[Aikido] Fix 3 security issues in esbuild, devalue

[aikido-autofix]

Upgrade esbuild and devalue to fix remote code execution via missing binary integrity checks, Windows path traversal in dev server, and denial-of-service via sparse array deserialization.

✅ Code not affected by breaking changes.

✅ The changelog entry mentions that integrity check hashes for platform-specific binary packages are now embedded in the top-level esbuild package, which could affect the fallback download path during installation. However, this change does not affect this codebase because:

1. No direct esbuild usage: The codebase does not directly import, require, or use esbuild in any source files (.js, .ts, .jsx, .tsx, .mjs, .cjs).

2. No custom installation scripts: There are no custom npm scripts, postinstall hooks, or shell scripts that interact with esbuild's installation process.

3. No custom npm configuration affecting downloads: The .npmrc file only configures a custom registry for @virtuslab packages and does not contain any settings that would interact with esbuild's fallback download mechanism.

4. Transitive dependency only: esbuild is used as a transitive dependency through Astro and Vite, and the installation is handled automatically by npm. The integrity check change is an internal implementation detail that npm handles transparently.

The breaking change is limited to the installation mechanism and does not affect the runtime API or behavior of esbuild. Since this codebase relies on standard npm installation without custom hooks or configurations that would interact with esbuild's download fallback path, the upgrade should proceed without issues.

All breaking changes by upgrading esbuild from version 0.27.7 to 0.28.1 (CHANGELOG)

Version	Description
0.28.0	Integrity check hashes for all platform-specific binary packages are now embedded in the top-level esbuild package, which could affect the fallback download path during installation

✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue	Severity	Description
GHSA-gv7w-rqvm-qjhr	HIGH	[esbuild] Deno module downloads native binaries from npm registry without SHA-256 integrity verification, allowing attackers who control the NPM_CONFIG_REGISTRY environment variable to inject malicious binaries and achieve remote code execution. Node.js equivalent includes this protection, but Deno implementation lacks it entirely.
GHSA-g7r4-m6w7-qqqr	LOW	[esbuild] A path traversal vulnerability in the development server on Windows allows attackers to bypass directory containment using backslash characters, enabling arbitrary file read access outside the configured servedir root directory.
CVE-2026-42570	HIGH	[devalue] Deserialization of sparse arrays causes excessive memory allocation due to JavaScript engine quirks, leading to denial of service through memory exhaustion.

🤖 Remediation details

Fix security vulnerabilities in esbuild and devalue transitive dependencies

Short summary

This PR remediates security vulnerabilities in two transitive dependencies — esbuild and devalue — neither of which is declared directly in package.json. Both are pulled in by astro. The fixes are applied via a lockfile-only update (devalue) and an overrides entry in the root package.json (esbuild), with the resolved versions recorded in package-lock.json.

esbuild

esbuild appeared in two lockfile instances: one hoisted to node_modules/esbuild (resolved by astro@5.18.1 under spec ^0.27.3) and one nested at node_modules/vite/node_modules/esbuild (resolved by vite@6.4.2 under spec ^0.25.0). Both caret ranges are capped below the patched floor of 0.28.1, and exhaustive parent-chain analysis confirmed no published version of astro bumps its esbuild spec to ^0.28.x, while the first vite release that resolves esbuild ≥ 0.28.1 is 8.0.4 — a major that no current astro release pulls in. With no viable parent-bump path available, a selector-pattern override "esbuild@<0.28.1": "0.28.1" was added to the root package.json, targeting only sub-0.28.1 instances; after npm install --package-lock-only both instances consolidated to 0.28.1.

devalue

devalue is a transitive dependency of astro, which already declares it as ^5.6.2 — a range that permits the patched version 5.8.1. The lockfile had simply not been refreshed to pick up the newer release, so running npm update devalue --package-lock-only was sufficient to advance the resolved version from 5.7.1 to 5.8.1 without any manifest change.

Version changes

Package	From	To	Why updated
esbuild	0.27.7 / 0.25.12	0.28.1	Override ("esbuild@<0.28.1": "0.28.1") — parent specs could not reach patched floor
devalue	5.7.1	5.8.1	Lockfile refresh — parent astro spec ^5.6.2 already permitted patched version

[aikido-autofix]

Closed by Aikido: a new AutoFix has been created → #7