
[lexical] Chore: Fix rollup CVE-2026-27606 across all lockfiles#8173

Merged
thatmichael85 merged 1 commit into main from users/thatmichael85/roll-vulnerability-fix on Feb 27, 2026

Conversation

@thatmichael85 (Contributor)

Description

  • rollup >= 4.0.0, < 4.59.0 (CVE-2026-27606, HIGH severity) has an arbitrary file write via path traversal vulnerability (GHSA-mw96-cpmx-2vgc).
  • Updated root package.json rollup specifier from ^4.22.4 to ^4.59.0.
  • Regenerated all 16 affected pnpm-lock.yaml files (14 examples, root workspace, and astro integration test fixture) to resolve rollup@4.59.0.

Test plan

Before

  • rollup@4.57.1 or rollup@4.52.0 present across all lockfiles
  • 15 open Dependabot alerts for CVE-2026-27606

After

  • All lockfiles resolve rollup@4.59.0 (the fixed version)
  • No code changes — lockfile-only updates
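A check a maintainer could run over the workspace's pnpm lockfiles before and after this change, written as an added example (not part of the PR or the Lexical repository): it uses the affected range stated above, matches `rollup@X.Y.Z` package keys in `pnpm-lock.yaml`, and the two lockfile fragments are constructed samples.

```python
import re
from pathlib import Path

# Affected range from the advisory cited in the PR: rollup >= 4.0.0, < 4.59.0
AFFECTED_MIN = (4, 0, 0)
FIXED_IN = (4, 59, 0)

# Matches pnpm-lock.yaml package keys such as "rollup@4.57.1:" or
# "rollup@4.57.1(...)"; only the bare version prefix is captured, and the
# line anchor keeps nested entries like "@types/node@20.0.0" from matching.
ROLLUP_KEY = re.compile(r"^\s*rollup@(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def rollup_versions(lockfile_text: str) -> set[tuple[int, int, int]]:
    """Return every resolved rollup version found in one lockfile."""
    return {tuple(int(n) for n in m.groups()) for m in ROLLUP_KEY.finditer(lockfile_text)}


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when the version falls inside the advisory's vulnerable range."""
    return AFFECTED_MIN <= version < FIXED_IN


def audit_lockfile(lockfile_text: str) -> list[str]:
    """Return the vulnerable rollup versions (as strings) resolved by a lockfile."""
    return sorted(".".join(map(str, v)) for v in rollup_versions(lockfile_text) if is_affected(v))


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Walk a workspace and report each pnpm-lock.yaml still resolving a vulnerable rollup."""
    return {str(p): hits for p in root.rglob("pnpm-lock.yaml") if (hits := audit_lockfile(p.read_text()))}


# Constructed lockfile fragments (integrity values are placeholders, not real hashes).
BEFORE = """packages:
  rollup@4.57.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  rollup@4.52.0(@types/node@20.0.0):
    resolution: {integrity: sha512-PLACEHOLDER}
"""
AFTER = """packages:
  rollup@4.59.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

if __name__ == "__main__":
    print("before:", audit_lockfile(BEFORE))  # ['4.52.0', '4.57.1']
    print("after:", audit_lockfile(AFTER))    # []
```

Running `audit_tree(Path("."))` from the repository root lists the lockfiles that still need regenerating; an empty dict matches the "After" state described above.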


meta-cla bot added the CLA Signed label, Feb 26, 2026
etrepum added the extended-tests (run extended e2e tests on a PR) label, Feb 26, 2026

Commit message:
Regenerate all pnpm lockfiles to resolve rollup >= 4.59.0, fixing
a HIGH severity arbitrary file write via path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) that affected rollup >= 4.0.0, < 4.59.0.

Updated root package.json rollup specifier from ^4.22.4 to ^4.59.0
and regenerated lockfiles for all 14 example projects, the root
workspace, and the astro integration test fixture.
thatmichael85 force-pushed the users/thatmichael85/roll-vulnerability-fix branch from aa4c0a1 to 0dfafc1, February 27, 2026 02:27
thatmichael85 added this pull request to the merge queue, Feb 27, 2026
Merged via the queue into main with commit c4cc538, Feb 27, 2026 (34 of 36 checks passed)
etrepum mentioned this pull request, Mar 19, 2026