
chore(security): ignore dev-only esbuild advisory GHSA-gv7w-rqvm-qjhr#63

Merged
olivrg merged 1 commit into
mainfrom
fix/esbuild-audit
Jun 13, 2026

Conversation


@olivrg olivrg commented Jun 13, 2026


GHSA-gv7w-rqvm-qjhr

## Description

The CI pnpm audit --audit-level=high gate started failing on every branch after a new advisory was published for esbuild (GHSA-gv7w-rqvm-qjhr: "Missing binary integrity verification in Deno module enables RCE via NPM_CONFIG_REGISTRY", patched in >=0.28.1). esbuild is a transitive build-time dependency only — pulled in by tsup (proxy build) and vite (dashboard build), both devDependencies. It is not part of the shipped @gethelio/proxy runtime.

This adds a scoped audit-ignore for that single GHSA so the gate passes:

```json
"pnpm": {
  "auditConfig": {
    "ignoreGhsas": ["GHSA-gv7w-rqvm-qjhr"]
  }
}
```

Why ignore rather than bump? I first tried the proper fix — a pnpm override forcing esbuild ^0.28.1 — but esbuild 0.28 changed its destructuring transform and vite@6.4.2 cannot compile against it (the dashboard build fails with 600+ "Transforming destructuring … is not supported yet" errors). There is no patched esbuild below 0.28.1, so the only real fix is a vite major upgrade, which is out of scope for a CI unblock. The advisory's exploit vector (a malicious NPM_CONFIG_REGISTRY during install) does not apply to our trusted CI/build context, and esbuild ships in no runtime artifact, so suppressing this one advisory is a deliberate, low-risk triage.

Follow-up (tracked separately): upgrade vite to a release whose esbuild dependency is >=0.28.1, then drop this ignore. This keeps the suppression temporary rather than permanent.


## Type of Change

<!-- Check all that apply. -->

- [ ] Bug fix (non-breaking change that fixes an issue)
- [ ] New feature (non-breaking change that adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Refactor (no functional changes)
- [ ] Documentation
- [x] CI / build / tooling

## Packages Affected

- [ ] `packages/proxy`
- [ ] `packages/dashboard`
- [ ] `packages/python-sdk`
- [x] Root config / monorepo tooling
- [ ] `docs/`
- [ ] `examples/`

## Checklist

- [x] I have read [CONTRIBUTING.md](../CONTRIBUTING.md)
- [x] My code follows the existing style (ESLint + Prettier pass)
- [x] TypeScript strict mode — no `any` types or `@ts-ignore` without justification
- [x] I have added or updated tests for my changes
- [x] All CI checks pass (`pnpm secrets:scan`, `pnpm docs:check:ci`, `pnpm audit --audit-level=high`, `pnpm build`, `pnpm lint`, `pnpm format:check`, `pnpm typecheck`, `pnpm test`)
- [x] I have updated documentation if this changes user-facing behavior
- [x] Commit messages follow [Conventional Commits](https://www.conventionalcommits.org/) (e.g. `feat:`, `fix:`, `docs:`)

## How to Test

<!-- Steps a reviewer can follow to verify the change. -->

1. `pnpm audit --audit-level=high` — exits 0 (the esbuild advisory is reported but ignored; no other highs).
2. `pnpm build` — dashboard (vite) and proxy (tsup) both build with the existing esbuild (unchanged; `pnpm-lock.yaml` is not modified by this PR).
3. `pnpm lint && pnpm format:check && pnpm typecheck` — all clean.

## Additional Context

<!-- Screenshots, config snippets, performance benchmarks, or anything else that helps reviewers. -->
Single-file change (package.json); no dependency-graph or lockfile changes — auditConfig only affects how pnpm audit reports, not resolution. Unblocks the audit gate for all open PRs (it was failing repo-wide), including the in-flight sideband governance API (#12).
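A guard a reviewer might add beside this kind of triage, as an added example that is not part of PR #63 or the project's code: it reads the `pnpm.auditConfig.ignoreGhsas` list from `package.json` and the JSON that `pnpm audit --json` prints, and reports any ignored advisory that is reachable through a runtime `dependencies` entry rather than only through `devDependencies`, so a "dev-only" suppression is re-checked every time the dependency graph changes. The audit JSON shape (npm-v6 style: `advisories` keyed by id, each with `github_advisory_id` and `findings[].paths` like `vite>esbuild`) and the sample values are assumptions constructed here; only the GHSA ids come from the page.

```javascript
// Constructed sample of a root package.json, trimmed to the fields the check needs.
// (Assumed shape; form-data is shown as reachable via a runtime dependency, as the
// follow-up commit on the page describes.)
const pkg = {
  dependencies: { '@slack/web-api': '^7.0.0' },
  devDependencies: { tsup: '^8.0.0', vite: '6.4.2' },
  pnpm: { auditConfig: { ignoreGhsas: ['GHSA-gv7w-rqvm-qjhr'] } },
};

// Constructed sample of `pnpm audit --json` output (assumed npm-v6-style shape;
// versions are made up, the GHSA ids are the ones named on the page).
const auditJson = {
  advisories: {
    '1': {
      github_advisory_id: 'GHSA-gv7w-rqvm-qjhr', module_name: 'esbuild', severity: 'high',
      findings: [{ version: '0.25.0', paths: ['tsup>esbuild', 'vite>esbuild'] }],
    },
    '2': {
      github_advisory_id: 'GHSA-hmw2-7cc7-3qxx', module_name: 'form-data', severity: 'high',
      findings: [{ version: '4.0.0', paths: ['@slack/web-api>form-data'] }],
    },
  },
};

// "a>b>c" -> "a": the direct dependency that pulls the vulnerable package in.
// Scoped names contain "/" but never ">", so a plain split is safe.
function topLevelOf(path) {
  return path.split('>')[0];
}

// Returns { ghsaId: [paths that start at a runtime dependency] } for every ignored
// advisory that is NOT dev-only. An empty object means all ignores are justified.
function unjustifiedIgnores(packageJson, audit) {
  const ignored = new Set(packageJson.pnpm?.auditConfig?.ignoreGhsas ?? []);
  const runtime = new Set(Object.keys(packageJson.dependencies ?? {}));
  const bad = {};
  for (const adv of Object.values(audit.advisories ?? {})) {
    if (!ignored.has(adv.github_advisory_id)) continue;
    const runtimePaths = adv.findings
      .flatMap((f) => f.paths)
      .filter((p) => runtime.has(topLevelOf(p)));
    if (runtimePaths.length > 0) bad[adv.github_advisory_id] = runtimePaths;
  }
  return bad;
}

// Prints {} for the sample above: esbuild is only reached via tsup and vite (devDependencies).
console.log(JSON.stringify(unjustifiedIgnores(pkg, auditJson)));
```

In CI this would run after `pnpm audit --json > audit.json` and fail the job when the returned object is non-empty, which is exactly the condition under which the "dev-only" justification in this PR would have stopped holding.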

@olivrg olivrg merged commit 28c89eb into main Jun 13, 2026
3 checks passed
@olivrg olivrg deleted the fix/esbuild-audit branch June 13, 2026 19:48
olivrg added a commit that referenced this pull request Jun 16, 2026
Two high-severity advisories surfaced in the repo-wide `pnpm audit
--audit-level=high` gate (both transitive, both newly disclosed, so they now
fail CI on main as well):

- form-data (GHSA-hmw2-7cc7-3qxx, <4.0.6): CRLF injection via unescaped
  multipart field names/filenames. Reaches the runtime via @slack/web-api.
  Fixed with a pnpm override forcing form-data >=4.0.6 (a safe 4.x patch bump;
  proxy + Slack channel tests pass on 4.0.6).
- vite (GHSA-fx2h-pf6j-xcff, <=6.4.2): server.fs.deny bypass in the vite DEV
  server. The dashboard ships as prebuilt static assets served by the proxy;
  the vite dev server never runs in production, so the advisory does not affect
  the shipped artifact. Added to ignoreGhsas as dev-only, matching the esbuild
  precedent (#63). To be dropped when vite is upgraded (#64).