Skip to content

fix: up esbuild to avoid vuln (v3.0.6)#677

Merged
Fondryext merged 5 commits into
mainfrom
dev/up-esbuild
Jun 16, 2026
Merged

fix: up esbuild to avoid vuln (v3.0.6)#677
Fondryext merged 5 commits into
mainfrom
dev/up-esbuild

Conversation

@Fondryext

Copy link
Copy Markdown
Contributor

As title suggests. Avoids:
GHSA-gv7w-rqvm-qjhr

J=VULN-44973
TEST=compile

As title suggests. Avoids:
GHSA-gv7w-rqvm-qjhr

J=VULN-44973
TEST=compile
@Fondryext Fondryext requested a review from a team as a code owner June 16, 2026 14:48
Comment thread package-lock.json Outdated
@semgrep-code-yext

Copy link
Copy Markdown

Legal Risk

The following dependencies were released under a license that
is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license

non-standard

@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Current unit coverage is 89.16766228594186%
Current visual coverage is 68.97263810015488%
Current combined coverage is 91.59828057835092%

@coveralls

coveralls commented Jun 16, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 84.463%. remained the same — dev/up-esbuild into main

@Fondryext Fondryext merged commit a057349 into main Jun 16, 2026
18 of 19 checks passed
@Fondryext Fondryext deleted the dev/up-esbuild branch June 16, 2026 16:10
Fondryext added a commit that referenced this pull request Jun 16, 2026
* feat: allow users to turn analytics on and off (v2.1.0) (#632)

* feat: allow users to turn analytics on and off (v2.1.0)

This PR adds a new property to the SearchAnalyticsConfig, which
can be used to start with analytics enabled or disabled by
default. Three new methods are added to the analytics object-
two to turn analytics on/off, and one to get the current enabled
status.

J=WAT-5404
TEST=auto, manual

Ran test site locally with debugging and buttons to turn
analytics on and off, saw expected behavior.

* Update various names to be in-line with pages code

* Automated update to repo's documentation from github action

* Add enableYextAnalytics function to window

* drop unneeded parens

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v2.1.0

* More accessbilities fixes for autocomplete results (#635)

* More accessbilities fixes for autocomplete results

Associate the visible label with the input via `label` + `htmlFor`, and wire `DropdownInput` with `inputId` and `aria-labelledby`.

Change the instructions container from `hidden` to `sr-only`, so `aria-describedby` references content that is actually exposed to screen readers.

J=WAT-5357
TEST=manual

tested with voice over enabled on test-site

* Update snapshots

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v2.1.1

* chore: suppress error/warning spam, fix key errors etc (#642)

* fix: point TypeScript output to dist directory (#644)

* suppress error/warning spam, fix key errors etc

* set ts output dir to dist

* retry logic to WCAG

* release: v2.1.2

* fix: improve accessibility in FilterSearch and Facets (v2.2.0) (#638)

* fix linting; added optional region landmark semantics to FilterSearch

* Automated update to repo's documentation from github action

* chore: suppress error/warning spam, fix key errors etc (#642)

* fix: point TypeScript output to dist directory (#644)

* suppress error/warning spam, fix key errors etc

* set ts output dir to dist

* retry logic to WCAG

* release: v2.1.2

* revert fieldset legend accessibility change

* Automated update to repo's documentation from github action

* optional toggle to show label on facet/static filter searchable sections; update locales

* add group section semantics to filter search results when multiple sections

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* hotfix: improve accessibility in FilterSearch (v2.2.0) (#649)

- make sure autocomplete option count is announced when the input is cleared too
- detect all stale state value usages when using React.useState and fix to use a functional state update (eg setValue(value + 1) becomes setValue(prev => prev + 1))

* chore: update svgo and storybook (#651)

* release: v2.2.0

* chore: upgrade mapbox-gl version for accessibility issues (v3.0.0) (#654)

- current version has some accessibility issues that will be addressed by this upgrade
- removed unnecessary @types/mapbox-gl import since mapbox-gl provides its own types
- replace Mapbox-owned public types in search-ui-react with library-owned, version-stable interfaces
- replace deprecated Mapbox aliases usage
This PR also includes some improvements that I noticed when testing:
- test-site pin popups not showing up
- clean up the map listeners properly
- memoizes the debounced function so it stays the same across renders unless milliseconds changes

J=WAT-5461
TEST=auto,manual

verified test-site still function as expected
verified that locator functions as expected and that there is no longer any accessibility errors on live site

* release: v3.0.0

* chore: upgrade transitive handlebars dependency (#657)

* fix: various accessibility improvements (v3.0.1) (#659)

* various improvements

* Update snapshots

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v3.0.1

* fix: axios and vite vulns

This PR ups the axios and vite versions we use to avoid the
vulnerabilities in each.
J=VULN-43399, VULN-43501, VULN-43502

* release: v3.0.2

* fix: up node version in tests to 20 (#665)

* fix: up node version in tests to 20

We recently upped the node versions in the reusable
workflows to 20, so do the same here

* remake package locks

* Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check

* Update snapshots

* try remaking with node 20

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* Version 3.0.3: fix lodash vulns (#664)

* Version 3.0.3: fix lodash vulns

The versions of lodash and lodash-es used have a vuln,
so this PR bumps them to a safe version.
J=TECHOPS-17980

* bump versions higher

* seeing weird build errors, remake package locks

* Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check

* Update snapshots

* remake package locks

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v3.0.3

* fix: @babel/preset-env vulnerabilities (v3.0.4) (#670)

@babel/preset-env@7.23.2 depends on @babel/plugin-transform-modules-systemjs@7.29.0, which has vulnerabilities.
The latest @babel/preset-env version fixed this

* release: v3.0.4

* fix: axios vulns (v3.0.5) (#673)

* fix: axios vulns (v3.0.5)

This axios version bump should fix two vulns:
- Prototype Pollution
- Inefficient Regular Expression Complexity

J=VULN-44767,VULN-44820

* Update snapshots

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v3.0.5

* fix: up esbuild to avoid vuln (v3.0.6) (#677)

* fix: up esbuild to avoid vuln

As title suggests. Avoids:
GHSA-gv7w-rqvm-qjhr

J=VULN-44973
TEST=compile

* remake package locks

* Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check

* Update snapshots

* override

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

* release: v3.0.6

* try remake

* up rollup

---------

Co-authored-by: Fondryext <160865254+Fondryext@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jacob Fondriest <jfondriest@yext.com>
Co-authored-by: anguyen-yext2 <143001514+anguyen-yext2@users.noreply.github.com>
Co-authored-by: anguyen-yext2 <anguyen@yext.com>
Co-authored-by: Kyle Gerner <49618240+k-gerner@users.noreply.github.com>
Co-authored-by: Kyle Gerner <kgerner@yext.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants