
[CLNP-8652] fix(security): bump transitive rollup to 4.62.0 #5

Open
sf-tyler-jeong wants to merge 1 commit into main from fix/clnp-8652

Conversation

@sf-tyler-jeong


Update the pinned transitive rollup (via vite) from 4.14.1 to 4.62.0
across all four tutorial projects' lockfiles to resolve two High-severity
SCA findings:

- CVE-2024-47068 (GHSA-gcx4-mw62-g8wm): DOM Clobbering gadget -> XSS,
  fixed in 4.22.4
- CVE-2026-27606 (GHSA-mw96-cpmx-2vgc): Arbitrary File Write via Path
  Traversal, fixed in 4.59.0

rollup is a dev-only transitive dependency of vite (rollup: ^4.13.0), so
only the package-lock.json files change; no package.json edits required.
Verified rollup advisories clear via npm audit and that npm ci + build
(tsc && vite build) still pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
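The verification step above leans on npm audit, which only reports what its advisory database knows. As an added example (not the PR author's or the tutorial projects' code), the script below performs the complementary check a reviewer would want on a bump like this: it walks a lockfileVersion 2/3 package-lock.json and reports every installed copy of rollup that is still below 4.59.0, the higher of the two fix versions named in the commit message. Because npm keys each installed package by its node_modules path, a second, nested rollup pinned by some other package shows up as its own entry and must be checked too; the sample lockfile, the example-plugin entry that drags in such a nested copy, and the ROLLUP_FLOOR constant are all constructed for this example.

```javascript
// Added example, not code from the PR: scan a package-lock.json for every
// installed copy of rollup and report any below the fixed version.
// 4.59.0 fixes GHSA-mw96-cpmx-2vgc and 4.22.4 fixes GHSA-gcx4-mw62-g8wm,
// so 4.59.0 is the binding floor (assumption taken from the commit message).
const ROLLUP_FLOOR = "4.59.0";

// Parse "major.minor.patch[-pre]" into numbers. Prerelease tags are
// ignored, which is fine for the released versions a lockfile pins.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3 lockfiles list every installed package under
// "packages", keyed by node_modules path, so nested duplicates such as
// "node_modules/some-plugin/node_modules/rollup" are separate keys.
// (lockfileVersion 1 has no "packages" map and is not handled here.)
function findPackageEntries(lock, name) {
  const packages = lock.packages || {};
  const suffix = `node_modules/${name}`;
  return Object.entries(packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version, dev: !!entry.dev }));
}

// Entries of `name` whose version is below `floor`. An empty result means
// every installed copy is at or past the fix.
function findOutdated(lock, name, floor) {
  return findPackageEntries(lock, name).filter(
    (e) => compareVersions(e.version, floor) < 0
  );
}

function checkLockfile(lock) {
  return findOutdated(lock, "rollup", ROLLUP_FLOOR);
}

// Constructed sample lockfile (not one of the tutorial projects'): the
// hoisted rollup has been bumped, but a hypothetical "example-plugin" pins
// rollup 4.14.1 exactly, so npm keeps a nested, still-vulnerable copy.
const SAMPLE_LOCK = {
  name: "tutorial-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "tutorial-project", devDependencies: { vite: "^5.0.0" } },
    "node_modules/vite": { version: "5.4.0", dev: true, dependencies: { rollup: "^4.13.0" } },
    "node_modules/rollup": { version: "4.62.0", dev: true },
    "node_modules/example-plugin": { version: "1.0.0", dev: true, dependencies: { rollup: "4.14.1" } },
    "node_modules/example-plugin/node_modules/rollup": { version: "4.14.1", dev: true },
  },
};

// Demonstration on the constructed lockfile; pass JSON.parse'd contents of a
// real package-lock.json to checkLockfile() to audit one of the projects.
for (const e of checkLockfile(SAMPLE_LOCK)) {
  console.log(`${e.path}: ${e.version} is below ${ROLLUP_FLOOR}`);
}
```

Run across the four projects, a non-empty result from checkLockfile is the signal that a bump of the hoisted copy alone was not enough and the package holding the nested pin needs attention as well.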