
Commit 736b555

fix(deps): resolve dependabot alert 170 for rollup path traversal
Upgrade @stoplight/spectral-ruleset-bundler 1.6.3 → 1.7.0, which pins rollup ~2.80.0 and clears GHSA-mw96-cpmx-2vgc / CVE-2026-27606 (arbitrary file write via path traversal in rollup < 2.80.0). The previous version-keyed override for bundler 1.6.x was not being applied, so replace it with a direct bundler pin.

Signed-off-by: Matthew Bain <66839492+rocketstack-matt@users.noreply.github.com>
1 parent 5cfdd54 commit 736b555
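The commit message says the earlier override never took effect, which is exactly why a fix like this should be confirmed against the lockfile rather than against package.json. The script below is an added check written for this page, not code from the commit or the project: it walks the `packages` map of a package-lock.json (v2/v3 layout) and reports every installed copy of rollup, including copies nested under another package, whose version is below the fixed release. The two lockfile objects are constructed stand-ins for the before and after state; the nested paths and versions in them are illustrative, not taken from the repository.

```javascript
// Added example (not part of the commit): audit a package-lock.json for
// rollup copies below the version the commit message names as fixed.
// Run with node; replace the constructed objects with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) for real use.

const FIXED_ROLLUP = "2.80.0"; // per the commit message: rollup < 2.80.0 is affected

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into its numeric core plus
// a flag for pre-release, which semver orders below the plain release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  // Same core: a pre-release (2.80.0-0) sorts below the release (2.80.0).
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// Every lockfile path ending in "node_modules/rollup" is an installed copy.
// Nested copies (node_modules/<dep>/node_modules/rollup) are the ones an
// override is meant to eliminate, so they are deliberately included.
function findVulnerableRollup(lock, fixed = FIXED_ROLLUP) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/rollup$/.test(path)) continue;
    if (!meta || typeof meta.version !== "string") continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed "before" state: the bundler still carries its own old rollup.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@stoplight/spectral-ruleset-bundler": { version: "1.6.3" },
    "node_modules/@stoplight/spectral-ruleset-bundler/node_modules/rollup": { version: "2.79.2" },
  },
};

// Constructed "after" state: bundler bumped, nested rollup at the fixed version.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@stoplight/spectral-ruleset-bundler": { version: "1.7.0" },
    "node_modules/@stoplight/spectral-ruleset-bundler/node_modules/rollup": { version: "2.80.0" },
  },
};

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  const hits = findVulnerableRollup(lock);
  console.log(`${label}: ${hits.length === 0 ? "no rollup below " + FIXED_ROLLUP : JSON.stringify(hits)}`);
}
```

A non-empty result after `npm install` means the override or pin did not reach the nested copy, which is the failure mode the commit message describes for the 1.6.x selector; `npm ls rollup` shows the same tree interactively but is harder to gate a CI job on.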

2 files changed

Lines changed: 8 additions & 10 deletions

File tree

package-lock.json

Lines changed: 7 additions & 7 deletions

package.json

Lines changed: 1 addition & 3 deletions
@@ -85,9 +85,7 @@
8585
"npm": "11.12.1"
8686
},
8787
"serialize-javascript": "^7.0.5",
88-
"@stoplight/spectral-ruleset-bundler@1.6.x": {
89-
"rollup": "2.80.0"
90-
},
88+
"@stoplight/spectral-ruleset-bundler": "1.7.0",
9189
"eslint": {
9290
"minimatch": "^3.1.4"
9391
},
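Review bot: the explicit rollup pin leaves this hunk along with the removed `"@stoplight/spectral-ruleset-bundler@1.6.x"` selector, so after this change the rollup >= 2.80.0 requirement is enforced only transitively by whatever `@stoplight/spectral-ruleset-bundler` 1.7.0 declares. Consider keeping a floor in the same block next to the new pin, for example `"rollup": ">=2.80.0"`, so that another dependency resolving an older rollup does not silently reintroduce CVE-2026-27606. Separately, an exact `"1.7.0"` pin here will mask later dependabot bumps of the bundler until this entry is edited as well; a caret range would still clear the alert while letting patch releases through. Since the package-lock.json diff is not rendered on this page, the resolved rollup version cannot be confirmed from the commit alone; `npm ls rollup` on the checked-out tree is the quick check.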
