fix(security): bump rollup to 4.59.0 to fix path-traversal CVE

Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup <4.59.0). Bumps the direct dependency in the plugin authoring example and adds a pnpm override for transitive copies via Vite. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-14 01:50:39 +09:00 · 2026-04-05 14:33:05 -07:00 · 2026-04-05 14:33:05 -07:00 · 866032eaaa
commit 866032eaaa
parent 2082bb61fe
2 changed files with 4 additions and 1 deletions
--- a/package.json
+++ b/package.json
@ -51,6 +51,9 @@
  "pnpm": {
    "patchedDependencies": {
      "embedded-postgres@18.1.0-beta.16": "patches/embedded-postgres@18.1.0-beta.16.patch"
+    },
+    "overrides": {
+      "rollup": ">=4.59.0"
    }
  }
 }
--- a/packages/plugins/examples/plugin-authoring-smoke-example/package.json
+++ b/packages/plugins/examples/plugin-authoring-smoke-example/package.json
@ -34,7 +34,7 @@
    "@types/node": "^24.6.0",
    "@types/react": "^19.0.8",
    "esbuild": "^0.27.3",
-    "rollup": "^4.38.0",
+    "rollup": "^4.59.0",
    "tslib": "^2.8.1",
    "typescript": "^5.7.3",
    "vitest": "^3.0.5"