esbuild Deno module lacks binary integrity verification
What changed
The esbuild Deno module (lib/deno/mod.ts) downloads native binaries from an npm registry without any integrity verification (such as a SHA-256 hash check), unlike the Node.js equivalent, which has a binaryIntegrityCheck function. This allows an attacker who controls the NPM_CONFIG_REGISTRY environment variable to supply a malicious binary, leading to remote code execution.
Who it affects
All Deno projects using esbuild, especially those in CI/CD pipelines, shared development environments, or corporate networks where NPM_CONFIG_REGISTRY is set.
What to do today
Update esbuild to a patched version once available, or manually add SHA-256 integrity verification to the Deno module as suggested in the advisory. As a workaround, avoid setting NPM_CONFIG_REGISTRY to untrusted registries and ensure the environment variable is not attacker-controlled.
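The following is an added example of the kind of SHA-256 integrity check the advisory suggests for the Deno module. It is not esbuild's code and does not reproduce the internals of the Node.js package's binaryIntegrityCheck; the pinned-digest table, the `downloadVerified` wrapper, the injected `fetchBytes` callback and the sample input are all assumptions constructed for the example. It uses `node:crypto` and `node:buffer`, which both Node.js and Deno provide, and the only fixed digest it relies on is the well-known SHA-256 of the bytes "abc".

```typescript
// Added example (not esbuild's own code): verify a downloaded native
// binary against a pinned SHA-256 digest before it is written or run.
import { createHash, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

export class IntegrityError extends Error {}

// Hex-encoded SHA-256 of a byte buffer.
export function sha256Hex(bytes: Uint8Array): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// Compare the downloaded bytes against the pinned digest. Throws on any
// mismatch (or malformed pin) so the caller never installs unverified bytes.
// The comparison is constant-time; the length check guards timingSafeEqual.
export function verifyBinaryIntegrity(bytes: Uint8Array, expectedHex: string): void {
  const actual = Buffer.from(sha256Hex(bytes), "hex");
  const expected = Buffer.from(expectedHex, "hex");
  if (expected.length !== 32 || actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new IntegrityError(`SHA-256 mismatch for downloaded binary: expected ${expectedHex}, got ${sha256Hex(bytes)}`);
  }
}

// Hypothetical pinned-digest table: a release would carry one real digest per
// platform package, fixed at build time. The value below is a PLACEHOLDER.
export const PINNED_SHA256: Record<string, string> = {
  "linux-x64": "<pinned sha256 of the linux-x64 binary>",
};

// Fetch-then-verify wrapper. The fetch is injected so the example runs offline;
// whatever registry NPM_CONFIG_REGISTRY points at, a substituted binary fails here.
export async function downloadVerified(
  url: string,
  expectedHex: string,
  fetchBytes: (u: string) => Promise<Uint8Array>,
): Promise<Uint8Array> {
  const bytes = await fetchBytes(url);
  verifyBinaryIntegrity(bytes, expectedHex);
  return bytes;
}

// Constructed demonstration input: the bytes "abc" and their known SHA-256.
export const SAMPLE_BINARY = new TextEncoder().encode("abc");
export const SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

// Returns true when the genuine sample passes and a one-bit-tampered copy is rejected.
export function demo(): boolean {
  try {
    verifyBinaryIntegrity(SAMPLE_BINARY, SAMPLE_SHA256);
  } catch {
    return false;
  }
  const tampered = Uint8Array.from(SAMPLE_BINARY);
  tampered[0] ^= 0x01; // simulate a substituted binary from an untrusted registry
  try {
    verifyBinaryIntegrity(tampered, SAMPLE_SHA256);
    return false; // tampered bytes must not pass
  } catch (e) {
    return e instanceof IntegrityError;
  }
}
```

The pinned digest must come from the build that produced the binary, not from the same registry response that delivers the binary, otherwise an attacker controlling the registry can serve matching hashes along with the replaced file.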