
fix(deps): resolve dependabot alert 170 for rollup path traversal#2355

Merged
markscott-ms merged 1 commit intofinos:mainfrom
rocketstack-matt:fix/dependabot-rollup-alert-170
Apr 17, 2026

Conversation

@rocketstack-matt
Member

Description

Resolves Dependabot alert #170 (GHSA-mw96-cpmx-2vgc / CVE-2026-27606): arbitrary file write via path traversal in rollup < 2.80.0.

Chain: @stoplight/spectral-cli@6.15.0 → @stoplight/spectral-ruleset-bundler@1.6.3 → rollup@2.79.2.

Upgrading the bundler to 1.7.0 (which is within spectral-cli's existing ^1.6.0 range) pins rollup: ~2.80.0, clearing the alert. The prior version-keyed override "@stoplight/spectral-ruleset-bundler@1.6.x": { "rollup": "2.80.0" } was not being applied by npm, so it has been replaced with a direct bundler pin.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Schema (calm/)
  • CALM AI (calm-ai/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • CALM Server (calm-server/)
  • CALM Widgets (calm-widgets/)
  • Documentation (docs/)
  • Shared (shared/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Verification:

  • npm ls rollup now shows rollup@2.80.0 under @stoplight/spectral-ruleset-bundler@1.7.0 (top-level rollup remains 4.60.1, already patched for the same CVE).
  • npm audit no longer reports rollup.
  • npm run build:shared succeeds.
  • Full npm run test:shared passes except for one pre-existing failure in docusaurus/package.spec.ts that reproduces on main and is unrelated to this change.

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards
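The verification step above relies on reading `npm ls rollup` by eye. The following is an added example, not code from this PR or from the CALM project, showing how to automate that check: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every nested copy of a package that resolves below the patched version. The two lockfiles embedded below are constructed to mirror the before/after state described in the PR (nested rollup 2.79.2 under the 1.6.3 bundler, then 2.80.0 under 1.7.0); they are not the project's real lock file, and the function names are this example's own.

```javascript
// Added example (not part of the PR): find nested copies of a package in an npm
// package-lock.json (lockfileVersion 2 or 3) that resolve below a fixed version.
// Lockfile entries are keyed by "node_modules/<name>" paths, so a copy nested under
// another dependency appears as ".../node_modules/<parent>/node_modules/<name>".

// Parse "MAJOR.MINOR.PATCH" from a version string, ignoring any leading "v" or range
// operator ("~2.80.0" -> [2, 80, 0]). Pre-release tags are deliberately not handled.
function parseVersion(v) {
  const m = /^[^\d]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two parsed versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every lockfile path at which `name` resolves to a version older than `fixedIn`.
// Scoped names ("@stoplight/spectral-ruleset-bundler") work because only the text after
// the last "node_modules/" segment is compared against `name`.
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry.version) continue; // root entry ("") or workspace link
    const pkgName = path.slice(idx + marker.length);
    if (pkgName !== name) continue;
    if (compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfiles (not the project's real package-lock.json).
// Before: top-level rollup is already patched, but the bundler carries a nested 2.79.2.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root', version: '0.0.0' },
    'node_modules/rollup': { version: '4.60.1' },
    'node_modules/@stoplight/spectral-ruleset-bundler': { version: '1.6.3' },
    'node_modules/@stoplight/spectral-ruleset-bundler/node_modules/rollup': { version: '2.79.2' },
  },
};

// After: the bundler pin to 1.7.0 pulls in a nested rollup at 2.80.0.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-root', version: '0.0.0' },
    'node_modules/rollup': { version: '4.60.1' },
    'node_modules/@stoplight/spectral-ruleset-bundler': { version: '1.7.0' },
    'node_modules/@stoplight/spectral-ruleset-bundler/node_modules/rollup': { version: '2.80.0' },
  },
};

// Usage: print the vulnerable paths for each sample. In a real project, replace the
// constructed objects with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const [label, lock] of [['before', SAMPLE_LOCK_BEFORE], ['after', SAMPLE_LOCK_AFTER]]) {
  const hits = findVulnerableCopies(lock, 'rollup', '2.80.0');
  console.log(`${label}: ${hits.length === 0 ? 'no rollup < 2.80.0' : JSON.stringify(hits)}`);
}
```

Running this against the real lock file after `npm install` is a cheap CI gate: a non-empty result means an override or pin did not take effect, which is exactly the failure mode the PR describes for the version-keyed override.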

Upgrade @stoplight/spectral-ruleset-bundler 1.6.3 → 1.7.0, which pins
rollup ~2.80.0 and clears GHSA-mw96-cpmx-2vgc / CVE-2026-27606 (arbitrary
file write via path traversal in rollup < 2.80.0).

The previous version-keyed override for bundler 1.6.x was not being
applied, so replace it with a direct bundler pin.

Signed-off-by: Matthew Bain <66839492+rocketstack-matt@users.noreply.github.com>
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner April 17, 2026 07:14
Copilot AI review requested due to automatic review settings April 17, 2026 07:14
Contributor

Copilot AI left a comment


Pull request overview

Updates the root npm overrides to remediate Dependabot alert #170 (Rollup path traversal) by ensuring @stoplight/spectral-ruleset-bundler resolves to a version that depends on patched rollup.

Changes:

  • Replaced a version-keyed override (not applied by npm) with a direct override pin of @stoplight/spectral-ruleset-bundler to 1.7.0.
  • Updated package-lock.json to reflect @stoplight/spectral-ruleset-bundler@1.7.0 and its dependency on rollup@~2.80.0.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Pins @stoplight/spectral-ruleset-bundler via root overrides to ensure a patched Rollup is selected. |
| package-lock.json | Locks the updated bundler version and updates the nested Rollup dependency to 2.80.0. |


@markscott-ms markscott-ms merged commit 73bc1b9 into finos:main Apr 17, 2026
18 checks passed
@rocketstack-matt rocketstack-matt deleted the fix/dependabot-rollup-alert-170 branch April 17, 2026 09:39