
chore(deps): force esbuild >=0.28.1 via pnpm override (GHSA-gv7w-rqvm-qjhr)#266

Merged: charlesrhoward merged 1 commit into main from chore/esbuild-audit-fix, Jun 13, 2026
Conversation

charlesrhoward (Contributor) commented Jun 13, 2026

Why

GHSA-gv7w-rqvm-qjhr (high) flags esbuild <0.28.1. The lockfile carried two vulnerable copies:

  • 0.25.12 under electron-vite/vite (declared range ^0.25.x)
  • 0.28.0 under fumadocs-mdx

The advisory was published after the open Dependabot PRs' CI runs (Jun 7), so the next push to main would fail the required pnpm audit --audit-level=high step. This must land before #265.

What

One-line pnpm override "esbuild": ">=0.28.1" + lockfile regen, matching the existing security-floor overrides (tar, minimatch, rollup, …).

Verification (local, node 22 / pnpm 10.12.4)

  • pnpm audit --audit-level=high ✅ (0 high)
  • desktop lint / tsc -b / electron-vite build
  • web lint / typecheck / next build
  • Electron Playwright smoke suite ✅ (vite 6 + electron-vite 3.1 work with esbuild 0.28.1)

🤖 Generated with Claude Code



…-qjhr)

esbuild <0.28.1 is flagged high by pnpm audit (binary integrity bypass
via NPM_CONFIG_REGISTRY in the Deno loader). Both lockfile copies were
vulnerable: 0.25.12 under electron-vite/vite and 0.28.0 under
fumadocs-mdx. Unify on 0.28.1 with an override, matching the existing
security-floor overrides (tar, minimatch, rollup, ...).

Verified locally on node 22 / pnpm 10.12.4: desktop lint, tsc -b,
electron-vite build, web lint/typecheck/build, Electron Playwright
smoke suite, and pnpm audit --audit-level=high all green.
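The PR description and commit message above describe two states of the lockfile (two vulnerable esbuild copies before, one patched copy after) and the pnpm.overrides floor that produces the second state. The following is an added example, not code from PR #266 or from the project: an offline check that scans a pnpm lockfile for copies of a package below an advisory's fixed version and confirms package.json carries the matching `>=` override. The lockfile and package.json fragments, the helper names and the integrity placeholders are all constructed for the example.

```javascript
// Added example (not part of PR #266 or the project's code). Offline check for
// a pnpm lockfile carrying copies of a package below a security floor, plus the
// matching pnpm.overrides floor in package.json. All sample data is constructed.

// Fixed version from the advisory quoted on the page: esbuild <0.28.1 is flagged.
const ESBUILD_FLOOR = "0.28.1";

// Constructed fragment in pnpm lockfile v9 style, mirroring the PR's "before"
// state (0.25.12 and 0.28.0 present). Integrity values are placeholders.
const LOCK_BEFORE = `
lockfileVersion: '9.0'
packages:
  '@esbuild/linux-x64@0.25.12':
    resolution: {integrity: sha512-PLACEHOLDER}
  esbuild@0.25.12:
    resolution: {integrity: sha512-PLACEHOLDER}
  esbuild@0.28.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  esbuild@0.28.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  vite@6.4.2:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Constructed "after" state: only the patched version remains.
const LOCK_AFTER = `
lockfileVersion: '9.0'
packages:
  '@esbuild/linux-x64@0.28.1':
    resolution: {integrity: sha512-PLACEHOLDER}
  esbuild@0.28.1:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Constructed package.json fragments: one with the floor override, one without.
const PKG_WITH_OVERRIDE = JSON.stringify({
  pnpm: { overrides: { "example-pkg": ">=1.2.3", esbuild: ">=0.28.1" } },
});
const PKG_WITHOUT_OVERRIDE = JSON.stringify({
  pnpm: { overrides: { "example-pkg": ">=1.2.3" } },
});

// Parse "major.minor.patch" (any pre-release/build suffix ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Matches lockfile package keys such as
//   esbuild@0.28.1:          or   '@esbuild/linux-x64@0.25.12':
const PACKAGE_KEY = /^\s*'?(@?[\w.-]+(?:\/[\w.-]+)?)@(\d+\.\d+\.\d+[\w.+-]*)'?:\s*$/;

// Every locked version of `name`, including its `@name/*` platform packages
// (esbuild ships one per target), as a Map of version -> occurrence count.
function lockedVersions(lockText, name) {
  const found = new Map();
  for (const line of lockText.split("\n")) {
    const m = PACKAGE_KEY.exec(line);
    if (!m) continue;
    const [, pkg, version] = m;
    if (pkg === name || pkg.startsWith(`@${name}/`)) {
      found.set(version, (found.get(version) || 0) + 1);
    }
  }
  return found;
}

// Versions of `name` in the lockfile strictly below `floor`, ascending.
function belowFloor(lockText, name, floor) {
  return [...lockedVersions(lockText, name).keys()]
    .filter((v) => compareVersions(v, floor) < 0)
    .sort(compareVersions);
}

// True if package.json carries a pnpm override for `name` whose ">=" floor is
// at least `floor`. Only the plain ">=x.y.z" form used by the PR is understood.
function hasFloorOverride(packageJsonText, name, floor) {
  const pkg = JSON.parse(packageJsonText);
  const range = pkg.pnpm && pkg.pnpm.overrides && pkg.pnpm.overrides[name];
  if (typeof range !== "string") return false;
  const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(range.trim());
  return m !== null && compareVersions(m[1], floor) >= 0;
}

console.log("before:", belowFloor(LOCK_BEFORE, "esbuild", ESBUILD_FLOOR));
console.log("after:", belowFloor(LOCK_AFTER, "esbuild", ESBUILD_FLOOR));
console.log("override present:", hasFloorOverride(PKG_WITH_OVERRIDE, "esbuild", ESBUILD_FLOOR));
```

Run against a real pnpm-lock.yaml and package.json, `belowFloor` returning an empty list is the condition the audit step is checking for; `hasFloorOverride` is the cheap guard that the floor is actually declared and will survive the next lockfile regeneration rather than depending on whatever version the consumers happen to resolve.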
vercel Bot commented Jun 13, 2026

The latest updates on your projects.

Project: agent-space-web | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 13, 2026 12:57am

mogplex Bot commented Jun 13, 2026

Mogplex PR Review

Status: No material issues found

Summary

Clean security patch — no issues found. ✅

This PR adds "esbuild": ">=0.28.1" to pnpm.overrides in package.json and regenerates the lockfile, addressing GHSA-gv7w-rqvm-qjhr (high severity). The change:

  • Follows existing conventions: Uses the same >= range pattern as the other 12 security-floor overrides already in the file (tar, minimatch, rollup, flatted, picomatch, path-to-regexp, etc.).
  • Lockfile is correct: Consolidates duplicate esbuild platform packages (removes 0.25.12 and 0.28.0 entries, keeps only 0.28.1). Net -267 lines is expected for platform-binary deduplication.
  • Well-verified: PR description confirms local validation across desktop lint/tsc/build, web lint/typecheck/build, and Electron Playwright smoke suite.

No security, correctness, architectural, or performance concerns. Ready to merge.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b17f63aa99


Comment thread package.json
"fast-uri": "3.1.2",
"tmp": "0.2.6"
"tmp": "0.2.6",
"esbuild": ">=0.28.1"
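Review bot: the new `"esbuild": ">=0.28.1"` entry is an unbounded floor, so it will also lift electron-vite and vite (which, per the Codex comment, declare `esbuild: ^0.25.0`) onto any future 0.29.x the moment one is published, and esbuild treats 0.x minor bumps as breaking. It is consistent with the other `>=` floors in the file, but for a package whose consumers are pinned to a different minor line, consider bounding it to the patched line, e.g. `"esbuild": ">=0.28.1 <0.29.0"`, so the audit floor is satisfied without the build tooling silently following later minors.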


P2: Keep Vite on its declared esbuild range

When the root dev/build/package scripts run through electron-vite and vite, this override makes pnpm install esbuild@0.28.1 for those tools (the lockfile now resolves both electron-vite@3.1.0 and vite@6.4.2 to 0.28.1). vite@6.4.2 declares esbuild: ^0.25.0, and the previous lockfile resolved it to 0.25.12, so forcing 0.28.x puts the main build pipeline outside the supported esbuild minor line; esbuild 0.x minor releases are treated as breaking releases. Please update Vite/electron-vite to versions that declare compatibility with 0.28.x, or use a compatible patched 0.25.x resolution if one exists, rather than overriding every consumer across minors.


@charlesrhoward charlesrhoward merged commit ae26f20 into main Jun 13, 2026
8 checks passed
@charlesrhoward charlesrhoward deleted the chore/esbuild-audit-fix branch June 13, 2026 01:00