
fix(deps): resolve esbuild audit advisory #1281

Merged
Astro-Han merged 3 commits into dev from codex/fix-esbuild-audit on Jun 13, 2026

Conversation

Astro-Han (Owner) commented Jun 13, 2026

Summary

Adds root and site esbuild overrides to resolve GHSA-gv7w-rqvm-qjhr and unblock dependency audit coverage. It also teaches PR labeler to route root dependency updates (package.json, bun.lock) to the ci area, which fixes the pr-triage failure this dependency-only PR exposed. There is no related issue; this PR responds to the live CI audit failure affecting open PRs.

Why

bun audit --audit-level=high started failing after GitHub published GHSA-gv7w-rqvm-qjhr for esbuild >=0.17.0 <0.28.1. The existing root lockfile resolved esbuild@0.27.7 plus nested 0.25.12 copies through Vite, electron-vite, and drizzle-kit.

The site is a separate Bun project and also carried vulnerable esbuild@0.27.7 resolutions through Astro/Vite, so this PR applies the same override there and refreshes site/bun.lock.

The first PR run also showed a label-policy gap: actions/labeler uses sync-labels: true, so manually adding ci is removed unless the changed paths match .github/labeler.yml. Root dependency updates did not match any primary routing label before this PR.

Related Issue

None.

Human Review Status

Pending

Review Focus

Check that the dependency overrides are limited to esbuild@0.28.1, both lockfiles no longer carry vulnerable esbuild resolutions, and root dependency updates are routed to ci by labeler.

Risk Notes

The dependency override affects build tooling used by Vite, electron-vite, drizzle-kit, and the Astro site. Local app, desktop, and site builds passed with the override; PR CI covers the broader OS matrix. The labeler change is limited to root package.json and bun.lock updates. No visible UI or copy changed, so no screenshot was taken.

How To Verify

  • bun audit --audit-level=high: passed, no high advisory output
  • bun install --frozen-lockfile: passed, no lockfile changes
  • bun --cwd packages/app build: passed
  • bun --cwd packages/desktop-electron build: passed
  • bun run typecheck: passed, 8 successful tasks
  • bun run lint: passed
  • node --test .github/scripts/label-policy-check.test.js: passed, 12 tests
  • cd site && bun audit --audit-level=high: passed, no vulnerabilities found
  • cd site && bun run build: passed, 2 pages built
  • rg actual esbuild/@esbuild lockfile resolutions below 0.28.1: no matches
  • git diff --check: passed
  • PR CI: passed after rerunning one transient opencode unit failure

Screenshots or Recordings

Not applicable; no visible UI or copy changes.

Checklist

How to use this checklist:

  • Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
  • The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
  • Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.
  • Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
  • Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
  • Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
  • Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
  • I linked the related issue, or stated in Summary why there is no issue.
  • I described the review focus and any meaningful risks.
  • I replaced the example block in How To Verify with the real verification steps and the key result for each.
  • I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
  • (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
  • (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
  • (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
  • I reviewed the final diff for unrelated changes and suspicious dependency changes.
  • I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

Summary by CodeRabbit

  • Chores
    • Updated dependency configuration to maintain stability and compatibility.

Astro-Han added labels bug (Something isn't working), ci (Continuous integration / GitHub Actions), P1 (High priority) and dependencies (Pull requests that update a dependency file) on Jun 13, 2026
github-actions Bot removed the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
coderabbitai Bot (Contributor) commented Jun 13, 2026

Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds an explicit esbuild version override to the root package.json, pinning it to version 0.28.1 in the dependency overrides section. No other configuration, scripts, or workspace settings were modified.

Changes

Dependency version override

Layer: Esbuild version override
File(s): package.json
Summary: Add explicit esbuild version pin at 0.28.1 to the overrides section in root package.json.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A pinned version, oh so neat,
esbuild at 0.28.1 can't be beat!
One line added, dependency tamed,
Build harmony is the game.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title 'fix(deps): resolve esbuild audit advisory' accurately and concisely describes the main change: adding an esbuild override to fix a security audit failure.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description check: Passed. The pull request description comprehensively covers all required template sections with detailed explanations of changes, rationale, verification steps, and risk assessment.


github-actions Bot left a comment

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

gemini-code-assist Bot left a comment

Code Review

This pull request adds esbuild version 0.28.1 as a direct dependency in package.json and updates the lockfile accordingly. It also cleans up older, nested versions of esbuild (such as those from drizzle-kit and electron-vite) from the lockfile. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Astro-Han added the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
github-actions Bot removed the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
Astro-Han added the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
github-actions Bot removed the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
Astro-Han added the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
github-actions Bot removed the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 117: package.json is pinned to "esbuild": "0.28.1" but old esbuild@0.27.x entries remain in bun.lock files; add an npm "overrides" (or "resolutions" if you prefer) section to package.json that forces esbuild and its platform packages to 0.28.1+ (e.g., add "overrides": { "esbuild": "0.28.1", "@esbuild/*": "0.28.1" }), then run bun install to regenerate bun.lock and site/bun.lock and commit the updated lockfiles so all @esbuild/* entries resolve to 0.28.1+.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 94d75cf7-e8e1-43d2-a904-0b0905dde1bd

📥 Commits

Reviewing files that changed from the base of the PR and between 5c61127 and b3ecf52.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • package.json
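The author's "rg actual esbuild/@esbuild lockfile resolutions below 0.28.1" verification step and CodeRabbit's note about lingering 0.27.x and @esbuild/* entries describe the same check. The script below is an added example, not the project's own code: it scans lockfile text for resolved esbuild and @esbuild/<platform> versions inside the GHSA-gv7w-rqvm-qjhr range (>=0.17.0 <0.28.1) stated in the PR, using a regex over the text (like rg) rather than Bun's lockfile parser; the bun.lock-style excerpts it runs on are constructed for illustration.

```javascript
// Added example (not the project's code): scan a bun.lock, or any lockfile
// text, for esbuild and @esbuild/* resolutions inside the GHSA-gv7w-rqvm-qjhr
// range (>=0.17.0 <0.28.1). Regex-based, like the author's rg check, so it
// does not depend on Bun's lockfile parser.

const VULN_MIN = [0, 17, 0]; // first affected version (inclusive)
const FIXED = [0, 28, 1];    // first fixed version (exclusive upper bound)

// Compare two [major, minor, patch] triples: negative when a < b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Every resolved "esbuild@x.y.z" or "@esbuild/<platform>@x.y.z" in the text.
// Dependency range specs ("esbuild": "^0.25.0") deliberately do not match.
function findEsbuildResolutions(lockText) {
  const re = /(?<![\w/-])(@esbuild\/[\w.-]+|esbuild)@(\d+)\.(\d+)\.(\d+)/g;
  return Array.from(lockText.matchAll(re), (m) => ({
    name: m[1],
    version: [m[2], m[3], m[4]].map(Number),
  }));
}

// Unique "name@version" strings that still fall inside the advisory range.
// An empty result is what "no matches" in the PR's verification list means.
function vulnerableEsbuild(lockText) {
  const out = new Set();
  for (const r of findEsbuildResolutions(lockText)) {
    if (cmp(r.version, VULN_MIN) >= 0 && cmp(r.version, FIXED) < 0) {
      out.add(`${r.name}@${r.version.join(".")}`);
    }
  }
  return [...out];
}

// Constructed bun.lock-style excerpts, not the project's real lockfiles:
// a top-level esbuild, one platform package, and a nested copy under vite.
const LOCK_BEFORE_OVERRIDE = `{
  "packages": {
    "esbuild": ["esbuild@0.27.7", "", { "bin": "bin/esbuild" }, "sha512-CONSTRUCTED"],
    "@esbuild/darwin-arm64": ["@esbuild/darwin-arm64@0.27.7", "", { "os": "darwin" }, "sha512-CONSTRUCTED"],
    "vite/esbuild": ["esbuild@0.25.12", "", { "bin": "bin/esbuild" }, "sha512-CONSTRUCTED"],
  }
}`;
// What the same excerpt looks like once the override has moved every copy to 0.28.1.
const LOCK_AFTER_OVERRIDE = LOCK_BEFORE_OVERRIDE.replace(/@0\.2[57]\.\d+/g, "@0.28.1");

console.log(vulnerableEsbuild(LOCK_BEFORE_OVERRIDE)); // three vulnerable resolutions
console.log(vulnerableEsbuild(LOCK_AFTER_OVERRIDE));  // []
```

Run it against the real bun.lock and site/bun.lock with `fs.readFileSync` in place of the constructed strings; a non-empty result means an override or lockfile refresh is still missing.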

github-actions Bot added the ci (Continuous integration / GitHub Actions) label on Jun 13, 2026
github-actions Bot added the ui (Design system and user interface) label on Jun 13, 2026
Astro-Han merged commit d77bba3 into dev on Jun 13, 2026
36 checks passed
Astro-Han deleted the codex/fix-esbuild-audit branch on June 13, 2026 at 14:53