Skip to content

[Aikido] Fix security issue in esbuild via minor version upgrade from 0.28.0 to 0.28.1#1708

Open
aikido-autofix[bot] wants to merge 2 commits into
mainfrom
fix/aikido-security-update-packages-49052259-fn62
Open

[Aikido] Fix security issue in esbuild via minor version upgrade from 0.28.0 to 0.28.1#1708
aikido-autofix[bot] wants to merge 2 commits into
mainfrom
fix/aikido-security-update-packages-49052259-fn62

Conversation

@aikido-autofix

@aikido-autofix aikido-autofix Bot commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Upgrade esbuild to fix remote code execution via unverified binary downloads in Deno and path traversal on Windows dev server.

✅ Code not affected by breaking changes.

✅ No breaking changes from esbuild 0.28.0 => 0.28.1 affect this codebase.

Analysis:

  1. HTTP requests with backslash characters in paths: This codebase does not use esbuild's local development server. The @aligent/cdk-esbuild package only uses buildSync() for bundling Lambda functions during CDK synthesis (as seen in packages/constructs/esbuild/esbuild.ts). The development server feature (.serve()) is not used anywhere in the codebase.

  2. Custom package registry integrity checks: No usage of custom NPM registries (NPM_CONFIG_REGISTRY) or Deno API was found in the codebase. The project uses standard npm/yarn package management without custom registry configurations.

The esbuild package is used exclusively for build-time bundling of Lambda@Edge handlers and Lambda functions, not for running a development server or using the Deno API. Therefore, neither breaking change impacts this codebase.

All breaking changes by upgrading esbuild from version 0.28.0 to 0.28.1 (CHANGELOG)

Version Description 
0.28.1
 HTTP requests with paths containing \ backslash characters are no longer allowed in the local development server 
0.28.1
 The esbuild executable served by custom package registries (via NPM_CONFIG_REGISTRY) must now match the expected content due to integrity checks in the Deno API
✅ 2 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description 
GHSA-gv7w-rqvm-qjhr
 
HIGH
 [esbuild] Deno module downloads native binaries from npm registry without SHA-256 integrity verification, allowing attackers who control the NPM_CONFIG_REGISTRY environment variable to inject malicious binaries and achieve remote code execution. Node.js equivalent includes this protection, but Deno implementation lacks it entirely. 
GHSA-g7r4-m6w7-qqqr
 
LOW
 [esbuild] A path traversal vulnerability in the development server on Windows allows attackers to bypass directory containment using backslash characters, enabling arbitrary file read access outside the configured servedir root directory.
🤖 Remediation details

Fix esbuild security vulnerabilities (GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr)

Short summary

This PR remediates two security advisories (one HIGH, one LOW severity) affecting esbuild. The vulnerable package appears as a transitive dependency consumed by two workspace members — packages/constructs/esbuild and packages/cdk-aspects — both of which declare "esbuild": "^0.28.0" in their respective package.json manifests. No manifest files required editing; only yarn.lock was updated to resolve esbuild to the patched version.

esbuild

Both workspace packages (@aligent/cdk-esbuild at packages/constructs/esbuild and @aligent/cdk-aspects at packages/cdk-aspects) already declared "esbuild": "^0.28.0", a range that permits 0.28.1. The lockfile had simply resolved to 0.28.0 at install time and was not yet refreshed to the patched release. Running yarn up -R esbuild --mode=update-lockfile refreshed the single shared lockfile entry — and all accompanying @esbuild/* platform-specific optional packages — from 0.28.0 to 0.28.1 without any manifest changes, resolving both advisories.

Version changes

Package From To Why updated
esbuild 0.28.0 0.28.1 Lockfile refresh only — direct CVE fix (GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr)
@esbuild/aix-ppc64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/android-arm 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/android-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/android-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/darwin-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/darwin-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/freebsd-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/freebsd-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-arm 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-ia32 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-loong64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-mips64el 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-ppc64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-riscv64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-s390x 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/linux-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/netbsd-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/netbsd-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/openbsd-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/openbsd-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/sunos-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/win32-arm64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/win32-ia32 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild
@esbuild/win32-x64 0.28.0 0.28.1 Lockfile refresh only — esbuild platform package co-versioned with esbuild

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner June 13, 2026 23:50
@aikido-autofix aikido-autofix Bot requested review from AdamJHall and crispy101 June 13, 2026 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AdamJHall AdamJHall Awaiting requested review from AdamJHall AdamJHall is a code owner automatically assigned from aligent/devops

@crispy101 crispy101 Awaiting requested review from crispy101 crispy101 is a code owner automatically assigned from aligent/devops

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants