chore(vscode): esbuild ^0.25.0 + dependabot @types/node guard#32
chore(vscode): esbuild ^0.25.0 + dependabot @types/node guard#32SingleSourceStudios merged 1 commit intomainfrom
Conversation
…e majors - Bump esbuild ^0.24.0 → ^0.25.0 (resolves GHSA-67mh-4wv8-2f99 dev-server CORS) Not exploitable in our usage (we don't run 'esbuild serve'), but bump hygiene. - Add dependabot.yml ignore rules for @types/node semver-major in both / and /editors/vscode. @types/node must trail engines.node, not lead it (ref #29). - Add /editors/vscode to dependabot scan scope (previously unscanned). - VSCode extension bumped to v0.1.3 and published to Marketplace.
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 21 minutes and 23 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
1 participant
What
esbuild^0.24.0→^0.25.0ineditors/vscode(resolves GHSA-67mh-4wv8-2f99 dev-server CORS bypass). Not exploitable in our usage — we only runesbuildas a bundler, neveresbuild serve— but bump hygiene.dependabot.ymlignore rules for@types/nodeversion-update:semver-majorin both/and/editors/vscode. Per Align @types/node with VS Code extension host Node runtime #29,@types/nodemust trailengines.node, never lead it./editors/vscodeto Dependabot scan scope (previously unscanned — explains why PR chore(deps-dev): bump @types/node from 22.19.17 to 24.12.2 in the dev-dependencies group #30 surfaced from the root scan).v0.1.3, published to Marketplace.Why
Closes the remaining action items from the dependabot audit:
@types/nodeto 24) is being closed — it's exactly the anti-pattern Align @types/node with VS Code extension host Node runtime #29 warns against.Test
npm installineditors/vscoderesolves esbuild 0.25.xnpm run esbuild-base -- --minifybundles cleanly (1.9kb minified)vsce publishships v0.1.3 with icon intactRefs #29. Unblocks closing #30.
Summary by cubic
Bumped
esbuildineditors/vscodeto^0.25.0to address GHSA-67mh-4wv8-2f99 (we only use bundling, notesbuild serve). Published the VS Code extension as v0.1.3.@types/nodein/and/editors/vscodeso types trailengines.node/VS Code host./editors/vscodeto weekly scans.Written for commit d9afd25. Summary will update on new commits.