chore: update esbuild #618

Merged

asanehisa merged 4 commits into main from vuln on Jun 17, 2026
Conversation

@asanehisa asanehisa (Contributor) commented Jun 16, 2026

@coderabbitai coderabbitai Bot commented Jun 16, 2026
Warning

Review limit reached

@asanehisa, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 32 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 182fdbdc-11f1-4975-9d3c-e0122e0ecd9d

📥 Commits

Reviewing files that changed from the base of the PR and between e8c8edc and c189a94.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

Dependency versions are bumped in both the root package.json and packages/pages/package.json: @types/node is updated to ^25.9.3, tsx to ^4.22.4, and esbuild to ^0.28.1. A pnpm.overrides block is added to the root package.json to pin esbuild at 0.28.1. In packages/pages/src/vite-plugin/build/build.ts, build.target: "es2022" is explicitly added to the Vite UserConfig. The THIRD-PARTY-NOTICES file, generated by generate-license-file, is regenerated to reflect the updated dependency tree, including new license blocks for process-nextick-args, core-util-is, to-buffer, and get-proto, removal of an asn1.js entry, and version bumps across many packages.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title accurately describes the main change—updating esbuild across the project to address a vulnerability.
  • Description check: ✅ Passed. The description references a Jira ticket (VULN-44975) and a similar prior PR, indicating it relates to a vulnerability fix involving esbuild.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch vuln

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

@asanehisa asanehisa marked this pull request as ready for review June 17, 2026 13:14
@asanehisa asanehisa requested a review from a team as a code owner June 17, 2026 13:14

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
THIRD-PARTY-NOTICES (1)

204-11215: ⚠️ Potential issue | 🟠 Major

Regenerate THIRD-PARTY-NOTICES from the current lockfile.
The file still includes 75 package names that do not appear in pnpm-lock.yaml, so stale entries need to be removed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@THIRD-PARTY-NOTICES` around lines 204 - 11215, THIRD-PARTY-NOTICES is stale
and contains packages not present in the current pnpm lockfile. Regenerate the
notice content from the current lockfile output so only actually bundled
dependencies remain, and remove obsolete entries from the existing generated
list. Use the same generation flow/tooling that produced the notices originally
so the package/license sections stay consistent with the current dependency
graph.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 35: The `@types/node` dependency is pinned to version ^25.9.3, which
corresponds to Node.js v25, but the project's engines field specifies support
for Node.js ^20.6.0 || ^22 || ^24, creating a version mismatch. Update the
`@types/node` version specification in package.json to ^20 to align with the
minimum supported Node.js version (20.6.0) and ensure type definitions
accurately reflect the APIs available in all supported runtime versions.

---

Outside diff comments:
In `@THIRD-PARTY-NOTICES`:
- Around line 204-11215: THIRD-PARTY-NOTICES is stale and contains packages not
present in the current pnpm lockfile. Regenerate the notice content from the
current lockfile output so only actually bundled dependencies remain, and remove
obsolete entries from the existing generated list. Use the same generation
flow/tooling that produced the notices originally so the package/license
sections stay consistent with the current dependency graph.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fbfd65e5-8bde-4f76-809d-4b1fdd2e9298

📥 Commits

Reviewing files that changed from the base of the PR and between 118eae1 and e8c8edc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • THIRD-PARTY-NOTICES
  • package.json
  • packages/pages/package.json
  • packages/pages/src/vite-plugin/build/build.ts
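The two package.json points raised in the review above (the `@types/node` major versus the `engines.node` range, and the `pnpm.overrides` pin for esbuild) can be checked mechanically. The following is an added example, not code from this repository or from CodeRabbit; the `samplePkg` object is a constructed fragment that mirrors the values quoted on this page, and the range parsing handles only the caret/tilde/exact forms those values use.

```javascript
// Added example (not part of the PR). Checks two review points against a
// package.json object: @types/node should track the lowest supported Node
// major, and a pnpm override should pin the same version the dependency
// range declares, so a transitive consumer cannot pull an older esbuild.

// Constructed fragment mirroring the values quoted in the review comments.
const samplePkg = {
  engines: { node: "^20.6.0 || ^22 || ^24" },
  devDependencies: { "@types/node": "^25.9.3", esbuild: "^0.28.1", tsx: "^4.22.4" },
  pnpm: { overrides: { esbuild: "0.28.1" } },
};

// Major version of a single range such as "^25.9.3", "~22", "=24.1.0" or "20".
function majorOf(range) {
  const m = /^[\^~=]?v?(\d+)/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return Number(m[1]);
}

// Majors permitted by an OR'd engines range such as "^20.6.0 || ^22 || ^24".
function engineMajors(enginesNode) {
  return enginesNode.split("||").map(majorOf);
}

// Looks a package up in dependencies or devDependencies.
function declaredRange(pkg, name) {
  return (pkg.devDependencies || {})[name] || (pkg.dependencies || {})[name];
}

// Reports whether @types/node is within the supported majors and, as the
// review recommends, aligned to the minimum so no newer-only API types leak in.
function checkTypesNode(pkg) {
  const typesMajor = majorOf(declaredRange(pkg, "@types/node"));
  const majors = engineMajors(pkg.engines.node);
  const lowest = Math.min(...majors);
  return {
    typesMajor,
    supported: majors.includes(typesMajor),
    alignedToMinimum: typesMajor === lowest,
    recommended: `^${lowest}`,
  };
}

// A pnpm override only pins when it is an exact version; it is consistent when
// it equals the declared range with its caret/tilde stripped.
function checkOverride(pkg, name) {
  const declared = declaredRange(pkg, name);
  const override = ((pkg.pnpm || {}).overrides || {})[name];
  const pinned = override !== undefined && !/^[\^~]/.test(override);
  const consistent = pinned && declared !== undefined && declared.replace(/^[\^~]/, "") === override;
  return { declared, override, pinned, consistent };
}
```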

Comment thread on package.json (outdated)
@asanehisa asanehisa merged commit 5c75399 into main Jun 17, 2026
31 checks passed
@asanehisa asanehisa deleted the vuln branch June 17, 2026 14:36