Skip to content

chore(deps): bump esbuild ^0.25.0 -> ^0.28.1 (fixes SNYK-JS-ESBUILD-17750822)#1502

Closed
juar-queue-it wants to merge 1 commit into
fastly:mainfrom
juar-queue-it:test/esbuild-0.28-bump
Closed

chore(deps): bump esbuild ^0.25.0 -> ^0.28.1 (fixes SNYK-JS-ESBUILD-17750822)#1502
juar-queue-it wants to merge 1 commit into
fastly:mainfrom
juar-queue-it:test/esbuild-0.28-bump

Conversation

@juar-queue-it

Copy link
Copy Markdown

Summary

Bumps the esbuild dependency from ^0.25.0 to ^0.28.1.

The pinned ^0.25.0 range keeps esbuild on 0.25.x, which is flagged by Snyk as SNYK-JS-ESBUILD-17750822"Resources Downloaded over Insecure Protocol" (CWE-426, CVSS 9.2). The advisory covers >=0.17.0 <0.28.1 and is fixed in 0.28.1. Because the range is ^0.25.0, downstream consumers cannot pull the fix without an override — Snyk reports "no remediation path available" until @fastly/js-compute bumps it here.

esbuild is only used in the JS bundler step of the CLI (src/compiler-steps/bundle.ts and the two src/esbuild-plugins/*), so this has no effect on the StarlingMonkey/Wasm runtime.

Verification

With esbuild@0.28.1 installed:

  • npx tsc (build:cli) — passes
  • npm run test:types (tsd) — passes
  • Ran a real build() through both Fastly plugins (fastlyPlugin + swallowTopLevelExportsPlugin) against a sample app: fastly:* imports resolve correctly and top-level exports are swallowed as expected.

The esbuild API surface used here (build({...}) plus the onResolve/onLoad plugin hooks) is unchanged across 0.250.28, so no source changes were required.

🤖 Generated with Claude Code

@juar-queue-it
juar-queue-it force-pushed the test/esbuild-0.28-bump branch from f3fc306 to 9dbe38e Compare July 13, 2026 12:07
@juar-queue-it

Copy link
Copy Markdown
Author

Hi everyone. I'm bumping up the dependency to esbuild as our vulnerability scanner detected a critical issue with the version you are using here.

@zkat

zkat commented Jul 17, 2026

Copy link
Copy Markdown
Member

replaced by #1506

@zkat zkat closed this Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants