René's URL Explorer Experiment


Title: Bump esbuild from 0.28.0 to 0.28.1 by dependabot[bot] · Pull Request #3958 · github/codeql-action · GitHub

Open Graph Title: Bump esbuild from 0.28.0 to 0.28.1 by dependabot[bot] · Pull Request #3958 · github/codeql-action

X Title: Bump esbuild from 0.28.0 to 0.28.1 by dependabot[bot] · Pull Request #3958 · github/codeql-action

Description: Bumps esbuild from 0.28.0 to 0.28.1. Release notes Sourced from esbuild's releases. v0.28.1 Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr) This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed. Thanks to @​dellalibera for reporting this issue. Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr) The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content. Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content. Thanks to @​sondt99 for reporting this issue. Avoid inlining using and await using declarations (#4482) Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example: // Original code { using x = new Resource() x.activate() } // Old output (with --minify) new Resource().activate(); // New output (with --minify) {using e=new Resource;e.activate()} Fix module evaluation when an error is thrown (#4461, #4467) If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation. Fix some edge cases around the new operator (#4477) Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code: // Original code new (foo()`bar`)() new (foo()?.bar)() // Old output new foo()bar(); new (foo())?.bar(); ... (truncated) Changelog Sourced from esbuild's changelog. 0.28.1 Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr) This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed. Thanks to @​dellalibera for reporting this issue. Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr) The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content. Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content. Thanks to @​sondt99 for reporting this issue. Avoid inlining using and await using declarations (#4482) Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example: // Original code { using x = new Resource() x.activate() } // Old output (with --minify) new Resource().activate(); // New output (with --minify) {using e=new Resource;e.activate()} Fix module evaluation when an error is thrown (#4461, #4467) If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation. Fix some edge cases around the new operator (#4477) Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code: // Original code new (foo()`bar`)() new (foo()?.bar)() // Old output new foo()bar(); new (foo())?.bar(); ... (truncated) Commits bb9db84 publish 0.28.1 to npm 9ff053e security: add integrity checks to the Deno API 0a9bf21 enforce non-negative size in gzip parser e2a1a71 security: forbid \\ in local dev server requests 83a2cbf fix #4482: don't inline using declarations 308ad74 fix #4471: renaming of nested var declarations f013f5f fix some typos aafd6e4 chore: fix some minor issues in comments (#4462) 15300c3 follow up: cjs evaluation fixes 1bda0c3 fix #4461, fix #4467: esm evaluation fixes Additional commits viewable in compare view Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase. Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: @dependabot rebase will rebase this PR @dependabot recreate will recreate this PR, overwriting any edits that have been made to it @dependabot show ignore conditions will show all of the ignore conditions of the specified dependency @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Open Graph Description: Bumps esbuild from 0.28.0 to 0.28.1. Release notes Sourced from esbuild's releases. v0.28.1 Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr) This release fixes a s...

X Description: Bumps esbuild from 0.28.0 to 0.28.1. Release notes Sourced from esbuild's releases. v0.28.1 Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr) This release fixes...

