• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

Unleash / unleash / 27621572083
87%
master: 91%

Build:
Build:
LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 16 Jun 2026 01:46PM UTC
Jobs 1
Files 1186
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

16 Jun 2026 01:37PM UTC coverage: 87.367% (+0.03%) from 87.333%
27621572083

push

github

web-flow
fix(security): vulnerabilities (#12325)

## About the changes

Fixes security vulnerabilities reported in esbuild,  vite and form-data

## Security due diligence

Dependency paths were checked with `pnpm why` after regenerating the
lockfile:

- `form-data@4.0.6` is reached from runtime dependency `@slack/web-api`
and dev/test tooling. This is the most relevant runtime-facing update in
this PR.
- `esbuild@0.28.1` is reached through build/dev tooling (`orval` and
Vite). The reported high-severity advisory affects esbuild's Deno
module; Unleash does not use Deno or ship that module as part of the
server/runtime product, but the package was present in the repository
lockfile, so updating it is still the right repository hygiene response.
- `vite@8.0.16` is dev/build tooling.
- `js-yaml@4.2.0` is reached through OpenAPI tooling and helpers.
- `markdown-it@14.2.0` is reached through TypeDoc tooling.

The `minimumReleaseAgeExclude` entries are intentionally narrow:

- `form-data@4.0.6` was published on 2026-06-12 and is exempted by exact
version because it is still inside the 7-day release-age window.
- `esbuild@0.28.1` was published on 2026-06-11 and is exempted by exact
version. The `@esbuild/<platform>@0.28.1` packages are listed explicitly
because pnpm does not allow a version-pinned glob such as
`@esbuild/*@0.28.1`; using `@esbuild/*` would exempt future
platform-package releases too broadly.
- `vite@8.0.16`, `markdown-it@14.2.0`, `js-yaml@4.2.0`, `ws@8.21.0`, and
`react-router@6.30.4` are already outside the current release-age window
and do not need new age exceptions.

Validation performed:

- `pnpm install --lockfile-only` passes pnpm's supply-chain policy
check.
- `pnpm audit --audit-level moderate` reports no known vulnerabilities.
- `pnpm run build` passes.

Follow-up: remove the temporary release-age exceptions for
`form-data@4.0.6`, `esbuild@0.28.1`, and the
`@esbuild/<platform>@0.28.1` packages once they are older than the 7-day
release-age wi... (continued)

1878 of 2069 branches covered (90.77%)

15215 of 17415 relevant lines covered (87.37%)

900.72 hits per line

Coverage Regressions

Lines Coverage ∆ File
1
83.13
-1.2% src/lib/features/playground/feature-evaluator/client.ts
Jobs
ID Job ID Ran Files Coverage
1 27621572083.1 16 Jun 2026 01:46PM UTC 1186
87.37
GitHub Action Run
Source Files on build 27621572083
  • Tree
  • List 1186
  • Changed 3
  • Source Changed 0
  • Coverage Changed 3
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #27621572083
  • be51bced on github
  • Prev Build on main (#27601527557)
  • Next Build on main (#27623155588)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc