
Fix Dependabot security alerts across SPA samples #91

Merged: priyanshu92 merged 1 commit into main from priyanshu92/scaling-fishstick on Jun 17, 2026

@priyanshu92

Summary

Resolves all 13 open Dependabot alerts in samples/spa across 7 npm projects. npm run build was verified passing for every affected project.

Changes

esbuild (high — alerts #419–#425, all 7 projects)

esbuild is a build-time-only transitive dependency via Vite 6. The only patched version is 0.28.1, forced via npm overrides.

esbuild 0.28.1 has a regression where it wrongly tries to lower destructuring for Vite's default browser targets, which breaks vite build (Transforming destructuring to the configured target environment ... is not supported yet). To keep production builds working, each React project's vite.config now sets esbuild.supported.destructuring: true. This is behavior-preserving (bundle output unchanged). The Angular CLI builder is unaffected and needs no workaround.

Angular — samples/spa/angular/car-sales-website

  • @angular/common → 19.2.25 (#428, #429)
  • @angular/compiler → 19.2.25 (#430)
  • @angular/core → 19.2.25 (#427, #431)
  • tmp override bumped 0.2.6 → 0.2.7 (#426)

The Angular runtime packages require each other at the exact same version, so all were resolved together to the latest 19.2.x within the existing ^19.2.0 range via a clean reinstall.

Verification

npm run build succeeds for all 7 projects:

  • angular/car-sales-website
  • react/authentication-sample
  • react/car-sales-website
  • react/credit-cards-website
  • react/environment-variables-samples/vite-framework
  • react/fluent-ui-sample
  • react/localization-sample

Pre-existing build advisories (bundle-size budget, missing material-icons.css asset, chunk-size warnings) are unrelated to these changes.

🤖 Generated with Copilot CLI

Resolves 13 open Dependabot alerts in samples/spa.

esbuild (high, alerts 419-425) — transitive via Vite 6 in all 7 projects:
- Force esbuild 0.28.1 via npm overrides (only patched version).
- esbuild 0.28.1 regressed destructuring lowering for Vite's default
  browser targets, so add `esbuild.supported.destructuring: true` to each
  React project's vite.config to keep production builds working. The Angular
  CLI builder is unaffected and needs no workaround.

Angular (samples/spa/angular/car-sales-website):
- @angular/common 19.2.x -> 19.2.25 (alerts 428, 429)
- @angular/compiler 19.2.x -> 19.2.25 (alert 430)
- @angular/core 19.2.x -> 19.2.25 (alerts 427, 431)
- Bump tmp override 0.2.6 -> 0.2.7 (alert 426)

Verified `npm run build` succeeds for all 7 projects.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

priyanshu92 merged commit 0917443 into main on Jun 17, 2026
3 checks passed
priyanshu92 deleted the priyanshu92/scaling-fishstick branch on June 17, 2026 16:38
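
An added example, not part of this pull request or the repository's code: a lockfile check that an npm override really removed every copy of a transitive dependency (here esbuild below 0.28.1, including nested installs) and that the Angular runtime packages resolved to one version. It assumes a package-lock.json with lockfileVersion 2 or 3; the function names and the sample lockfile, including the nested 0.25.0 entry, are constructed for illustration.

```javascript
// Added example, not part of the PR. The lockfile contents below are constructed.

// Compare dotted numeric versions such as "0.28.1"; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` (hoisted or nested) older than `minVersion`.
// `lock` is a parsed package-lock.json with lockfileVersion 2 or 3.
function findStaleCopies(lock, name, minVersion) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .filter(([, meta]) => meta.version && compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Return the distinct versions resolved for packages that must stay in lockstep.
function distinctVersions(lock, names) {
  const versions = names
    .map((n) => (lock.packages || {})['node_modules/' + n])
    .filter(Boolean)
    .map((meta) => meta.version);
  return [...new Set(versions)];
}

// Constructed sample: a hoisted esbuild at the patched version plus a nested
// copy under vite, which is what an incomplete override would leave behind.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-spa' },
    'node_modules/esbuild': { version: '0.28.1' },
    'node_modules/vite/node_modules/esbuild': { version: '0.25.0' },
    'node_modules/@esbuild/linux-x64': { version: '0.28.1' },
    'node_modules/@angular/common': { version: '19.2.25' },
    'node_modules/@angular/compiler': { version: '19.2.25' },
    'node_modules/@angular/core': { version: '19.2.25' },
  },
};

console.log(findStaleCopies(sampleLock, 'esbuild', '0.28.1'));
console.log(distinctVersions(sampleLock, ['@angular/common', '@angular/compiler', '@angular/core']));
```

To check a real project, pass the parsed contents of its package-lock.json as `lock`; an empty result from `findStaleCopies` and a single entry from `distinctVersions` are the passing outcomes.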