
Fix Dependabot security alerts: bump esbuild, tsx, js-yaml#1685

Merged
stephentoub merged 1 commit into main from copilot/address-dependency-concerns on Jun 16, 2026

Conversation

Copilot AI commented Jun 16, 2026


Resolves the open Dependabot dependency alerts on the repository. All alerts originate from vulnerable npm packages across the SDK's tooling/build projects; Go, Python, and Rust dependencies were audited and are clean.

Patched advisories

Package From To Advisory
esbuild ≤0.28.0 0.28.1 GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr (high)
tsx 3.13.0–4.21.1 4.22.4 transitive on vulnerable esbuild
js-yaml ≤4.1.1 4.2.0 GHSA-h67p-54hq-rp68 (moderate)

Changes

  • nodejs/package.json — bumped the direct esbuild devDependency to ^0.28.1; its caret range otherwise pinned the project below the patched release.
  • Lockfiles — refreshed package-lock.json in nodejs, nodejs/samples, java/scripts/codegen, scripts/codegen, scripts/docs-validation, and test/harness so the transitive tsx/js-yaml/esbuild resolutions land on patched versions.

tsx and js-yaml were transitive and already within permitted ranges, so no manifest edits were needed beyond the lockfile updates.

Notes for reviewers

The Dependabot alerts page and GitHub API are unreachable from the build environment, so the alert set was reconstructed via npm audit / pip-audit / cargo-audit, which draw from the same advisory sources. npm audit reports zero vulnerabilities across all projects after these changes.

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub stephentoub marked this pull request as ready for review June 16, 2026 02:13
@stephentoub stephentoub requested a review from a team as a code owner June 16, 2026 02:13
Copilot AI review requested due to automatic review settings June 16, 2026 02:13
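The PR description relies on refreshed lockfiles rather than the Dependabot alert list, so a reviewer wants a way to confirm, offline, that every resolved copy of the three packages (including nested copies under another package's node_modules) is at or above the patched version. The script below is an added example written for this page; it is not code from the PR or the SDK repository. It parses the lockfileVersion 2/3 "packages" map that package-lock.json uses, and the sample lockfile embedded in it is constructed for the example (the unpatched nested esbuild under tsx is invented to show the case a top-level glance misses).

```javascript
// Added example, not from the PR or the SDK repository: offline check that
// every copy of esbuild/tsx/js-yaml resolved in a package-lock.json (v2/v3
// "packages" map, nested node_modules paths included) meets the patched floor
// the PR description lists. The sample lockfile below is constructed.

const PATCHED_FLOORS = {
  esbuild: '0.28.1',
  tsx: '4.22.4',
  'js-yaml': '4.2.0',
};

// Parse "1.2.3" or "1.2.3-beta.1+build" into [major, minor, patch],
// dropping prerelease and build metadata.
function parseVersion(v) {
  const core = v.split('-')[0].split('+')[0];
  return core.split('.').map((n) => Number.parseInt(n, 10) || 0);
}

// Compare two versions on major.minor.patch; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// In a v2/v3 lockfile the key is the install path; the package name is
// whatever follows the last "node_modules/" (scoped names keep their "@scope/").
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Walk the "packages" map and return every entry whose version is below the
// floor for its package name. Each hit carries the install path, so a nested
// duplicate (node_modules/tsx/node_modules/esbuild) is reported separately
// from the hoisted copy.
function findBelowFloor(lock, floors = PATCHED_FLOORS) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    if (compareVersions(entry.version, floors[name]) < 0) {
      hits.push({ path: lockPath, name, version: entry.version, floor: floors[name] });
    }
  }
  return hits;
}

// Constructed sample: the hoisted esbuild is patched, but tsx still carries a
// nested, unpatched esbuild that only a full walk (or `npm ls esbuild`) shows.
const SAMPLE_LOCK = {
  name: 'sample-tooling',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-tooling', devDependencies: { esbuild: '^0.28.1', tsx: '^4.0.0' } },
    'node_modules/esbuild': { version: '0.28.1', dev: true },
    'node_modules/tsx': { version: '4.22.4', dev: true, dependencies: { esbuild: '~0.27.0' } },
    'node_modules/tsx/node_modules/esbuild': { version: '0.27.2', dev: true },
    'node_modules/js-yaml': { version: '4.2.0', dev: true },
  },
};

function auditSample() {
  return findBelowFloor(SAMPLE_LOCK);
}

if (typeof require !== 'undefined' && require.main === module) {
  // To check a real file: node lockcheck.js path/to/package-lock.json
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findBelowFloor(lock);
  for (const h of hits) {
    console.log(`${h.path}: ${h.name}@${h.version} is below patched floor ${h.floor}`);
  }
  process.exitCode = hits.length === 0 ? 0 : 1;
}
```

Run it once per lockfile the PR touches (nodejs, nodejs/samples, java/scripts/codegen, scripts/codegen, scripts/docs-validation, test/harness); a non-zero exit means some resolved copy is still below the floor even though the manifest range and the hoisted entry look right. It does not cover lockfileVersion 1 files, which use a nested "dependencies" tree instead of the flat "packages" map, and it deliberately ignores the platform-specific @esbuild/* binaries, whose versions track the esbuild entry itself.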

Copilot AI left a comment


Pull request overview

This PR addresses repository Dependabot/security audit findings by updating vulnerable npm dependencies (directly and transitively) across the SDK’s Node-based tooling and build/test subprojects.

Changes:

  • Bump esbuild devDependency in nodejs/package.json to ^0.28.1.
  • Refresh multiple package-lock.json files so esbuild resolves to 0.28.1, tsx resolves to 4.22.4, and js-yaml resolves to 4.2.0 where applicable.
  • Lockfile cleanup consistent with the updated dependency graph (e.g., removal of no-longer-needed get-tsconfig / resolve-pkg-maps lock entries where tsx no longer depends on them).
File Description
test/harness/package-lock.json Updates resolved esbuild/tsx versions for the test harness tooling dependencies.
scripts/docs-validation/package-lock.json Updates resolved esbuild/tsx versions used by the docs validation tooling.
scripts/codegen/package-lock.json Updates resolved js-yaml (and related dependency graph) for codegen tooling.
nodejs/samples/package-lock.json Refreshes lockfile resolutions for the sample project and its local dependency on the Node SDK.
nodejs/package.json Bumps direct esbuild devDependency range to pick up the patched release.
nodejs/package-lock.json Refreshes the Node SDK lockfile to resolve patched esbuild/tsx/js-yaml versions.
java/scripts/codegen/package-lock.json Updates resolved esbuild to the patched version for Java codegen scripts.

Copilot's findings

Files not reviewed (6)
  • java/scripts/codegen/package-lock.json: Generated file
  • nodejs/package-lock.json: Generated file
  • nodejs/samples/package-lock.json: Generated file
  • scripts/codegen/package-lock.json: Generated file
  • scripts/docs-validation/package-lock.json: Generated file
  • test/harness/package-lock.json: Generated file
  • Files reviewed: 1/7 changed files
  • Comments generated: 0

@github-actions


Cross-SDK Consistency Review ✅

This PR makes no changes to any SDK API or feature code — it is exclusively a security dependency bump (esbuild → 0.28.1) with corresponding package-lock.json refreshes in tooling/build/codegen directories:

  • nodejs/package.json — direct esbuild devDependency bump
  • nodejs/package-lock.json, nodejs/samples/package-lock.json, java/scripts/codegen/package-lock.json, scripts/codegen/package-lock.json, scripts/docs-validation/package-lock.json, test/harness/package-lock.json — lockfile-only updates

Go, Python, .NET, Rust, and Java SDK source code and their dependencies are unaffected. No cross-language API parity concerns apply to this change.

Generated by SDK Consistency Review Agent for issue #1685 · sonnet46 452.3K ·

@stephentoub stephentoub merged commit 1d61f7a into main Jun 16, 2026
69 checks passed
@stephentoub stephentoub deleted the copilot/address-dependency-concerns branch June 16, 2026 16:00
