The CI step "Security audit (no dev deps)" (npm audit --audit-level=high
--omit=dev) failed repo-wide on every PR: newly-published advisories landed
against the already-pinned esbuild 0.27.7 (GHSA-gv7w-rqvm-qjhr,
GHSA-g7r4-m6w7-qqqr — both high), pulled in transitively via
vite -> @sveltejs/vite-plugin-svelte. The fix for both only exists at
esbuild@0.28.1. A scoped vite@7 minor bump cannot help — all vite 7.x pin
esbuild ^0.27.0.
Add an overrides block:
- esbuild 0.28.1 (exact, no caret — a future 0.29.x must not silently
float in and re-break vite; let Renovate propose bumps explicitly)
- cookie >=0.7.0 (clears the low GHSA-pxg6-pf52-xh8x reaching the prod
tree via @sentry/sveltekit; drop-in, done in the same pass)
npm audit --audit-level=high --omit=dev now exits 0 with 0 vulnerabilities.
npm run build, lint, and a dev-server boot all succeed with the forced
esbuild 0.28.1 (validated, not assumed — it sits outside vite@7.3.3's
declared ^0.27.0 range).
Closes #817
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>