
🍕 fix(security): patch Rollup CVE-2026-27606 via npm overrides #4

Merged
jjpaulino merged 1 commit into master from fix/dependabot-rollup-cve-2026-27606 on May 13, 2026

Conversation

@jjpaulino jjpaulino commented May 13, 2026

## Summary

Resolves the open Dependabot alert (high severity, GHSA-mw96-cpmx-2vgc / CVE-2026-27606): Rollup arbitrary file write via path traversal.

## Root cause

@crxjs/vite-plugin@2.4.0 pins rollup: 2.79.2 exactly in its dependencies. Any version < 2.80.0 is vulnerable. The Rollup team backported the fix to the 2.x maintenance line as rollup@2.80.0 (alongside 3.30.0 and 4.59.0 for the active majors).

clay-slip → @crxjs/vite-plugin@2.4.0 → rollup@2.79.2 (vulnerable)

Vite 8 itself is not affected — it has migrated to rolldown for bundling, so the only rollup in our tree is the transitive 2.x pin from @crxjs/vite-plugin.

## Fix

Add an overrides entry to package.json pinning rollup to ^2.80.0. This forces npm to resolve the transitive dependency to the patched release without bumping @crxjs/vite-plugin off its 2.x line (the alternative npm-audit fix would have downgraded us to @crxjs/vite-plugin@1.0.14, a major step backwards).

```json
"overrides": {
  "rollup": "^2.80.0"
}
```

The Rollup 2.79.2 → 2.80.0 diff is purely the security backport — no API surface changes — so @crxjs/vite-plugin's exact pin contract is honored at the API level.

## Verification

| Check | Before | After |
| --- | --- | --- |
| `npm ls rollup` | rollup@2.79.2 | rollup@2.80.0 |
| `npm audit` | 2 high | 0 |
| `npm run validate` (84 tests + lint + tc) | | |
| `npm run build` | | |

## Test plan

- `npm install` resolves rollup@2.80.0
- `npm audit` reports 0 vulnerabilities
- `npm run validate` passes (84 tests, 0 lint warnings, 0 type errors, 0 format issues)
- `npm run build` produces the same dist/ output sizes as before
- CI on this PR (rerun on a clean machine to confirm the lockfile change is reproducible)
- After merge: confirm Dependabot alert auto-closes

Refs: GHSA-mw96-cpmx-2vgc

Made with Cursor
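As an added example (not code from this PR or the project), a small Node check that walks a lockfile's `packages` map and reports every rollup copy still below the fixed releases named above (2.80.0 / 3.30.0 / 4.59.0). The two lockfile fragments are constructed to mirror the before/after state the PR describes; the `MIN_FIXED` table and the nested `node_modules` path shape are assumptions drawn from the PR text and npm's lockfileVersion 2/3 layout.

```javascript
// Minimum patched rollup release per major line, as listed in the PR text.
const MIN_FIXED = { 2: "2.80.0", 3: "3.30.0", 4: "4.59.0" };

function parseVersion(v) {
  return v.split(".").map(Number);
}

// True only if `version` is a release at or above the fix for its major line.
// Pre-release tags (e.g. "2.80.0-beta.1") are treated as unpatched.
function isFixed(version) {
  if (version.includes("-")) return false;
  const a = parseVersion(version);
  const floor = MIN_FIXED[a[0]];
  if (!floor) return false; // unknown major: do not assume it is patched
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Returns "<lockfile path>@<version>" for every rollup install that is still
// vulnerable, including nested copies such as
// node_modules/<parent>/node_modules/rollup.
function vulnerableRollups(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === "node_modules/rollup" || p.endsWith("/node_modules/rollup"))
    .filter(([, meta]) => !isFixed(meta.version))
    .map(([p, meta]) => `${p}@${meta.version}`);
}

// Constructed "before": the plugin's exact pin pulls a nested vulnerable copy.
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/@crxjs/vite-plugin": { version: "2.4.0", dependencies: { rollup: "2.79.2" } },
  "node_modules/@crxjs/vite-plugin/node_modules/rollup": { version: "2.79.2" },
}};

// Constructed "after": the override resolves a single hoisted patched copy.
const lockAfter = { lockfileVersion: 3, packages: {
  "node_modules/@crxjs/vite-plugin": { version: "2.4.0", dependencies: { rollup: "2.79.2" } },
  "node_modules/rollup": { version: "2.80.0" },
}};

console.log("before:", vulnerableRollups(lockBefore)); // one nested 2.79.2 copy
console.log("after:", vulnerableRollups(lockAfter));   // []
```

To run it against a real tree, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.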

Resolves the open Dependabot alert (high severity).

`@crxjs/vite-plugin@2.4.0` pins `rollup: 2.79.2` exactly in its
dependencies, which is vulnerable to GHSA-mw96-cpmx-2vgc / CVE-2026-27606
(arbitrary file write via path traversal in chunk/asset filenames). The
fix landed in the rollup 2.x maintenance backport `2.80.0`.

Adds an `overrides` entry pinning `rollup` to `^2.80.0` so the transitive
dep resolves to the patched release without forcing us off `@crxjs/vite-
plugin@2`. The plugin's API surface is unaffected — the change is purely
a security backport.

Verification:
- `npm ls rollup` now resolves to `2.80.0`
- `npm audit` reports 0 vulnerabilities (was 2 high)
- `npm run validate` and `npm run build` both pass

Refs: GHSA-mw96-cpmx-2vgc
Co-authored-by: Cursor <cursoragent@cursor.com>
@jjpaulino jjpaulino merged commit 9544ccc into master May 13, 2026
1 check passed
@jjpaulino jjpaulino deleted the fix/dependabot-rollup-cve-2026-27606 branch May 13, 2026 05:16
