chore(deps): Add mdx-builder scanning and patch vulns

[davidkonigsberg]

Short description of the changes made

Added CI to build/upload mdx-builder container for scanning
Perform base image update identical to what I did for FDR. New build of node22 while retaining alpine3.20
Add an override for esbuild to patch vulns

What was the motivation & context behind this PR?

soc2 vulnerability patching

Drops vulnerabilities count from 81 (4/41/34/2/0) to 10 (0/5/4/1/0)

How has this PR been tested?

CI

Before

After

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
dev.ferndocs.com	Ready	Preview	Oct 16, 2025 3:47pm
fern-dashboard	Ready	Preview	Oct 16, 2025 3:47pm
fern-dashboard-dev	Ready	Preview	Oct 16, 2025 3:47pm
ferndocs.com	Ready	Preview	Oct 16, 2025 3:47pm

4 Skipped Deployments

Project	Deployment	Preview	Updated (UTC)
fern-platform	Ignored		Oct 16, 2025 3:47pm
preview.ferndocs.com	Skipped		Oct 16, 2025 3:47pm
prod-assets.ferndocs.com	Skipped		Oct 16, 2025 3:47pm
prod.ferndocs.com	Skipped		Oct 16, 2025 3:47pm

[vercel]

The Dockerfile hardcodes esbuild version 0.25.9 but the catalog defines 0.25.0, creating a version mismatch that violates the project's strict esbuild versioning requirements.

View Details

📝 Patch Details

diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 36660f32c..e35eb4fde 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -56,7 +56,7 @@ catalog:
   # this exact esbuild version is used in fern docs dev build process
   # if you update the esbuild version, you **must** ensure that other references match
   # including fern-docs/bundle/package.json + cdk/utilities/install-esbuild.js
-  "esbuild": "0.25.0"
+  "esbuild": "0.25.9"
   "eslint-config-next": "15.5.4"
   "hastscript": "^9.0.0"
   "jose": "^5.9.6"

Analysis

esbuild version mismatch between Dockerfile and catalog causes build inconsistencies

What fails: Dockerfile hardcodes [email protected] while pnpm-workspace.yaml catalog defines 0.25.0, violating project's strict versioning requirements and causing build inconsistencies between containerized and local environments

How to reproduce:

1. Check Dockerfile line 10: "esbuild": "0.25.9"
2. Check pnpm-workspace.yaml catalog line 59: "esbuild": "0.25.0"
3. Compare with CI workflows that override catalog to 0.25.9 for deployment
4. Check install-esbuild.js which hardcodes [email protected] paths

Result: Container builds use esbuild 0.25.9 while workspace uses 0.25.0, creating version inconsistencies despite catalog comment requiring all references to match

Expected: All esbuild references should use the same version per catalog documentation stating "you must ensure that other references match" when updating esbuild version

Per esbuild changelog, version 0.25.0 introduced breaking changes that could cause different bundling behavior between environments.

[davidkonigsberg]

I'm just copying the version already in use that was updated by Catherine last night. Didn't want to mess with other people's changes.

[davidkonigsberg]

In addition to the override, the only other change here is that I bumped up hast-util-properties-to-mdx-jsx-attributes to match the catalog since that is what is used in package.json for mdx-bundler

[davidkonigsberg]

Added this here since I'm using it in the Dockerfile, happy to change to a hardcoded value of 0.25.9 if that is preferable

[davidkonigsberg]

actually, I'm gonna do that so it matches what is in the Dockerfile.

[davidkonigsberg]

There were changed to match the Dockerfile. If we use catalog, it will be 0.25.0. @chdeskur is it possible that we want to update the catalog to reflect the changes you made yesterday to get everything on 0.25.9?