fix(deps): override esbuild to >=0.28.1 to clear audit advisory by theoephraim · Pull Request #784 · dmno-dev/varlock

theoephraim · 2026-06-15T05:10:50Z

Bumps the transitive esbuild to >=0.28.1 via a root overrides entry to clear the high-severity bun audit advisory (GHSA-gv7w-rqvm-qjhr — binary integrity verification / RCE via NPM_CONFIG_REGISTRY). Same bump also clears the low-severity esbuild Windows dev-server file-read advisory.

esbuild is purely transitive (astro, tsup, vite, wrangler) with no direct usage in the repo. Verified @varlock/ci-env-info, @varlock/astro-integration, and @varlock/cloudflare-integration all still build. bun audit --audit-level=moderate now exits 0.

The remaining low-severity @ai-sdk/provider-utils advisory has no patched release (ai@5 pins it to 3.0.25) and is below the moderate gate, so it's left as-is.

github-actions · 2026-06-15T05:11:18Z

The changes in this PR will be included in the next version bump.

Patch releases

varlock 1.6.1 → 1.6.2

Bump files in this PR

proxy-phase1-guardrails.md (view diff) (edit)
proxy-audit-log.md (view diff) (edit)
proxy-require-approval.md (view diff) (edit)
proxy-root-decorator-fix.md (view diff) (edit)
proxy-default-omit-sensitive.md (view diff) (edit)
proxy-dual-form-decorator.md (view diff) (edit)
proxy-approval-scopes.md (view diff) (edit)
proxy-approval-granularity.md (view diff) (edit)
proxy-schema-fingerprint-full.md (view diff) (edit)
proxy-run-attach.md (view diff) (edit)
proxy-session-record.md (view diff) (edit)

Click here if you want to add another bump file to this PR

This comment is maintained by bumpy.

+  let out = '';
+  while (out.length < length) {
+    const byte = crypto.randomBytes(1)[0]!;
+    out += alphabet[byte % alphabet.length];


pkg-pr-new · 2026-06-15T05:16:18Z

Open in StackBlitz

npm i https://pkg.pr.new/varlock@784

commit: f19fd64

github-actions Bot added maintainer core:varlock labels Jun 15, 2026

github-advanced-security AI found potential problems Jun 15, 2026

View reviewed changes

Comment thread packages/varlock/src/proxy/session-registry.ts Outdated

let out = '';

while (out.length < length) {

const byte = crypto.randomBytes(1)[0]!;

out += alphabet[byte % alphabet.length];

fix(deps): override esbuild to >=0.28.1 to clear audit advisory

7611604

theoephraim force-pushed the fix-esbuild-audit-advisory branch from f19fd64 to 7611604 Compare June 15, 2026 05:16

theoephraim merged commit 05e39fd into main Jun 15, 2026
23 checks passed

Ari4ka approved these changes Jun 15, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): override esbuild to >=0.28.1 to clear audit advisory#784

fix(deps): override esbuild to >=0.28.1 to clear audit advisory#784
theoephraim merged 1 commit into
mainfrom
fix-esbuild-audit-advisory

theoephraim commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

pkg-pr-new Bot commented Jun 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

theoephraim commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Patch releases

Bump files in this PR

Uh oh!

pkg-pr-new Bot commented Jun 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants