Skip to content

fix(deps): resolve esbuild CORS vulnerability#11

Merged
Snider merged 1 commit intodevfrom
fix/dependabot-esbuild-vulnerability
Feb 1, 2026
Merged

fix(deps): resolve esbuild CORS vulnerability#11
Snider merged 1 commit intodevfrom
fix/dependabot-esbuild-vulnerability

Conversation

@Snider
Copy link
Contributor

@Snider Snider commented Feb 1, 2026

Summary

Vulnerability Details

esbuild <=0.24.2 allowed any website to send requests to the development server and read responses due to permissive CORS settings (Access-Control-Allow-Origin: *).

Severity: Moderate
Impact: Source code exposure during development

Changes

  • package.json: Added overrides for esbuild (>=0.25.0) and vite (>=6.4.1)
  • package-lock.json: Regenerated with patched dependencies

Test plan

  • npm audit shows 0 vulnerabilities
  • Verify docs build still works: npm run docs:build

🤖 Generated with Claude Code

@Snider @claude
fix(deps): resolve esbuild CORS vulnerability (GHSA-67mh-4wv8-2f99)
2ee3df4 
- Add npm overrides to force esbuild >=0.25.0 and vite >=6.4.1
- Update direct vite dependency to ^6.4.1
- Resolves Dependabot alert #1 (moderate severity)

The vulnerability allowed any website to send requests to the dev server
and read responses due to permissive CORS settings in esbuild <=0.24.2.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@coderabbitai
Copy link

coderabbitai bot commented Feb 1, 2026

Warning

Rate limit exceeded

@Snider has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 31 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/dependabot-esbuild-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Feb 1, 2026

QA Pipeline Results

Check Status Details
Tests 197 tests, 393 assertions
PHPStan 0 errors
Psalm 0 issues
Code Style 0 files need formatting
Security 0 vulnerabilities
Artifacts
  • test-results.xml - JUnit test results
  • phpstan.json - PHPStan analysis
  • psalm.json / psalm.sarif - Psalm analysis
  • pint.json - Code style report
  • audit.json - Security audit

Generated by core php qa pipeline

@Snider Snider merged commit eaca2a0 into dev Feb 1, 2026
10 checks passed
@Snider Snider deleted the fix/dependabot-esbuild-vulnerability branch February 1, 2026 01:37
@Snider Snider mentioned this pull request Feb 1, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Snider