commented Jun 17, 2026

Contributor

Summary

Resolves both open Dependabot esbuild alerts. esbuild is a dev-only, transitive dependency — it reaches the tree only via @github/local-action → tsx, and is not used by the rollup-based dist/ build.

Alert  Package  Severity  Advisory
#49    esbuild  high      GHSA-gv7w-rqvm-qjhr (withdrawn 2026-06-17, still open)
#48    esbuild  low       GHSA-g7r4-m6w7-qqqr (dev-server arbitrary file read on Windows)

Change

  • tsx 4.21.0 → 4.22.4 (within @github/local-action's ^4.21.0 range), which bumps its bundled esbuild 0.27.3 → 0.28.1.

No package.json change needed — esbuild/tsx are transitive, so this is a lockfile-only update.

Verification

  • esbuild advisories no longer appear in npm audit
  • npm test — 55/55 passing
  • npm run package (rollup) — dist/ unchanged, so check-dist passes

Note: npm audit surfaces a few other moderate advisories (brace-expansion, yaml, js-yaml, @babel/core) that are not currently open Dependabot alerts on this repo, so they're out of scope here. Happy to follow up on them separately if desired.

🤖 Generated with Claude Code

Resolves Dependabot esbuild alerts (dev-only, transitive via
@github/local-action -> tsx):
- GHSA-gv7w-rqvm-qjhr (high, withdrawn)
- GHSA-g7r4-m6w7-qqqr (low, dev-server file read)

tsx 4.21.0 -> 4.22.4 bumps its esbuild dependency 0.27.3 -> 0.28.1.
esbuild is not used by the rollup-based dist build, so dist/ is
unchanged; tests pass (55) and the esbuild advisories clear in audit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
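The Verification section above relies on npm audit clearing, which says nothing about whether esbuild is still dev-only or still enters the tree only through tsx. As an added example (not code from this PR or the repo), this check reads a package-lock.json (lockfileVersion 3) and confirms all three of the PR's claims at once; the lockfile objects, the @github/local-action version and the dependency ranges marked "placeholder" are constructed for the example.

```javascript
// Added example, not code from the PR or the repo: check a package-lock.json (v3)
// for what the PR asserts about esbuild: every installed copy is dev-only and
// >= 0.28.1, and it reaches the tree only via tsx. Lockfiles below are constructed.

function versionGte(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return true; // equal
}

// Installed copies: keys like "node_modules/esbuild" or "node_modules/tsx/node_modules/esbuild".
function copiesOf(lock, pkgName) {
  const tail = `node_modules/${pkgName}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === tail || p.endsWith(`/${tail}`))
    .map(([p, e]) => ({ path: p, version: e.version, dev: e.dev === true }));
}

// Packages whose own dependency map names pkgName, i.e. how it reaches the tree.
function dependentsOf(lock, pkgName) {
  return Object.entries(lock.packages)
    .filter(([p, e]) => p !== '' && pkgName in (e.dependencies || {}))
    .map(([p]) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length));
}

// Returns a list of problems; an empty list means the lockfile matches the claim.
function checkTransitiveDevDep(lock, pkgName, minVersion, allowedVia) {
  const copies = copiesOf(lock, pkgName);
  const problems = copies.length ? [] : [`${pkgName} not present in lockfile`];
  for (const c of copies) {
    if (!versionGte(c.version, minVersion)) problems.push(`${c.path} is ${c.version}, below ${minVersion}`);
    if (!c.dev) problems.push(`${c.path} is not marked dev-only`);
  }
  for (const d of dependentsOf(lock, pkgName)) {
    if (!allowedVia.includes(d)) problems.push(`${pkgName} also reached via ${d}`);
  }
  return problems;
}

const BASE = { '': { name: 'example-action', devDependencies: { '@github/local-action': 'placeholder' } },
  'node_modules/@github/local-action': { version: '0.0.0-placeholder', dev: true, dependencies: { tsx: '^4.21.0' } } };
// "After" state the PR describes (tsx 4.22.4 -> esbuild 0.28.1) and the "before" it replaces.
const CONSTRUCTED_LOCK_AFTER = { lockfileVersion: 3, packages: { ...BASE,
  'node_modules/tsx': { version: '4.22.4', dev: true, dependencies: { esbuild: 'placeholder' } },
  'node_modules/esbuild': { version: '0.28.1', dev: true } } };
const CONSTRUCTED_LOCK_BEFORE = { lockfileVersion: 3, packages: { ...BASE,
  'node_modules/tsx': { version: '4.21.0', dev: true, dependencies: { esbuild: 'placeholder' } },
  'node_modules/esbuild': { version: '0.27.3', dev: true } } };
```

Against a real repo, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result from `checkTransitiveDevDep(lock, 'esbuild', '0.28.1', ['tsx'])` is the signal that the lockfile-only bump did not land as described.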
@kmansou kmansou enabled auto-merge June 18, 2026 13:56

@jlutheratwork jlutheratwork left a comment


LGTM — bumps tsx so esbuild resolves to ≥0.28.1 (GHSA-g7r4-m6w7-qqqr). 28 checks green.

@kmansou kmansou merged commit 0959384 into main Jun 22, 2026
28 checks passed
@kmansou kmansou deleted the fix/esbuild-via-tsx-dependabot branch June 22, 2026 17:57
