fix(deps): override esbuild to >=0.28.1 to clear audit advisory

[theoephraim]

Bumps the transitive esbuild to >=0.28.1 via a root overrides entry to clear the high-severity bun audit advisory (GHSA-gv7w-rqvm-qjhr — binary integrity verification / RCE via NPM_CONFIG_REGISTRY). Same bump also clears the low-severity esbuild Windows dev-server file-read advisory.

esbuild is purely transitive (astro, tsup, vite, wrangler) with no direct usage in the repo. Verified @varlock/ci-env-info, @varlock/astro-integration, and @varlock/cloudflare-integration all still build. bun audit --audit-level=moderate now exits 0.

The remaining low-severity @ai-sdk/provider-utils advisory has no patched release (ai@5 pins it to 3.0.25) and is below the moderate gate, so it's left as-is.

[github-actions]

The changes in this PR will be included in the next version bump.

Patch releases

• varlock 1.6.1 → 1.6.2

Bump files in this PR

• proxy-phase1-guardrails.md (view diff) (edit)
• proxy-audit-log.md (view diff) (edit)
• proxy-require-approval.md (view diff) (edit)
• proxy-root-decorator-fix.md (view diff) (edit)
• proxy-default-omit-sensitive.md (view diff) (edit)
• proxy-dual-form-decorator.md (view diff) (edit)
• proxy-approval-scopes.md (view diff) (edit)
• proxy-approval-granularity.md (view diff) (edit)
• proxy-schema-fingerprint-full.md (view diff) (edit)
• proxy-run-attach.md (view diff) (edit)
• proxy-session-record.md (view diff) (edit)

Click here if you want to add another bump file to this PR

---

This comment is maintained by bumpy.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/varlock@784

commit: f19fd64