From 355075a79de9184e5108f3a11bd75efc3bfd7a7a Mon Sep 17 00:00:00 2001
From: Jordan Paulino
Date: Wed, 13 May 2026 01:09:40 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=8D=95=20fix(security):=20patch=20Rollup?=
 =?UTF-8?q?=20CVE-2026-27606=20via=20npm=20overrides?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves the open Dependabot alert (high severity). `@crxjs/vite-plugin@2.4.0` pins `rollup: 2.79.2` exactly in its dependencies, which is vulnerable to GHSA-mw96-cpmx-2vgc / CVE-2026-27606 (arbitrary file write via path traversal in chunk/asset filenames). The fix landed in the rollup 2.x maintenance backport `2.80.0`. Adds an `overrides` entry pinning `rollup` to `^2.80.0` so the transitive dep resolves to the patched release without forcing us off `@crxjs/vite- plugin@2`. The plugin's API surface is unaffected — the change is purely a security backport.
Verification:
- `npm ls rollup` now resolves to `2.80.0`
- `npm audit` reports 0 vulnerabilities (was 2 high)
- `npm run validate` and `npm run build` both pass
Refs: https://github.com/advisories/GHSA-mw96-cpmx-2vgc
Co-authored-by: Cursor
---
 package-lock.json | 6 +++---
 package.json | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7bfb1b6..e723330 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5035,9 +5035,9 @@
 "license": "MIT"
 },
 "node_modules/rollup": {
- "version": "2.79.2",
- "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz",
- "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==",
+ "version": "2.80.0",
+ "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.80.0.tgz",
+ "integrity": "sha512-cIFJOD1DESzpjOBl763Kp1AH7UE/0fcdHe6rZXUdQ9c50uvgigvW97u3IcSeBwOkgqL/PXPBktBCh0KEu5L8XQ==",
 "dev": true,
 "license": "MIT",
 "bin": {
diff --git a/package.json b/package.json
index c842ad6..c54650a 100644
--- a/package.json
+++ b/package.json
@@ -54,5 +54,8 @@
 },
 "engines": {
 "node": ">=24"
+ },
+ "overrides": {
+ "rollup": "^2.80.0"
 }
 }
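Review bot: The `overrides` entry added here is unscoped, so npm applies `"rollup": "^2.80.0"` to every `rollup` edge in the tree rather than only the one requested by `@crxjs/vite-plugin`; any dependency that wants a newer rollup major (recent vite releases, for instance) would be forced down to 2.x instead of resolving independently. Scoping the override to the package that carries the vulnerable pin limits that blast radius: `"overrides": { "@crxjs/vite-plugin": { "rollup": "^2.80.0" } }`. The description reports `npm ls rollup` resolving to a single `2.80.0`, which suggests the current tree has only one rollup consumer, but the scoped form keeps the fix from silently downgrading others as dependencies move on. Since package.json has no comment syntax, it is also worth noting in the project docs that this override can be dropped once `@crxjs/vite-plugin` itself depends on a patched rollup.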