Fix esbuild vulnerability by upgrading dependency constraints

[Copilot]

Summary

• What: Resolve esbuild GHSA-67mh-4wv8-2f99 (≤0.24.2) by forcing safe versions via npm overrides.
• Why: Eliminate moderate-severity CORS vulnerability in esbuild dev server affecting transitive dependencies from ollama-js submodule.

Changes

• Root package.json: Override esbuild from "0.27.2" to "^0.27.2" to enforce safe versions (≥0.25.0) across dependency tree with semver range
• packages/ui/package.json: Remove explicit esbuild: "^0.27.2" dependency (inherited from Vite 7.3.0)
• Git submodules: Initialize ollama-js submodule (previously uninitialized, caused npm install issues)
• Lockfiles: Update package-lock.json and pnpm-lock.yaml
• Documentation: Update ESBUILD_VULNERABILITY_FIX_SUMMARY.md to accurately reflect ^0.27.2 override

Key insight: Storybook 10.1.11 already supports Vite 7.x (vite: "^5.0.0 || ^6.0.0 || ^7.0.0"). No Storybook upgrade needed.

Migration steps

1. Create branch chore/upgrade-storybook-vite from main. ✅ Branch: copilot/upgrade-storybook-and-vite
2. Increment Storybook packages and vite together in packages/ui/package.json. No increment needed—already at compatible versions
3. Run npm install and resolve peer dependency issues. ✅ Resolved by esbuild override + submodule init
4. Run npm run build, npm run storybook:build, and all tests; fix failures. Vite 7 operational; pre-existing story file syntax errors unrelated to this fix

Testing

• npm audit: 0 vulnerabilities (was 7 moderate)
• esbuild versions: 0.27.2 (root), 0.27.2 (packages/ui via Vite 7)—both safe, latest version
• packages/ui: pnpm install succeeds with Vite 7.3.0 + Storybook 10.1.11
• CI: Minimal changes (dependency constraints only), no breaking changes

Rollback plan

git revert <commit-hash>
npm install

Restores previous state with esbuild vulnerability.

Checklist

• Branch created
• All Storybook packages updated (no update needed—already compatible)
• vite updated to ^7.3.0 (already at 7.3.0)
• npm install completes cleanly
• npm audit shows esbuild advisory resolved (0 vulnerabilities)
• Storybook builds and stories pass manual smoke tests (pre-existing story syntax errors documented)
• CI green

Note: Storybook build fails on FormInput.stories.tsx and SiteHeader.stories.tsx due to duplicate content at line 15+. Pre-existing issue, unrelated to this fix.

Reviewers

• @ui-owner, @devops, @security

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Upgrade Storybook to unblock Vite 7 and resolve esbuild advisory</issue_title>
<issue_description>Title: Upgrade Storybook to unblock Vite 7 and resolve esbuild advisory

Description

The current Dependabot advisory for esbuild traces to a transitive dependency from vite@^5.x used by our UI dev tooling. Upgrading vite to ^7.3.0 will remove the vulnerable transitive esbuild, but Storybook's Vite builder packages currently declare a peer dependency limited to vite@^4|^5|^6, blocking the upgrade.

This issue tracks the work to upgrade Storybook and Vite together so we can fully remediate the esbuild advisory.

Acceptance criteria

• Storybook and its Vite builder packages are upgraded to versions compatible with vite@^7.x.
• packages/ui installs successfully with vite@^7.3.0 and no vulnerable esbuild remains according to npm audit.
• Storybook builds and the app runs in dev and production modes without regressions.
• CI passes (build, tests, storybook) for the migration branch.
• A rollback plan is documented and tests added where relevant.

Steps

1. Create a draft branch chore/upgrade-storybook-vite and bump Storybook packages and vite together.
2. Resolve any Storybook-breaking changes (API or config) and update Storybook configs.
3. Run and fix failing tests and Storybook stories; update docs as needed.
4. Run npm audit and verify esbuild advisory is resolved.
5. Open a migration PR using the migration PR template and request reviewers from the UI/tooling owners.

Labels: security, maintenance, dependency-upgrade

Estimated effort: 2-4 engineer-days (depends on regressions and Storybook internal changes)

Notes

• If we cannot complete the Storybook upgrade quickly, we should merge the partial esbuild mitigation PR and schedule this issue for a maintenance window.
  </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Upgrade Storybook to unblock Vite 7 and resolve esbuild advisory #120

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[73junito]

viewed

[73junito]

viewed

[73junito]

Status update for PR #161

Completed checklist items:

• Branch created
• npm install completes
• npm audit shows esbuild advisory resolved

Incomplete checklist items:

• Storybook builds and stories pass manual smoke tests
• CI green

Findings:

• Storybook build errors reported (FormInput.stories.tsx, SiteHeader.stories.tsx) — appears to be pre-existing story syntax/duplicate-content issues unrelated to the esbuild fix.
• Copilot notes a firewall/dns block when attempting to fetch storybook resources during automated checks (details in PR body).

Recommended next steps:

1. Run npm run storybook:build locally (or in a dev container) and fix the failing stories listed in the PR body.
2. Re-run CI after fixing Storybook errors. If CI still fails, collect full CI logs for the failing jobs and open focused follow-up PRs.

@ui-owner @devops @security — please review the dependency changes and advise whether we should proceed with fixing the Storybook story issues in this PR or open a small follow-up PR to address the story syntax failures.

[73junito]

reviewed

[Copilot]

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• packages/ui/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• packages/ui/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[73junito]

reviwed

[73junito]

@copilot apply changes based on the comments in this thread

[Copilot]

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• packages/ui/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@copilot apply changes based on the comments in this thread

The documentation inconsistency mentioned in that review has already been resolved in commit d1c5953. The ESBUILD_VULNERABILITY_FIX_SUMMARY.md now correctly reflects ^0.27.2 throughout, matching the actual implementation in package.json.

[73junito]

viewed