Bump the npm_and_yarn group across 2 directories with 1 update #106
dependabot[bot] wants to merge 2 commits into
Conversation
Bumps the npm_and_yarn group with 1 update in the / directory: [esbuild](https://github.com/evanw/esbuild).
Bumps the npm_and_yarn group with 1 update in the /artifacts/api-server directory: [esbuild](https://github.com/evanw/esbuild).

Updates `esbuild` from 0.27.3 to 0.28.1 (the same update in both directories)
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.3...v0.28.1)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Seems you are using me but didn't get OPENAI_API_KEY set in Variables/Secrets for this repo. You could follow the readme for more information.
Deploying with Vercel

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed (View logs) | tools | ffabbb7 | Jun 12 2026, 08:16 PM |
Skipping PR review because a bot author is detected. If you want to trigger CodeAnt AI, comment
Dependency Review: the following issues were found:
- License Issues: pnpm-lock.yaml
- OpenSSF Scorecard
- Scanned Files
Hard-Coded Secrets (1)
More info on how to fix Hard-Coded Secrets in General.

Insecure Processing of Data (2)
More info on how to fix Insecure Processing of Data in JavaScript.
Socket for GitHub: review the following changes in direct dependencies.
| "@types/express": "^5.0.6", | ||
| "@types/node": "catalog:", | ||
| "esbuild": "^0.27.3", | ||
| "esbuild": "^0.28.1", |
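Review bot: the new specifier `"esbuild": "^0.28.1"` resolves to >=0.28.1 <0.29.0, so the next esbuild 0.29.x security release will again need a manifest edit rather than a lockfile refresh; confirm the matching `importers` entry in pnpm-lock.yaml for this directory carries the same `^0.28.1` specifier, and that the root directory's copy of this change (the PR bumps both `/` and `/artifacts/api-server`) lands in the same commit so the two workspaces cannot drift apart.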
📝 Info: esbuild 0.x minor version bump may contain breaking changes
Under semver for 0.x versions, the caret (^) only allows patch-level changes (e.g., ^0.28.1 matches >=0.28.1, <0.29.0), so this is effectively a controlled upgrade within the 0.28 range. However, esbuild treats minor version bumps in the 0.x series as potentially breaking. The build script at artifacts/api-server/build.mjs uses only stable, well-established API options (entryPoints, platform, bundle, format, outdir, outExtension, logLevel, external, sourcemap, plugins, banner), so the risk is low. Still, it's worth confirming the build succeeds with the new version, especially the esbuild-plugin-pino plugin compatibility.
No application code in the PR — skipped Code Health checks.
Quality Gate Profile: Customizable Safeguards
Overall Grade: Security · Reliability · Complexity · Hygiene

Code Review Summary

| Analyzer | Updated (UTC) | Details |
|---|---|---|
| Scala | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Swift | Jun 12, 2026 8:16 p.m. | Review ↗ |
| JavaScript | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Ruby | Jun 12, 2026 8:16 p.m. | Review ↗ |
| C & C++ | Jun 12, 2026 8:16 p.m. | Review ↗ |
| C# | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Rust | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Shell | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Terraform | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Code coverage | Jun 12, 2026 8:16 p.m. | Review ↗ |
| SQL | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Secrets | Jun 12, 2026 8:16 p.m. | Review ↗ |
| Ansible | Jun 12, 2026 8:16 p.m. | Review ↗ |
Important: AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment `@deepsourcebot review` on this thread.
| { | ||
| integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==, | ||
| } | ||
| engines: { node: ">=0.12" } | ||
|
|
||
| es-define-property@1.0.1: | ||
| resolution: {integrity: sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==} | ||
| engines: {node: '>= 0.4'} | ||
| resolution: |
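Review bot: this pnpm-lock.yaml hunk changes layout and quoting, not resolved versions: the new-side entries use a multi-line, double-quoted form (`integrity: sha512-...,` on its own line, `engines: { node: ">=0.12" }`), while the old-side `es-define-property@1.0.1` block keeps pnpm's inline single-quoted form (`engines: {node: '>= 0.4'}`). Running a formatter over the lockfile buries the one real esbuild change in thousands of cosmetic lines and produces a file pnpm did not write; regenerate it with `pnpm install` and add pnpm-lock.yaml to the formatter's ignore list so the review diff shows only the dependency change.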
Recharts v2 deprecated — unrelated to this bump
The lockfile now surfaces a deprecation notice for recharts@2.15.4: the 1.x/2.x branches are no longer active and maintainers recommend upgrading to v3. This isn't introduced by the esbuild bump, but the notice appearing here makes it easy to miss. If recharts is used in the project, tracking an upgrade to v3 is worth a follow-up.
Code Review Summary

Status: No Issues Found | Recommendation: Merge

This PR is a Dependabot-driven update of

Security Improvements in esbuild 0.28.1:

The lockfile formatting changes (single to double quotes) are auto-generated by pnpm and do not affect functionality.

Files Reviewed (2 files)

Reviewed by laguna-m.1-20260312:free
Not up to standards ⛔

🔴 Issues

| Category | Results |
|---|---|
| Security | 1 medium |

🟢 Metrics

| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |

TIP: This summary will be updated as you push new changes.
AI Code Review by LlamaPReview
🎯 TL;DR & Recommendation
Recommendation: Approve with suggestions
This PR bumps esbuild to 0.28.1 across two directories, addressing two security advisories. However, the lockfile was also reformatted by external tools, which could lead to merge conflicts or parsing issues; it's recommended to regenerate it using pnpm.
💡 Suggestions (P2)
- artifacts/api-server/package.json: Esbuild bump is fine, but the lockfile was reformatted by external tools, risking merge conflicts and potential YAML parsing issues. Run `pnpm install` to regenerate.
| "@types/node": "catalog:", | ||
| "esbuild": "^0.27.3", | ||
| "esbuild": "^0.28.1", | ||
| "esbuild-plugin-pino": "^2.3.3", |
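Review bot: `esbuild-plugin-pino` stays at `^2.3.3` directly beneath the bumped `esbuild` line; before merging, check that the plugin's declared peer range for esbuild admits 0.28.x and that `artifacts/api-server/build.mjs` still produces a working bundle, because an unmet peer range is reported by pnpm as a warning rather than an install failure and would otherwise go unnoticed in an automated bump.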
P2 | Confidence: Medium
The esbuild dependency is bumped from ^0.27.3 to ^0.28.1. This is a minor version bump in a 0.x release line, which per semver conventions may include breaking changes. The release notes for 0.28.1 list only bug fixes and security patches (e.g., corrected handling of using declarations, module evaluation errors, and new operator edge cases) without explicitly stating any breaking changes. However, these fixes can alter build output semantics (e.g., minification of using blocks now correctly preserves resource disposal).
The lockfile (pnpm-lock.yaml) was also updated to reflect the new version and additionally went through an automated reformatting pass (commit ffabbb7) by tools like Prettier. Reformatting a package lockfile with external tools is non-standard; pnpm expects a specific structure (two-space indentation). While the lockfile may still be valid, this practice increases the risk of merge conflicts and could potentially cause silent parsing issues if the formatting deviates from what pnpm's YAML parser expects.
Impacts path: pnpm-lock.yaml because the lockfile was reformatted, not just version-updated. The esbuild update itself includes two security advisories (GHSA-g7r4-m6w7-qqqr and GHSA-gv7w-rqvm-qjhr) which is beneficial. Recommend verifying the build output and running the full test suite after merging, and regenerating the lockfile via pnpm install to avoid formatting-related risks.
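Both the cubic comment above ("^0.28.1 matches >=0.28.1, <0.29.0") and the LlamaPReview comment turn on the same point: a caret range on a 0.x package pins the minor version, so the security fixes in 0.28.1 could never be reached from `^0.27.3` by refreshing the lockfile, and Dependabot had to edit package.json. The following is an added example, not code from the PR, from esbuild, or from any of the review bots: a small JavaScript resolver for caret ranges, plus a check that flags lockfile versions which fall outside their declared ranges. The manifest and lockfile objects at the bottom are constructed for the example; the `esbuild-plugin-pino` locked version is an assumption.

```javascript
// Added example (not part of the PR or of esbuild): minimal resolver for npm
// caret ranges, used to show why the esbuild bump needed a manifest change.
//
// Caret semantics as implemented by npm's node-semver:
//   ^1.2.3 -> >=1.2.3 <2.0.0   (major > 0: minor and patch may float)
//   ^0.2.3 -> >=0.2.3 <0.3.0   (major = 0: only patch may float)
//   ^0.0.3 -> >=0.0.3 <0.0.4   (major = minor = 0: nothing floats)

// Parse "1.2.3" (optionally "v1.2.3") into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Half-open interval [min, maxExclusive) covered by a caret range.
function caretBounds(range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled: ${range}`);
  const min = parseVersion(range.slice(1));
  const [major, minor, patch] = min;
  let maxExclusive;
  if (major > 0) maxExclusive = [major + 1, 0, 0];
  else if (minor > 0) maxExclusive = [0, minor + 1, 0];
  else maxExclusive = [0, 0, patch + 1];
  return { min, maxExclusive };
}

// True when `version` lies inside the caret range.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = caretBounds(range);
  return compare(v, min) >= 0 && compare(v, maxExclusive) < 0;
}

// Given the ranges a manifest declares and the versions a lockfile resolved
// them to, report every dependency whose locked version is outside its range
// or missing. Both inputs are plain objects constructed for this example; a
// real check would read them from package.json and pnpm-lock.yaml.
function lockfileMismatches(manifestDeps, lockedVersions) {
  const bad = [];
  for (const [name, range] of Object.entries(manifestDeps)) {
    const locked = lockedVersions[name];
    if (locked === undefined) {
      bad.push({ name, reason: "missing from lockfile" });
      continue;
    }
    if (!satisfies(locked, range)) bad.push({ name, reason: `${locked} not in ${range}` });
  }
  return bad;
}

// Worked case from this PR (constructed): the old range cannot admit 0.28.1.
const oldManifest = { esbuild: "^0.27.3", "esbuild-plugin-pino": "^2.3.3" };
const newManifest = { esbuild: "^0.28.1", "esbuild-plugin-pino": "^2.3.3" };
// Assumed lockfile state after the bump; the plugin version is a placeholder.
const lockAfterBump = { esbuild: "0.28.1", "esbuild-plugin-pino": "2.3.3" };

console.log(satisfies("0.28.1", "^0.27.3")); // false: a 0.x caret pins the minor
console.log(satisfies("0.28.1", "^0.28.1")); // true
console.log(lockfileMismatches(oldManifest, lockAfterBump)); // one entry, for esbuild
console.log(lockfileMismatches(newManifest, lockAfterBump)); // []
```

The `lockfileMismatches` check is the part worth keeping around: run against the two `importers` entries in pnpm-lock.yaml, it would catch the drift the reviewers worry about (a hand-edited or reformatted lockfile whose resolved version no longer agrees with the manifest) before `pnpm install --frozen-lockfile` fails in CI.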
Updates `esbuild` from 0.27.3 to 0.28.1 (the same update in both the / and /artifacts/api-server directories)

Release notes
Sourced from esbuild's releases.
... (truncated)

Changelog
Sourced from esbuild's changelog.
... (truncated)

Commits
- bb9db84 publish 0.28.1 to npm
- 9ff053e security: add integrity checks to the Deno API
- 0a9bf21 enforce non-negative size in gzip parser
- e2a1a71 security: forbid `\\` in local dev server requests
- 83a2cbf fix #4482: don't inline `using` declarations
- 308ad74 fix #4471: renaming of nested `var` declarations
- f013f5f fix some typos
- aafd6e4 chore: fix some minor issues in comments (#4462)
- 15300c3 follow up: cjs evaluation fixes
- 1bda0c3 fix #4461, fix #4467: esm evaluation fixes

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by cubic

Upgrade `esbuild` to 0.28.1 in `artifacts/api-server` and update the root lockfile; also apply automated code formatting across the repo. No functional changes.

Dependencies
- Bump `esbuild` from 0.27.3 to 0.28.1 and update lockfile.
- ... `esbuild-plugin-pino`) with `esbuild@0.28.1`.

Refactors

Written for commit ffabbb7. Summary will update on new commits.
Greptile Summary
This PR bumps esbuild from 0.27.3 to 0.28.1 across two directories, patching two security CVEs and several bug fixes. The lockfile consistently updates all dependents and tsx gets an incidental bump to 4.22.4.
Confidence Score: 5/5
Safe to merge — this is a targeted security patch with no API-breaking changes for the usage patterns in this repo.
The bump closes two published security advisories in esbuild's dev server and Deno install script. The esbuild 0.27→0.28 range contains only bug fixes and no breaking changes to the build API. The indirect tsx bump (4.21→4.22) is a minor patch. All lockfile changes are consistent and the old tsx snapshot is legitimately retained for other dependents.
No files require special attention. The recharts@2.15.4 deprecation surfaced in the lockfile is worth a separate follow-up but is unrelated to this change.
Important Files Changed
Reviews (1): Last reviewed commit: "style: format code with ClangFormat, dot..."