Opengraph URL: https://github.com/github/codeql-action/pull/3958

X: @github

direct link

Domain: github.com

route-pattern/:user_id/:repository/pull/:id/files(.:format)
route-controllerpull_requests
route-actionfiles
fetch-noncev2:4dac765e-587b-908b-cdb3-036cb85f306d
current-catalog-service-hashae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b
request-id8DD8:171F06:1A0144:21EDA5:6A4C1FC3
html-safe-nonce8e78e331359b624e9a3863dc1f768bca2b225306f1502ecfd10cd16a7264ca2c
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4REQ4OjE3MUYwNjoxQTAxNDQ6MjFFREE1OjZBNEMxRkMzIiwidmlzaXRvcl9pZCI6IjEzODAzMDk5NTEzNTI0MTQxNDciLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmac458b27dffd16bf239003b5258d1579189fc4fb78d2734c37f64e09619654f906
hovercard-subject-tagpull_request:3859225797
github-keyboard-shortcutsrepository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///pull_requests/show/files
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/github/codeql-action/pull/3958/files
twitter:imagehttps://avatars.githubusercontent.com/in/29110?s=400&v=4
twitter:cardsummary_large_image
og:imagehttps://avatars.githubusercontent.com/in/29110?s=400&v=4
og:image:altBumps esbuild from 0.28.0 to 0.28.1. Release notes Sourced from esbuild's releases. v0.28.1 Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr) This release fixes a s...
og:site_nameGitHub
og:typeobject
hostnamegithub.com
expected-hostnamegithub.com
None1b6b16d04026f131a36d57e3b01d0f4d26a51800edf48bf5ed0256e0ac905511
turbo-cache-controlno-preview
diff-viewunified
go-importgithub.com/github/codeql-action git https://github.com/github/codeql-action.git
octolytics-dimension-user_id9919
octolytics-dimension-user_logingithub
octolytics-dimension-repository_id259445878
octolytics-dimension-repository_nwogithub/codeql-action
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id259445878
octolytics-dimension-repository_network_root_nwogithub/codeql-action
turbo-body-classeslogged-out env-production page-responsive full-width
disable-turbotrue
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
releasef95fb36c72adc940ff991c03531114b2245658d0
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/github/codeql-action/pull/3958/files#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fgithub%2Fcodeql-action%2Fpull%2F3958%2Ffiles
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fgithub%2Fcodeql-action%2Fpull%2F3958%2Ffiles
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fpull_requests%2Fshow%2Ffiles&source=header-repo&source_repo=github%2Fcodeql-action
Reloadhttps://github.com/github/codeql-action/pull/3958/files
Reloadhttps://github.com/github/codeql-action/pull/3958/files
Reloadhttps://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
github https://github.com/github
codeql-actionhttps://github.com/github/codeql-action
Notifications https://github.com/login?return_to=%2Fgithub%2Fcodeql-action
Fork 471 https://github.com/login?return_to=%2Fgithub%2Fcodeql-action
Star 1.6k https://github.com/login?return_to=%2Fgithub%2Fcodeql-action
Code https://github.com/github/codeql-action
Issues 156 https://github.com/github/codeql-action/issues
Pull requests 27 https://github.com/github/codeql-action/pulls
Actions https://github.com/github/codeql-action/actions
Models https://github.com/github/codeql-action/models
Security and quality 2 https://github.com/github/codeql-action/security
Insights https://github.com/github/codeql-action/pulse
Code https://github.com/github/codeql-action
Issues https://github.com/github/codeql-action/issues
Pull requests https://github.com/github/codeql-action/pulls
Actions https://github.com/github/codeql-action/actions
Models https://github.com/github/codeql-action/models
Security and quality https://github.com/github/codeql-action/security
Insights https://github.com/github/codeql-action/pulse
Sign up for GitHub https://github.com/signup?return_to=%2Fgithub%2Fcodeql-action%2Fissues%2Fnew%2Fchoose
terms of servicehttps://docs.github.com/terms
privacy statementhttps://docs.github.com/privacy
Sign inhttps://github.com/login?return_to=%2Fgithub%2Fcodeql-action%2Fissues%2Fnew%2Fchoose
henrymercerhttps://github.com/henrymercer
mainhttps://github.com/github/codeql-action/tree/main
dependabot/npm_and_yarn/esbuild-0.28.1https://github.com/github/codeql-action/tree/dependabot/npm_and_yarn/esbuild-0.28.1
Conversation 2 https://github.com/github/codeql-action/pull/3958
Findings https://github.com/github/codeql-action/pull/3958/findings
Commits 2 https://github.com/github/codeql-action/pull/3958/commits
Checks 416 https://github.com/github/codeql-action/pull/3958/checks
Files changed https://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
Bump esbuild from 0.28.0 to 0.28.1 https://github.com/github/codeql-action/pull/3958/files#top
Show all changes 2 commits https://github.com/github/codeql-action/pull/3958/files
c8f0aa4 Bump esbuild from 0.28.0 to 0.28.1 dependabot[bot] Jun 13, 2026 https://github.com/github/codeql-action/pull/3958/commits/c8f0aa4c67ebce6e4661bf6067d76ce7e95c817e
98dfd09 Rebuild github-actions[bot] Jun 13, 2026 https://github.com/github/codeql-action/pull/3958/commits/98dfd09d4a8e8a3215b817a5f71efaf55929f1b6
Clear filters https://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
entry-points.js https://github.com/github/codeql-action/pull/3958/files#diff-73697317a7dd14441dcfb24bc586f637ae2b815b5e503a05a81816be74fcd815
package-lock.json https://github.com/github/codeql-action/pull/3958/files#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519
package.json https://github.com/github/codeql-action/pull/3958/files#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
https://github.com/github/codeql-action/blob/main/CODEOWNERS#L1
lib/entry-points.jshttps://github.com/github/codeql-action/pull/3958/files#diff-73697317a7dd14441dcfb24bc586f637ae2b815b5e503a05a81816be74fcd815
View file https://github.com/github/codeql-action/blob/98dfd09d4a8e8a3215b817a5f71efaf55929f1b6/lib/entry-points.js
Open in desktop https://desktop.github.com
how customized files appear on GitHubhttps://docs.github.com/github/administering-a-repository/customizing-how-changed-files-appear-on-github
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
Please reload this pagehttps://github.com/github/codeql-action/pull/3958/files
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.