Update `esbuild` to address GHSA-67mh-4wv8-2f99

[G-Rath]

It looks like as of v19 netlify-cli pulls in v0.19.11 and v0.21.2 of esbuild which are both vulnerable to GHSA-67mh-4wv8-2f99 - while I would be surprised if this is exploitable, but it would still be good to have addressed for security compliance.

npm ls esbuild
└─┬ netlify-cli@19.0.0
  ├─┬ @netlify/build@29.58.10
  │ ├─┬ @netlify/functions-utils@5.3.6
  │ │ └─┬ @netlify/zip-it-and-ship-it@9.42.6
  │ │   └── esbuild@0.19.11 deduped
  │ └─┬ @netlify/zip-it-and-ship-it@9.42.6
  │   └── esbuild@0.19.11 deduped
  ├─┬ @netlify/edge-bundler@12.3.2
  │ └── esbuild@0.21.2
  └─┬ @netlify/zip-it-and-ship-it@9.42.5
    └── esbuild@0.19.11

Note also it would be good to have all netlify packages using the same version especially since esbuild is a binary-based package, so having multiple versions of it in the tree is annoying.

[G-Rath]

Relates a bit to #6731, though in this particular case not using shrinkwrap might not have helped since this is a 0.x version of a build tool so it would be fair to use ~, and the fix was not backported to any old versions

Also, I didn't feel this was a "bug" or a "feature" so I used the "blank issue" option - let me know if in future you'd prefer I open these types of tickets as one of the mentioned types :)

[serhalp]

Thanks for reporting this, @G-Rath! We do see the security alert internally. It looks like we'll need to update some dependencies in some other Netlify repos to be able to address this in Netlify CLI. We'll get this prioritized.

[XhmikosR]

Note that this pinning of dependencies results in hundreds of duplicate packages across your netlify packages... Related #3941.

Quickly check the duplicate packages: https://npmgraph.js.org/?q=netlify-cli

[G-Rath]

@serhalp any update on this?

[XhmikosR]

IMHO there shouldn't be any pinning at least for Netlify's own packages. Assuming you guys follow semver, there's no gain from pinning your own packages. It should help with deduplication a bit.

Third-party packages is a whole other situation, though, and requires making sure you just don't bump major deps blindly across your own packages so that they can be deduplicated when possible.