Remove minimumReleaseAgeExclude for esbuild once 0.28.1 clears the 7-day gate #435

@BigGillyStyle

Description

Background

PR #432 adopted the esbuild 0.28.1 security patch (advisory GHSA-gv7w-rqvm-qjhr — high) ahead of this repo's minimumReleaseAge: 10080 (7-day) supply-chain gate. esbuild 0.28.1 was published 2026-06-11 ~22:47Z, so at merge time it was under a day old and the gate was holding the build on the vulnerable 0.28.0.

To ship the patch immediately, pnpm-workspace.yaml was given a temporary exemption:

minimumReleaseAgeExclude:
  - esbuild
  - "@esbuild/*"   # platform-specific binary optional deps, also age-gated

What to do (on/after ~2026-06-19)

Once 0.28.1 has been published for ≥ 7 days, the minimumReleaseAge gate allows it on its own and the exemption is redundant.

  1. Remove the minimumReleaseAgeExclude block (and its comment) from pnpm-workspace.yaml.
  2. Run pnpm install and confirm the lockfile keeps esbuild at >= 0.28.1 (i.e. nothing regresses to 0.28.0).
  3. Confirm pnpm audit --prod --audit-level=high still passes.

Notes

  • Only the tsx > esbuild and esbuild-register > esbuild (prod, via packages/db and tailwindcss) paths were affected. vite's 0.21.x and @esbuild-kit's 0.18.20 were untouched.
  • The advisory is specific to esbuild's Deno install path; this repo uses esbuild only under Node, so real exploitability was negligible — the upgrade is correctness/hygiene.

🤖 Generated with Claude Code
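Added example (not from this repo or the issue author): a Python check covering step 2 and the 7-day gate timing above. It parses a constructed pnpm-lock.yaml excerpt, flags any resolved esbuild or @esbuild/* version that has regressed into [0.28.0, 0.28.1), and reports whether a publish timestamp has cleared the 10080-minute minimumReleaseAge; the lockfile excerpt, the sha512 placeholders and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of a pnpm v9 lockfile, NOT this repo's real pnpm-lock.yaml.
SAMPLE_LOCK = """\
packages:

  esbuild@0.28.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true

  '@esbuild/linux-x64@0.28.1':
    resolution: {integrity: sha512-PLACEHOLDER}
    optional: true

  esbuild@0.21.5:
    resolution: {integrity: sha512-PLACEHOLDER}
    hasBin: true
"""

MIN_RELEASE_AGE_MINUTES = 10080   # the repo's minimumReleaseAge (7 days)
VULNERABLE = (0, 28, 0)           # release the advisory was fixed from (per the issue)
PATCHED = (0, 28, 1)              # first patched release

# v9 lockfile package keys look like `  esbuild@0.28.1:` or `  '@esbuild/linux-x64@0.28.1':`
PKG_KEY = re.compile(r"^ {2}'?(?P<name>@?[^@'\s]+)@(?P<ver>\d+\.\d+\.\d+)'?:\s*$", re.M)

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def esbuild_versions(lock_text):
    """Map each esbuild / @esbuild/* package to every version resolved in the lockfile."""
    found = {}
    for m in PKG_KEY.finditer(lock_text):
        name = m.group("name")
        if name == "esbuild" or name.startswith("@esbuild/"):
            found.setdefault(name, []).append(m.group("ver"))
    return found

def unpatched_esbuild(lock_text):
    """Resolved esbuild / @esbuild/* entries in [0.28.0, 0.28.1), i.e. a regression to 0.28.0.
    Older lines the issue calls untouched (vite's 0.21.x) are outside the range and not flagged."""
    return sorted(f"{n}@{v}" for n, vs in esbuild_versions(lock_text).items()
                  for v in vs if VULNERABLE <= parse_version(v) < PATCHED)

def gate_cleared(published_iso, now_iso, min_age_minutes=MIN_RELEASE_AGE_MINUTES):
    """True once the release is old enough for minimumReleaseAge to admit it on its own."""
    published, now = (datetime.fromisoformat(s) for s in (published_iso, now_iso))
    return now - published >= timedelta(minutes=min_age_minutes)
```

Run `unpatched_esbuild` over the real lockfile after `pnpm install`; an empty result means nothing regressed to 0.28.0, which is what step 2 asks you to confirm.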