From 866032eaaa0209af4a9a25694253814b646d2101 Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Sun, 5 Apr 2026 14:33:05 -0700
Subject: [PATCH] fix(security): bump rollup to 4.59.0 to fix path-traversal CVE

Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup <4.59.0). Bumps the direct dependency in the plugin authoring example and adds a pnpm override for transitive copies via Vite.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package.json | 3 +++
 .../examples/plugin-authoring-smoke-example/package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 311a092f..58ffa103 100644
--- a/package.json
+++ b/package.json
@@ -51,6 +51,9 @@
 "pnpm": {
 "patchedDependencies": {
 "embedded-postgres@18.1.0-beta.16": "patches/embedded-postgres@18.1.0-beta.16.patch"
+ },
+ "overrides": {
+ "rollup": ">=4.59.0"
 }
 }
 }
diff --git a/packages/plugins/examples/plugin-authoring-smoke-example/package.json b/packages/plugins/examples/plugin-authoring-smoke-example/package.json
index 66657e4a..61b27ab9 100644
--- a/packages/plugins/examples/plugin-authoring-smoke-example/package.json
+++ b/packages/plugins/examples/plugin-authoring-smoke-example/package.json
@@ -34,7 +34,7 @@
 "@types/node": "^24.6.0",
 "@types/react": "^19.0.8",
 "esbuild": "^0.27.3",
- "rollup": "^4.38.0",
+ "rollup": "^4.59.0",
 "tslib": "^2.8.1",
 "typescript": "^5.7.3",
 "vitest": "^3.0.5"
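Review bot: The new override `"rollup": ">=4.59.0"` in the root package.json has no upper bound, so it would also force any transitive rollup resolution onto a future 5.x, outside the range Vite itself declares; a semver-compatible floor such as `"rollup": "^4.59.0"` (or `">=4.59.0 <5"`) closes the advisory without that risk. The diffstat also shows only the two package.json files changed, so if this repository commits a pnpm-lock.yaml it has not been regenerated here and the override will not be reflected until `pnpm install` is run; with a frozen-lockfile install in CI that would fail rather than silently apply. After regenerating, confirming the resolved versions with `pnpm why rollup` and re-running `pnpm audit` would verify that no <4.59.0 copy remains. The same pinning consideration applies to the example package's direct dependency in the second hunk, which already uses a caret range.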