Goal
Resolve the 3 high-severity npm audit findings in frontend/ that all stem from a single transitive dependency on a vulnerable esbuild, so that npm audit --audit-level=high --prefix frontend (matching the CI security check) reports 0 vulnerabilities.
Your Task
- Upgrade vite (currently ^6.2.0, resolving to 6.4.3) to v8 and bump @vitejs/plugin-react to a compatible major in frontend/package.json.
- Run npm install --prefix frontend and confirm esbuild resolves to >= 0.28.1.
- Address any vite 6 → 8 breaking changes (config in frontend/vite.config.ts, plugin API, build target/output) needed to make npm run --prefix frontend build succeed.
- Verify the dev server, unit tests (Vitest), and Playwright E2E still work.
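As an added example that is not part of this ticket or the project, a small Node script that walks the JSON emitted by npm ls esbuild --json --prefix frontend and flags every esbuild inside the advisory's affected range, so step 2 can be checked against the full dependency tree rather than a single top-level entry (the sample trees, and the plugin-react, vite 8 and esbuild patch versions in them, are constructed placeholders):

```javascript
// Added example, not from the ticket: audit `npm ls esbuild --json` output
// against the range for GHSA-gv7w-rqvm-qjhr (esbuild 0.17.0 - 0.28.0 inclusive).
const AFFECTED_MIN = [0, 17, 0];
const AFFECTED_MAX = [0, 28, 0];

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isAffected(version) {
  const v = parseSemver(version);
  return compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Recursively walk the nested `dependencies` objects in npm ls --json output
// and collect every esbuild node that reports a version, with its path.
function findEsbuild(node, path = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version || '?'}`];
    if (name === 'esbuild' && child.version) {
      out.push({ version: child.version, path: here.join(' > ') });
    }
    findEsbuild(child, here, out);
  }
  return out;
}

function auditTree(tree) {
  const found = findEsbuild(tree);
  return { found, affected: found.filter((f) => isAffected(f.version)) };
}

// Constructed sample shaped like the chain in the ticket before the upgrade
// (the plugin-react and esbuild patch versions are placeholders).
const BEFORE = { name: 'frontend', dependencies: {
  '@vitejs/plugin-react': { version: '4.0.0', dependencies: {
    vite: { version: '6.4.3', dependencies: { esbuild: { version: '0.25.0' } } } } } } };
// Constructed sample after the upgrade (the vite 8 version is a placeholder).
const AFTER = { name: 'frontend', dependencies: {
  vite: { version: '8.0.0', dependencies: { esbuild: { version: '0.28.1' } } } } };

for (const [label, tree] of [['before', BEFORE], ['after', AFTER]]) {
  const { affected } = auditTree(tree);
  console.log(label, affected.length ? affected.map((a) => a.path) : 'no affected esbuild');
}
```

To run it on the real tree, replace BEFORE with JSON.parse of the captured npm ls output.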
Context
The advisory GHSA-gv7w-rqvm-qjhr (esbuild dev-server / Deno module RCE via NPM_CONFIG_REGISTRY) affects esbuild 0.17.0 – 0.28.0. The chain is esbuild → vite@6.4.3 → @vitejs/plugin-react.
The /x-fixing-vulnerabilities skill attempted a non-breaking fix and could not resolve it:
npm audit fix (non-force) does nothing — the only patched esbuild is 0.28.1.
vite@6.4.3 pins esbuild: ^0.25.0 (i.e. < 0.26), so an overrides: { "esbuild": "^0.28.1" } entry was tried. Audit went clean and all unit tests + lint passed, but npm run --prefix frontend build failed with 12 errors (Transforming destructuring to the configured target environment ... is not supported yet). esbuild 0.28.x is genuinely incompatible with vite 6's build pipeline, so the override was reverted.
There is no esbuild version that is both patched and compatible with vite 6. The only resolution is the major vite upgrade — equivalent to npm audit fix --force, which the skill deliberately avoids because it needs human review.
Warning
- This is a major version bump (vite 6 → 8) and may require config and plugin changes; it is intentionally out of scope for the automated vulnerability-fix skill.
- The vulnerability is dev-only: the frontend ships pre-built static assets to S3/CloudFront, so esbuild never runs in production. Practical exposure is local dev / CI, not the deployed app. CI's --audit-level=high will still flag it until fixed.
- Do the work on a dedicated branch and run the full frontend verification suite before merging.
Acceptance Criteria
- npm audit --audit-level=high --prefix frontend reports found 0 vulnerabilities.
- npm ls esbuild --prefix frontend shows esbuild@0.28.1 or later.
- npm run --prefix frontend build exits 0 and produces frontend/dist/.
- npm run --prefix frontend test -- --run passes all tests.
- npm run --prefix frontend lint exits 0.
- npx --prefix frontend playwright test (frontend E2E) passes.