
fix: upgrade esbuild to patch GHSA-67mh-4wv8-2f99#305

Merged
auxesis merged 1 commit into main from fix/upgrade-esbuild-to-patch-GHSA-67mh-4wv8-2f99 on Feb 25, 2026

Conversation

@auxesis
Contributor

@auxesis auxesis commented Feb 25, 2026

What it says on the tin.

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution configuration to ensure compatibility with package management tools.

@changeset-bot

changeset-bot bot commented Feb 25, 2026

⚠️ No Changeset found

Latest commit: 46ec2da

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai bot commented Feb 25, 2026

📝 Walkthrough

Walkthrough

Added a pnpm override for esbuild, specifying that versions 0.24.2 and below should resolve to version 0.25.0 or higher. This modifies dependency resolution constraints without altering code or dependencies themselves.

Changes

Cohort / File(s): Package Configuration (package.json)
Summary: Added pnpm override for esbuild (0.24.2 → ≥0.25.0) to enforce minimum version compatibility alongside existing ajv override.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

  • CDThomas
  • coderdan

Poem

🐰 A little hop and a package tweak,
esbuild's chains we gently break,
From old to new, the versions dance,
pnpm guides them in their prance,
Dependencies now play so sweet! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: upgrading esbuild to patch a security vulnerability (GHSA-67mh-4wv8-2f99), which matches the file modifications shown in the raw summary.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
package.json (2)

44-47: ⚠️ Potential issue | 🟠 Major

packageManager version mismatch: pnpm 10.14.0 specified but documentation requires pnpm 9.x.

AGENTS.md and .cursorrules both document pnpm 9.x as the required version, with no changeset or record indicating an intentional upgrade to 10.x. Either update packageManager to pnpm@9.x for consistency, or if the upgrade to pnpm 10.x was intentional, document the decision via changeset and update all references in AGENTS.md and .cursorrules.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 44 - 47, The packageManager entry in package.json
currently reads "pnpm@10.14.0" but AGENTS.md and .cursorrules expect pnpm 9.x;
either revert packageManager to "pnpm@9.x" (update the packageManager field in
package.json) to match existing docs, or if upgrading to pnpm 10.x was
intentional, add a changeset and update AGENTS.md and .cursorrules to document
the pnpm 10.x requirement and any migration notes so all references
(packageManager, AGENTS.md, .cursorrules) are consistent.

25-36: ⚠️ Potential issue | 🟠 Major

Create a Changeset entry before publishing this change.

No changeset entry currently exists in .changeset/. Per the coding guidelines, Changesets are required for managing releases; run pnpm changeset before publishing to ensure the release notes and version bump reflect this change.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 25 - 36, Add a Changeset entry to the repository
so this change is tracked for release: run the interactive changeset command
(pnpm changeset) and create a new .changeset/* MD file describing the package(s)
affected and the desired version bump, then commit that file alongside your
changes; ensure the new changeset aligns with the scripts in package.json
(notably "changeset", "changeset:version", and "changeset:publish") so
CI/release tooling will pick up the bump during pnpm run build && changeset
publish.
🧹 Nitpick comments (1)
package.json (1)

64-66: Consider tightening the override target to avoid unintended future breaking upgrades.

">=0.25.0" can float to any future 0.x release; since esbuild 0.25.0 includes backwards-incompatible changes (including serve() return shape changes), you may want to cap this to the patched minor line (e.g. ^0.25.0 which stays <0.26.0) unless you explicitly want to float indefinitely. (newreleases.io)

Proposed change (cap to 0.25.x)
   "pnpm": {
     "overrides": {
       ...
-      "esbuild@<=0.24.2": ">=0.25.0"
+      "esbuild@<=0.24.2": "^0.25.0"
     }
   }
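Review bot: the override key `esbuild@<=0.24.2` only rewrites esbuild resolutions at or below 0.24.2, so swapping the target to `^0.25.0` narrows what those rewritten entries may float to (>=0.25.0 <0.26.0) but does not touch an esbuild already resolved above 0.24.2 by some other path; since pnpm-lock.yaml is excluded from this review by the path filter, confirm in the regenerated lockfile that no esbuild entry at or below 0.24.2 remains, whichever target is chosen.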
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 64 - 66, The override for the esbuild package
currently uses a floating range ("esbuild@<=0.24.2": ">=0.25.0") which allows
unintended future 0.x upgrades; update that override in package.json to a capped
range such as "^0.25.0" (or ">=0.25.0 <0.26.0") so it stays within the 0.25.x
line and avoids pulling in breaking changes from 0.26.0 and above.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8fdb105 and 46ec2da.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
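An added example (not code from this PR or the project) that models the override discussed in the walkthrough and the nitpick above as a lockfile audit: it implements the three range forms used in this thread (`<=`, `>=`, and `^` on a 0.x line), then checks constructed resolved entries standing in for pnpm-lock.yaml against the `esbuild@<=0.24.2` override with either the merged `>=0.25.0` target or the proposed `^0.25.0` cap. The dependents named in the sample are hypothetical, and the matching is a simplified model rather than pnpm's own resolver logic.

```javascript
// Added example, not from the PR: audits resolved versions against a pnpm override
// such as {"esbuild@<=0.24.2": ">=0.25.0"}. Pre-release tags are not handled.

const parseVer = v => v.split('.').map(Number);

// Compare two dotted versions: -1, 0 or 1.
function cmpVer(a, b) {
  const [x, y] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Build a predicate for one of the range forms that appear in this thread.
function rangeMatcher(range) {
  if (range.startsWith('<=')) return v => cmpVer(v, range.slice(2)) <= 0;
  if (range.startsWith('>=')) return v => cmpVer(v, range.slice(2)) >= 0;
  if (range.startsWith('^')) {
    const base = range.slice(1), [maj, min] = parseVer(base);
    // Caret on a 0.x version only allows patch bumps: ^0.25.0 is >=0.25.0 <0.26.0.
    const upper = maj === 0 ? `0.${min + 1}.0` : `${maj + 1}.0.0`;
    return v => cmpVer(v, base) >= 0 && cmpVer(v, upper) < 0;
  }
  throw new Error(`unsupported range form: ${range}`);
}

// Return "name@version (via dependent)" for resolved entries that an override's
// selector matches but whose version still falls outside the replacement range.
function auditOverrides(overrides, resolved) {
  const findings = [];
  for (const [key, target] of Object.entries(overrides)) {
    const at = key.lastIndexOf('@');              // "esbuild@<=0.24.2" -> name + selector
    const name = at > 0 ? key.slice(0, at) : key;
    const selected = at > 0 ? rangeMatcher(key.slice(at + 1)) : () => true;
    const allowed = rangeMatcher(target);
    for (const r of resolved) {
      if (r.name === name && selected(r.version) && !allowed(r.version)) {
        findings.push(`${r.name}@${r.version} (via ${r.from})`);
      }
    }
  }
  return findings;
}

// Constructed sample standing in for lockfile entries; the dependents are hypothetical.
const SAMPLE_RESOLVED = [
  { name: 'esbuild', version: '0.24.2', from: 'hypothetical-dep-a' },
  { name: 'esbuild', version: '0.25.1', from: 'hypothetical-dep-b' },
  { name: 'ajv', version: '8.17.1', from: 'hypothetical-dep-c' },
];
const PR_OVERRIDES = { 'esbuild@<=0.24.2': '>=0.25.0' };
console.log(auditOverrides(PR_OVERRIDES, SAMPLE_RESOLVED));
```

A non-empty result means the override has not yet taken effect for that entry, which is the case a regenerated lockfile should clear.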

@auxesis auxesis merged commit f2f680a into main Feb 25, 2026
6 checks passed
@auxesis auxesis deleted the fix/upgrade-esbuild-to-patch-GHSA-67mh-4wv8-2f99 branch February 25, 2026 04:51