fix: resolve esbuild vulnerability via npm override (#16) #17

Merged
maximus merged 1 commit from fix/simpl-liste-16-esbuild-vulnerability into master 2026-03-08 15:25:15 +00:00
Collaborator

Summary

  • Add npm overrides in package.json to force esbuild@^0.25.0 across all transitive dependencies
  • Resolves all 4 moderate audit findings (GHSA-67mh-4wv8-2f99) caused by esbuild@0.18.20 pulled via drizzle-kit → @esbuild-kit/esm-loader → @esbuild-kit/core-utils
  • npm audit now returns 0 vulnerabilities

Fixes #16

medic-bot added 1 commit 2026-03-08 15:03:00 +00:00
The transitive dependency chain drizzle-kit -> @esbuild-kit/esm-loader ->
@esbuild-kit/core-utils pulled in esbuild@0.18.20 which is vulnerable to
GHSA-67mh-4wv8-2f99. Adding an npm override forces all nested esbuild
instances to use ^0.25.0, resolving all 4 moderate audit findings.

Ref: simpl-liste#16

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
maximus merged commit 6c1bd043e6 into master 2026-03-08 15:25:15 +00:00
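
One way to confirm that an override like the one in this PR reached every nested copy, as an added example (not code from this repository): scan the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and flag each installed `esbuild` below the `0.25.0` floor. The function names and the sample lockfile are hypothetical and constructed for illustration.

```javascript
// Added example: find every installed copy of a package in a lockfile's
// "packages" map and flag those below a minimum version.
const MIN = [0, 25, 0]; // floor implied by the override esbuild@^0.25.0

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(v, min) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== min[i]) return v[i] < min[i];
  }
  return false; // equal to the floor
}

// Returns [{ path, version, vulnerable }] for each copy of `name`.
// The key path shows which dependency nests the copy.
function findCopies(lock, name, min = MIN) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => {
      const v = parseVersion(meta.version);
      // Unparseable versions are flagged so they get a manual look.
      return { path, version: meta.version, vulnerable: !v || isBelow(v, min) };
    });
}

// Constructed sample: the state before the override, with an old esbuild
// nested under @esbuild-kit/core-utils next to a current top-level copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/esbuild": { version: "0.25.0" },
    "node_modules/esbuild-register": { version: "3.6.0" }, // different package
    "node_modules/@esbuild-kit/core-utils/node_modules/esbuild": { version: "0.18.20" },
  },
};

for (const c of findCopies(sampleLock, "esbuild")) {
  console.log(`${c.vulnerable ? "BELOW FLOOR" : "ok"}  ${c.version}  ${c.path}`);
}
```

Run against the real lockfile after `npm install`, a correctly applied override leaves no entry flagged; a remaining nested path means the lockfile was not regenerated.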
Reference: maximus/simpl-liste#17