fix(security): bump rollup to 4.59.0 to fix path-traversal CVE

Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup <4.59.0). Bumps the direct dependency in the plugin authoring example and adds a pnpm override for transitive copies via Vite. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-14 01:50:39 +09:00 · 2026-04-05 14:33:05 -07:00 · 2026-04-05 14:33:05 -07:00 · 866032eaaa
commit 866032eaaa
parent 2082bb61fe
2 changed files with 4 additions and 1 deletions
--- a/package.json
+++ b/package.json
@ -51,6 +51,9 @@
  "pnpm": {
    "patchedDependencies": {
      "embedded-postgres@18.1.0-beta.16": "patches/embedded-postgres@18.1.0-beta.16.patch"
+    },
+    "overrides": {
+      "rollup": ">=4.59.0"
    }
  }
 }