Bump esbuild from 0.21.5 to removed in /frontend in the npm_and_yarn group across 1 directory #818

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/frontend/npm_and_yarn-30ae9b537b
@dependabot (bot) commented on behalf of github on May 16, 2026

Bumps the npm_and_yarn group with 1 update in the /frontend directory: esbuild.

Removes esbuild

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 1 update in the /frontend directory: [esbuild](https://github.com/evanw/esbuild).


Removes `esbuild`

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot (bot) added the `dependencies` (Dependencies related issues) and `javascript` (Pull requests that update javascript code) labels on May 16, 2026

@alvarofraguas
Contributor

Verified clean against the existing frontend/ codebase. Major bumps (vite ^7 → ^8, vitest ^2 → ^4) typically have a compatibility tail, but everything stayed green:

Install

```
npm ci                # 279 packages, 0 vulnerabilities (the bump removes the
                      # last esbuild 0.21.x reference; new tree is on esbuild 0.27.x)
```

Verification

| Step | Result |
| --- | --- |
| npm run check (tsc --noEmit strict) | clean |
| npm test (vitest 4.1.6) | 19 test files / 92 tests passed |
| npm run build (vite 8.0.5) | built in 245 ms |
| Bundle size | 787 KB JS (210 KB gzip), 53 KB CSS (9.4 KB gzip), 21 KB Monaco — essentially identical to vite 7 |
| npm run dev | dev server boots in ~247 ms, serves / with HMR + react-refresh wired in correctly |

Peer-dep compatibility check (the usual major-bump landmine):

  • @vitejs/plugin-react@5.2.0 peer vite: ^4 || ^5 || ^6 || ^7 || ^8
  • @tailwindcss/vite@4.3.0 peer vite: ^5.2 || ^6 || ^7 || ^8
  • vitest@4.1.6 peer vite: ^6 || ^7 || ^8

No peer-dep mismatches, no install warnings, no test failures.

Noteworthy (not a problem, just FYI): vite 8 swaps its internal bundler from rollup to rolldown. The user-visible build artifacts are the same shape and size, but the warning text changed (build.rolldownOptions.output.codeSplitting rather than build.rollupOptions.output.manualChunks). Nothing in our config explicitly references rollup, so we're not affected.

Ship-ready.
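
An added example, not part of the comment above or of the project's code: the peer-dependency check it describes, run over a package-lock v3 style `packages` map. It assumes peers are hoisted to the top-level `node_modules/` and understands only caret ranges joined by `||`, reporting anything else as unsupported; `checkPeers`, `sampleLock`, `legacy-plugin` and the react entry are hypothetical.

```javascript
// Parse "8.0.5" or a partial "5.2" into [major, minor, patch]; null otherwise.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)] : null;
}

// true/false for one caret comparator; null when it is outside this subset
// (not a caret, or a 0.x caret, whose upper bound follows different rules).
function caretMatches(comparator, version) {
  const c = comparator.trim();
  const low = c.startsWith("^") ? parseVersion(c.slice(1)) : null;
  if (!low || low[0] === 0) return null;
  const atLeastLow = version[1] > low[1] ||
    (version[1] === low[1] && version[2] >= low[2]);
  return version[0] === low[0] && atLeastLow;
}

// Assumption: peers are hoisted to the top-level node_modules/ directory.
function checkPeers(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      const installed = lock.packages["node_modules/" + peer];
      const optional = ((pkg.peerDependenciesMeta || {})[peer] || {}).optional;
      if (!installed) {
        if (!optional) findings.push({ path, peer, range, status: "missing" });
        continue;
      }
      const v = parseVersion(installed.version);
      const hits = range.split("||").map((c) => (v ? caretMatches(c, v) : null));
      const status = hits.includes(true) ? "ok"
        : hits.includes(null) ? "unsupported" : "mismatch";
      if (status !== "ok") findings.push({ path, peer, range, status });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: the vite, plugin-react, @tailwindcss/vite and
// vitest values are the ones quoted above; react and legacy-plugin are hypothetical.
const entry = (version, peerDependencies) => ({ version, peerDependencies });
const sampleLock = { packages: {
  "node_modules/vite": entry("8.0.5"),
  "node_modules/react": entry("19.0.0"),
  "node_modules/@vitejs/plugin-react": entry("5.2.0", { vite: "^4 || ^5 || ^6 || ^7 || ^8" }),
  "node_modules/@tailwindcss/vite": entry("4.3.0", { vite: "^5.2 || ^6 || ^7 || ^8" }),
  "node_modules/vitest": entry("4.1.6", { vite: "^6 || ^7 || ^8" }),
  "node_modules/legacy-plugin": entry("1.0.0", { vite: "^6 || ^7", react: ">=18" }),
} };
console.log(checkPeers(sampleLock));
```

The three packages named in the comment produce no findings against vite 8.0.5; only the hypothetical `legacy-plugin` is reported, once as a mismatch and once with a range this subset does not evaluate.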

@alvarofraguas
Contributor

Follow-up: also deployed the vite-8 build to a real Kali dev stack (nginx-fronted) and ran a headless Chromium smoke against it via Playwright's standalone API. The project doesn't have a Playwright test suite yet (only the dev-dep is installed; no tests/e2e/ directory), so I wrote an ad-hoc spec against the deployed SPA:

| Step | Result |
| --- | --- |
| SPA root via nginx (http://:8088/) | HTTP 200, `<title>osctrl</title>` |
| Unauthenticated → /login redirect | |
| Login form has env + user + password fields | ✓ all three present |
| vite-8 asset references in index.html (`assets/index-*.{js,css}`) | ✓ both linked |
| POST /api/v1/login/dev from a browser context | HTTP 200, JWT (156 chars) |
| Authenticated GET /api/v1/environments from same context | HTTP 200, ['dev'] |
| JS errors during page load | 0 |
| Failed network requests (HTTP ≥ 400) | 0 |

The rolldown-based build executes correctly in Chromium, the SPA renders, the React bundle hydrates without JS errors, the API roundtrip works. Reverted the dev stack back to the merged-#815 SPA after the test.
