chore: deduplicate esbuild via resolution #1118

Merged: brendan-kellam merged 1 commit into main from brendan/deduplicate-esbuild on Apr 15, 2026

@brendan-kellam brendan-kellam commented Apr 15, 2026

Summary

  • Add an esbuild resolution (^0.27.3) to consolidate 4 separate versions (0.25.1, 0.25.12, 0.27.3, 0.27.7) down to a single 0.27.7

🤖 Generated with Claude Code

Add a `^0.27.3` resolution for esbuild to consolidate 4 separate
versions (0.25.1, 0.25.12, 0.27.3, 0.27.7) down to a single 0.27.7.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@github-actions

@brendan-kellam your pull request is missing a changelog!

coderabbitai bot commented Apr 15, 2026

Walkthrough

Updated package.json to add a forced version resolution for esbuild at ^0.27.3 to address CVE concerns. The existing picomatch@^4 resolution remains unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Resolution: package.json | Added forced esbuild@^0.27.3 resolution override to Yarn resolutions field for CVE mitigation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding an esbuild resolution to deduplicate multiple versions into one. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

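To confirm that a resolution like the one in this PR actually collapsed the duplicates, the lockfile can be checked for packages that still resolve to more than one version. The following is an added example, not code from this repository; the function names and the lockfile excerpts (including the descriptor ranges) are constructed, and only the four esbuild versions come from the PR summary.

```javascript
// Added example (not from the PR): list packages that resolve to more than one
// version in a Yarn lockfile. Accepts classic (version "x") and Berry (version: x).

// "esbuild@npm:^0.25.0" or "@scope/pkg@^1.0.0" -> package name
function packageName(descriptor) {
  const d = descriptor.trim().replace(/^"|"$/g, "");
  const at = d.indexOf("@", 1); // index 0 may be a scope '@'
  return at === -1 ? d : d.slice(0, at);
}

// Returns { name: [sorted versions] } for packages with several versions.
function duplicateVersions(lockText) {
  const seen = new Map();
  let names = [];
  for (const line of lockText.split(/\r?\n/)) {
    const version = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (/^[^\s#].*:\s*$/.test(line)) {
      // Entry header: comma-separated descriptors ending in ':'
      names = line.replace(/:\s*$/, "").split(",").map(packageName);
    } else if (version) {
      for (const n of names.filter((x) => !x.startsWith("__"))) {
        if (!seen.has(n)) seen.set(n, new Set());
        seen.get(n).add(version[1]);
      }
    }
  }
  const out = {};
  for (const [name, set] of seen) {
    if (set.size < 2) continue;
    out[name] = [...set].sort((a, b) =>
      a.localeCompare(b, undefined, { numeric: true }));
  }
  return out;
}

// Constructed excerpts: descriptor ranges are assumptions; the esbuild
// versions are the four named in the PR summary.
const BEFORE_LOCK = `
"esbuild@npm:0.25.1":
  version: 0.25.1
"esbuild@npm:^0.25.0":
  version: 0.25.12
"esbuild@npm:0.27.3":
  version: 0.27.3
"esbuild@npm:^0.27.0":
  version: 0.27.7
`;
const AFTER_LOCK = `"esbuild@npm:^0.27.3":\n  version: 0.27.7\n`;
console.log(duplicateVersions(BEFORE_LOCK), duplicateVersions(AFTER_LOCK));
```

Run against the real lockfile in CI, a non-empty result for a package that has a resolution entry indicates the override did not take effect.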

@brendan-kellam brendan-kellam merged commit 02becc4 into main Apr 15, 2026
7 of 9 checks passed
@brendan-kellam brendan-kellam deleted the brendan/deduplicate-esbuild branch April 15, 2026 00:50
@github-actions

License Audit

Status: FAIL

| Metric | Count |
| --- | --- |
| Total packages | 2070 |
| Resolved (non-standard) | 10 |
| Unresolved | 1 |
| Strong copyleft | 0 |
| Weak copyleft | 39 |

Fail Reasons

  • 1 package has an unresolvable license: element-source (0.0.3)

Unresolved Packages

| Package | Version | License | Reason |
| --- | --- | --- | --- |
| element-source | 0.0.3 | UNKNOWN | No repository URL or homepage in npm registry metadata; no README available; no linked GitHub repository found; license cannot be determined |

Weak Copyleft Packages (informational)

| Package | Version | License |
| --- | --- | --- |
| @img/sharp-libvips-darwin-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-darwin-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.0.5 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-ppc64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-riscv64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-s390x | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linux-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-arm64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.0.4 | LGPL-3.0-or-later |
| @img/sharp-libvips-linuxmusl-x64 | 1.2.4 | LGPL-3.0-or-later |
| @img/sharp-wasm32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-wasm32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later AND MIT |
| @img/sharp-win32-arm64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-ia32 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.33.5 | Apache-2.0 AND LGPL-3.0-or-later |
| @img/sharp-win32-x64 | 0.34.5 | Apache-2.0 AND LGPL-3.0-or-later |
| axe-core | 4.10.3 | MPL-2.0 |
| dompurify | 3.3.1 | (MPL-2.0 OR Apache-2.0) |
| lightningcss | 1.32.0 | MPL-2.0 |
| lightningcss-android-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-arm64 | 1.32.0 | MPL-2.0 |
| lightningcss-darwin-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-freebsd-x64 | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm-gnueabihf | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-arm64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-gnu | 1.32.0 | MPL-2.0 |
| lightningcss-linux-x64-musl | 1.32.0 | MPL-2.0 |
| lightningcss-win32-arm64-msvc | 1.32.0 | MPL-2.0 |
| lightningcss-win32-x64-msvc | 1.32.0 | MPL-2.0 |

Resolved Packages (10)

| Package | Version | Original | Resolved | Source |
| --- | --- | --- | --- | --- |
| @react-grab/cli | 0.1.23 | UNKNOWN | MIT | GitHub repo (aidenybai/react-grab) — MIT license file detected by GitHub API |
| @react-grab/cli | 0.1.29 | UNKNOWN | MIT | GitHub repo (aidenybai/react-grab) — MIT license file detected by GitHub API |
| @react-grab/mcp | 0.1.29 | UNKNOWN | MIT | GitHub repo (aidenybai/react-grab) — MIT license file detected by GitHub API |
| codemirror-lang-elixir | 4.0.0 | UNKNOWN | Apache-2.0 | GitHub repo (livebook-dev/codemirror-lang-elixir) — Apache-2.0 detected by GitHub license API |
| lezer-elixir | 1.1.2 | UNKNOWN | Apache-2.0 | GitHub repo (livebook-dev/lezer-elixir) — Apache-2.0 detected by GitHub license API |
| map-stream | 0.1.0 | UNKNOWN | MIT | GitHub repo (dominictarr/map-stream) — MIT detected by GitHub license API |
| memorystream | 0.3.1 | UNKNOWN | MIT | npm registry package.json contains license object [{"type":"MIT","url":"..."}]; confirmed by GitHub repo (JSBizon/node-memorystream) license API |
| pause-stream | 0.0.11 | ["MIT", "Apache2"] | MIT AND Apache-2.0 | GitHub repo (dominictarr/pause-stream) LICENSE file states dual MIT and Apache 2 license |
| posthog-js | 1.345.5 | SEE LICENSE IN LICENSE | Apache-2.0 | GitHub repo (PostHog/posthog-js) LICENSE file header states Apache License, Version 2.0 |
| valid-url | 1.0.9 | UNKNOWN | MIT | GitHub repo (ogt/valid-url) LICENSE file states MIT license |
