Skip to content

Bump esbuild and vite in /frontend#2

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/multi-1b777957f8
Closed

Bump esbuild and vite in /frontend#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/frontend/multi-1b777957f8

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Copy link
Copy Markdown
Contributor

Removes esbuild. It's no longer used after updating ancestor dependency vite. These dependencies need to be updated together.

Removes esbuild

Updates vite from 5.4.21 to 8.0.14

Release notes

Sourced from vite's releases.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

plugin-legacy@8.0.2

Please refer to CHANGELOG.md for details.

create-vite@8.0.1

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.14 (2026-05-21)

Features

Bug Fixes

  • deps: update all non-major dependencies (#22471) (98b8163)
  • dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
  • html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
  • optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

  • deps: update rolldown-related dependencies (#22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)

Code Refactoring

  • glob: do not rewrite import path for absolute base (#22310) (0ae2844)

Tests

8.0.13 (2026-05-14)

Features

  • bundled-dev: add lazy bundling support (#21406) (4f0949f)
  • optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#22357) (47071ce)
  • update rolldown to 1.0.1 (#22444) (8c766a6)

Bug Fixes

  • build: copy public directory after building same environment with write=false (#22328) (158e8ae)
  • css: await sass/less/styl worker disposal on teardown (fix #22274) (#22275) (b7edcb7)
  • css: keep deprecated name/originalFileName in synthetic assetFileNames call (#22439) (8e59c97)
  • make isBundled per environment (#22257) (a576326)
  • ssr: avoid rewriting labels that collide with imports (#22451) (d9b18e0)

Miscellaneous Chores

8.0.12 (2026-05-11)

Features

... (truncated)

Commits
  • c917f1e release: v8.0.14
  • 5d94d1b fix(html): handle trailing slash paths in transformIndexHtml (#22480)
  • 98b8163 fix(deps): update all non-major dependencies (#22471)
  • 96efc88 feat: update rolldown to 1.0.2 (#22484)
  • ebf39a0 test(css): sass does not use main field (#22449)
  • 0ae2844 refactor(glob): do not rewrite import path for absolute base (#22310)
  • 7cb728e chore(deps): update rolldown-related dependencies (#22470)
  • b3132da fix(optimizer): pass oxc jsx options to transformSync in dependency scan ...
  • e8e9a34 fix(dev): handle errors when sending messages to vite server (#22450)
  • 2c69495 chore: remove irrelevant commits from changelog
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependency [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite). These dependencies need to be updated together.


Removes `esbuild`

Updates `vite` from 5.4.21 to 8.0.14
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.14/packages/vite)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
- dependency-name: vite
  dependency-version: 8.0.14
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 25, 2026
sathyaprakash000 added a commit that referenced this pull request May 25, 2026
…y-token (#6)

Batch B (Meta-direct). The webhook POST accepted any forged JSON. Now:
- Capture the raw request body (express.json verify hook) and verify
  X-Hub-Signature-256 (HMAC-SHA256 with META_APP_SECRET) using timingSafeEqual;
  reject with 403 on mismatch. When META_APP_SECRET is unset, log a warning
  (unverified) rather than breaking existing deployments.
- Make the GET verify-token comparisons constant-time (safeEqual) to remove the
  timing oracle.

Audit ref: REVIEW.md P0 #2 (lane 06 CRITICAL + HIGHs).

Signed-off-by: KingArthur000 <sathyaprakashelango@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sathyaprakash000

Copy link
Copy Markdown
Contributor

Superseded by #21, which performs the Vite 8 upgrade properly — bumping @vitejs/plugin-react to v6 alongside Vite (this PR bumped only vite, so the build failed). #21 is verified green (build + 51 tests + 0 vulnerabilities).

@dependabot @github

dependabot Bot commented on behalf of github May 25, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@sathyaprakash000 sathyaprakash000 deleted the dependabot/npm_and_yarn/frontend/multi-1b777957f8 branch May 25, 2026 05:11
sathyaprakash000 added a commit that referenced this pull request May 25, 2026
…y) (#21)

Dependabot opened two overlapping PRs (#2, #3) bumping vite to ^8.0.14 to clear
the esbuild dev-server advisory (GHSA-67mh-4wv8-2f99), but both broke the build
because Vite 8 needs a matching @vitejs/plugin-react v5+. Do the major upgrade
deliberately: bump vite ^8.0.14 AND @vitejs/plugin-react ^6.0.2 together.

Verified locally: npm install (0 vulnerabilities), npm run build (clean,
Rolldown-based), npm run test:unit (51/51 pass). vitest was already ^4.1.7
(Vite 8 compatible).

Supersedes #2 and #3.

Signed-off-by: KingArthur000 <sathyaprakashelango@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant