chore: update esbuild

[asanehisa]

For this vuln, have esbuild be 0.28.1 everywhere.

Additionally removed some dependencies that weren't used in packages/visual-editor and moved others only used in dev to devDependencies.

And aligned all the nodes to "node": "^20.6.0 || ^22 || ^24" (already was done in other package.json files)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 02a26af6-5cdd-45b9-a267-e7e7ea54f7f4

📥 Commits

Reviewing files that changed from the base of the PR and between 1c8d79c and 431ba21.

📒 Files selected for processing (1)

• starter/vite.config.js

---

Walkthrough

This PR updates dependencies across the monorepo with structural changes to the visual-editor package. Root package.json updates @types/node to ^20.0.0 and tsx to ^4.22.4, while adding an esbuild 0.28.1 override to pnpm.overrides. Starter package.json also receives an @types/node update to ^20.0.0. In packages/visual-editor, dependencies are restructured: tsx moves from dependencies to devDependencies, the engines.node range is expanded to ^20.6.0 || ^22 || ^24, and minimist and semver are removed from dev dependencies. Microsoft API documentation packages (@microsoft/api-documenter, @microsoft/api-extractor, @microsoft/api-extractor-model) are updated to newer releases. Vite configurations in both visual-editor and starter add explicit es2022 transpilation targets for both dependency pre-bundling and library builds. License notices are regenerated to reflect the updated bundled dependency versions.

Suggested reviewers

• mkilpatrick
• briantstephan
• benlife5

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: update esbuild' is related to the PR's main objective of updating esbuild to 0.28.1 for a vulnerability fix, but it is somewhat vague and doesn't capture the broader scope of dependency cleanup and standardization also included in the changeset.
Description check	✅ Passed	The description clearly explains the vulnerability fix, dependency cleanup, and Node.js version alignment, all of which are present in the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch vuln

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/visual-editor/package.json`:
- Line 98: Move the tsx dependency from the dependencies section to the
devDependencies section in packages/visual-editor/package.json. The tsx entry
with version ^4.22.4 is currently listed as a production dependency but should
only be listed as a development dependency since it is only used for development
scripting and tooling, not for runtime execution.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 87462486-d9f4-4588-ae9c-4590e816e844

📥 Commits

Reviewing files that changed from the base of the PR and between 196f5e1 and 03c53af.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (5)

• package.json
• packages/visual-editor/THIRD-PARTY-NOTICES
• packages/visual-editor/package.json
• packages/visual-editor/vite.config.ts
• starter/package.json

[mkilpatrick]

Why do we need to target an older version after upgrading esbuild?

[asanehisa]

Oh it makes the upgraded esbuild compile to the JS version we're using or else it breaks when testing

[mkilpatrick]

What is "JS version we're using?" Like Node version? And is this only for running tests when you say "testing" or do you mean testing the full flow/working for real? If this is specific to running tests only then we shouldn't have it do this for the prod output.

[asanehisa]

Hmm so target by default assumes all of the latest JavaScript and CSS features are supported, but for us it isn't as we are on Node 20, 22, 24. Google says Node version + browser determines which targets are supported, so it is Node dependent.

And sorry it is for running tests (including testing in fake starter with pnpm run dev) and building (pnpm build). Or else I see
│ Transforming destructuring to the configured target environment ("chrome87", "edge88", "es2020", "firefox78", "safari14"… errors when testing and/or building.

[mkilpatrick]

Ok, just weird we didn't have to do this before