chore(deps-dev): bump esbuild and minify

[dependabot]

Bumps esbuild and minify. These dependencies needed to be updated together.
Updates esbuild from 0.27.3 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

0.28.1

• Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  // Old output (with --minify)
  new Resource().activate();
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#4461, #4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  // Old output
  new foo()bar();
  new (foo())?.bar();

... (truncated)

Commits

• bb9db84 publish 0.28.1 to npm
• 9ff053e security: add integrity checks to the Deno API
• 0a9bf21 enforce non-negative size in gzip parser
• e2a1a71 security: forbid \\ in local dev server requests
• 83a2cbf fix #4482: don't inline using declarations
• 308ad74 fix #4471: renaming of nested var declarations
• f013f5f fix some typos
• aafd6e4 chore: fix some minor issues in comments (#4462)
• 15300c3 follow up: cjs evaluation fixes
• 1bda0c3 fix #4461, fix #4467: esm evaluation fixes
• Additional commits viewable in compare view

Updates minify from 15.0.1 to 15.3.1

Release notes

Sourced from minify's releases.

minify v15.3.1

🔥 feature

• 91e63b9 minify: mjs -> js

minify v15.3.0

🔥 feature

• c5f7744 minify: read-std -> redstd

minify v15.2.1

🔥 feature

• 051adaa minify: oxc-minify v0.125.0
• 6978772 minify: html-minifier-next v6.1.2
• 8cb8a0a minify: esbuild v0.28.0

minify v15.2.0

🔥 feature

• edbcb95 minify: add support of oxc-minify

minify v15.1.1

🐞 fix

• 6d8f851 help: simplify

🔥 feature

• 6dcaeca we should know if minification fail (#145)
• 36488e8 minify: superc8 v12.2.4
• f293b52 minify: putout v42.0.25
• b31f2ff minify: madrun v13.0.0
• b6a5057 minify: html-minifier-next v5.1.5
• a4ab156 minify: eslint-plugin-putout v31.0.2
• 8ddaab1 minify: eslint v10.0.2
• d348430 minify: escover v6.0.0

minify v15.1.0

🔥 feature

• 6dcaeca minify: we should know if minification fail (#145)
• f7244c3 minify: superc8 v12.2.4
• f8d6038 minify: putout v42.0.25
• d7d5d45 minify: madrun v13.0.0
• 705eab5 minify: html-minifier-next v5.1.5
• 6f9b883 minify: eslint-plugin-putout v31.0.2
• b131f26 minify: eslint v10.0.2
• 7b275d4 minify: escover v6.0.0

Changelog

Sourced from minify's changelog.

2026.04.15, v15.3.1

feature:

• 91e63b9 minify: mjs -> js

2026.04.15, v15.3.0

feature:

• c5f7744 minify: read-std -> redstd

2026.04.14, v15.2.1

feature:

• 051adaa minify: oxc-minify v0.125.0
• 6978772 minify: html-minifier-next v6.1.2
• 8cb8a0a minify: esbuild v0.28.0

2026.03.04, v15.2.0

feature:

• edbcb95 minify: add support of oxc-minify

2026.03.04, v15.1.1

fix:

• 6d8f851 help: simplify

feature:

• 6dcaeca we should know if minification fail (#145)
• 36488e8 minify: superc8 v12.2.4
• f293b52 minify: putout v42.0.25
• b31f2ff minify: madrun v13.0.0
• b6a5057 minify: html-minifier-next v5.1.5
• a4ab156 minify: eslint-plugin-putout v31.0.2
• 8ddaab1 minify: eslint v10.0.2
• d348430 minify: escover v6.0.0

2026.03.04, v15.1.0

feature:

• 6dcaeca minify: we should know if minification fail (#145)
• f7244c3 minify: superc8 v12.2.4
• f8d6038 minify: putout v42.0.25
• d7d5d45 minify: madrun v13.0.0
• 705eab5 minify: html-minifier-next v5.1.5
• 6f9b883 minify: eslint-plugin-putout v31.0.2
• b131f26 minify: eslint v10.0.2
• 7b275d4 minify: escover v6.0.0

2026.01.11, v15.0.1

... (truncated)

Commits

• 4be721b chore: minify: v15.3.1
• 91e63b9 feature: minify: mjs -> js
• 5be2cf1 chore: minify: v15.3.0
• a261532 feature: minify: read-std -> redstd
• c24c7ca chore: minify: actions: lint ☘️
• 1539008 chore: minify: v15.2.1
• fb785e7 chore: lint
• e3714a1 feature: minify: oxc-minify v0.125.0
• 8c462ab feature: minify: html-minifier-next v6.1.2
• 20ff439 feature: minify: esbuild v0.28.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	esbuild@​0.28.1
	minify@​15.0.1 ⏵ 15.3.1				-2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm css-tree is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: package-lock.json → npm/minify@15.3.1 → npm/css-tree@3.2.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package-lock.json → npm/minify@15.3.1 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report