[Aikido] Fix security issue in esbuild via minor version upgrade from 0.28.0 to 0.28.1 #1711

Status: Open

aikido-autofix[bot] wants to merge 2 commits into main from fix/aikido-security-update-packages-51314567-crlj

Conversation

@aikido-autofix aikido-autofix Bot commented Jun 18, 2026


Upgrade esbuild to fix critical RCE vulnerability in Deno module (missing binary integrity verification), high-severity path traversal on Windows, and low-severity DoS issues.

✅ Code not affected by breaking changes.

✅ No breaking changes from esbuild 0.28.0 => 0.28.1 affect this codebase.

The codebase uses esbuild exclusively through the buildSync API for bundling Lambda functions during CDK synthesis. It does not use:

1. esbuild's local development server - The code only uses buildSync() for build-time bundling (found in packages/constructs/esbuild/esbuild.ts), not the serve() API that would be affected by the backslash path restriction.
2. Deno API - No Deno usage was found in the codebase, so the integrity check changes for custom package registries do not apply.

The HTTP path handling found in Lambda@Edge handlers (e.g., in static-hosting, prerender-proxy) operates on CloudFront request URIs at runtime, which is unrelated to esbuild's development server.

All breaking changes by upgrading esbuild from version 0.28.0 to 0.28.1 (CHANGELOG)

| Version | Description |
| --- | --- |
| 0.28.1 | HTTP requests with paths containing `\` backslash characters are no longer allowed in the local development server |
| 0.28.1 | The esbuild executable served by custom package registries (via NPM_CONFIG_REGISTRY) must now match the expected content due to integrity checks in the Deno API |
✅ 3 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| GHSA-gv7w-rqvm-qjhr | HIGH | [esbuild] Deno module downloads native binaries from npm registry without SHA-256 integrity verification, allowing attackers who control the NPM_CONFIG_REGISTRY environment variable to inject malicious binaries and achieve remote code execution. Node.js equivalent includes this protection, but Deno implementation lacks it entirely. |
| AIKIDO-2026-445064 | HIGH | [esbuild] A vulnerability allows attackers to redirect binary downloads to malicious sources by manipulating the NPM_CONFIG_REGISTRY environment variable, enabling remote code execution since downloaded binaries lack SHA-256 integrity verification before execution. |
| GHSA-g7r4-m6w7-qqqr | LOW | [esbuild] A path traversal vulnerability in the development server on Windows allows attackers to bypass directory containment using backslash characters, enabling arbitrary file read access outside the configured servedir root directory. |
🤖 Remediation details

Fix esbuild vulnerability: bump resolved version from 0.28.0 to 0.28.1

Short summary

This PR remediates security vulnerabilities in esbuild by refreshing the yarn.lock lockfile to resolve esbuild at 0.28.1 instead of 0.28.0. The vulnerable package appears as a direct dependency in two workspace member manifests (packages/constructs/esbuild/package.json and packages/cdk-aspects/package.json); only yarn.lock at the workspace root required a change.

esbuild

esbuild is declared as a direct dependency ("esbuild": "^0.28.0") in both packages/constructs/esbuild and packages/cdk-aspects. The ^0.28.0 semver range already admits 0.28.1, so no manifest edits were required — the fix was a lockfile-only refresh via yarn up -R esbuild --mode=update-lockfile, which re-resolved esbuild and all its @esbuild/* platform-specific optional packages from 0.28.0 to 0.28.1. The bump was necessary because 0.28.0 is within the vulnerable range and 0.28.1 is the minimum patched version that addresses the reported advisories.

Version changes

| Package | From | To | Why updated |
| --- | --- | --- | --- |
| esbuild | 0.28.0 | 0.28.1 | Direct CVE fix |
| @esbuild/aix-ppc64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/android-arm | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/android-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/android-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/darwin-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/darwin-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/freebsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/freebsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-arm | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-ia32 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-loong64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-mips64el | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-ppc64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-riscv64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-s390x | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/linux-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/netbsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/netbsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/openbsd-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/openbsd-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/sunos-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/win32-arm64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/win32-ia32 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |
| @esbuild/win32-x64 | 0.28.0 | 0.28.1 | Lockfile refresh (esbuild platform package) |

@aikido-autofix aikido-autofix Bot requested a review from a team as a code owner June 18, 2026 00:21
@aikido-autofix aikido-autofix Bot requested review from AdamJHall and crispy101 June 18, 2026 00:21
AdamJHall
AdamJHall previously approved these changes Jun 18, 2026
crispy101
crispy101 previously approved these changes Jun 18, 2026
@github-actions github-actions Bot dismissed stale reviews from crispy101 and AdamJHall via f5cb085 June 18, 2026 00:24