Build(deps): bump rollup from 4.53.3 to 4.59.0 #565
dependabot[bot] wants to merge 2 commits into main
Conversation
Unrestricted File Download

Description

Unrestricted File Downloads are a type of vulnerability that allows a malicious actor to download internal files, resulting in the potential, unintentional exposure of sensitive files, such as the configuration file, which contains credentials for the database. In milder forms, Unrestricted File Download attacks allow access to a specific directory subtree but could still enable cross-user breaches or access to crucial configuration and sensitive files.

Impact

The damage an attacker can cause by employing this type of attack is really only limited by the value of the exposed information. If a developer has structured their web root folder to include sensitive configuration files, for example, the fallout will, of course, be highly damaging. Furthermore, as with many other attacks that are a part of the attacker's toolkit, the vulnerability can be used by an attacker as a stepping stone, leading to the full compromise of the system.

Scenarios

A classic scenario is a web application that dynamically fetches resources according to a query parameter, and the available resources are stored in a particular directory within the file system. For example, the following URL fetches the

The Directory Traversal technique is commonly used to exploit this type of vulnerability in file systems; the nickname "dot-dot-slash" is often used as an alternative label given the punctuated order of symbols.

If no checks or sanitisation are in place, it is possible to traverse the resources directory and target any file on the file system. For example, the following fetches the sensitive

Prevention

If possible, developers should avoid building file path strings with user-provided input. Many functions of an application can be rewritten to deliver functionally identical behavior but in a safer manner. If passing user-supplied input to a filesystem API is absolutely necessary, developers must ensure the following:

As defense in depth, developers should never run a server component with

Testing

Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal.
guibranco
left a comment
Automatically approved by gstraccini[bot]
Code Review Summary
| Analyzer | Status | Updated (UTC) | Details |
|---|---|---|---|
| Test coverage | | Mar 4, 2026 1:52 p.m. | Review ↗ |
| Secrets | | Mar 4, 2026 1:52 p.m. | Review ↗ |
| JavaScript | | Mar 4, 2026 1:52 p.m. | Review ↗ |
Code Coverage Summary
| Language | Line Coverage (Overall) |
|---|---|
| Aggregate | 93.8% |
| Javascript | 93.8% |
➟ Additional coverage metrics may have been reported. See full coverage report ↗
c79b348 to 2ca3a63
Bumps [rollup](https://github.com/rollup/rollup) from 4.53.3 to 4.59.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.53.3...v4.59.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2ca3a63 to 6c9908f
Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs
2026-03-04T13:52:56Z INF scanning for exposed secrets...
1:52PM INF 469 commits scanned.
2026-03-04T13:52:56Z INF scan completed in 357ms
2026-03-04T13:52:56Z INF no leaks found
Bumps rollup from 4.53.3 to 4.59.0.
Release notes
Sourced from rollup's releases.
... (truncated)
Changelog
Sourced from rollup's changelog.
... (truncated)
Commits
- ae84695 4.59.0
- b39616e Update audit-resolve
- c60770d Validate bundle stays within output dir (#6275)
- 33f39c1 4.58.0
- b61c408 forward NO_SIDE_EFFECTS annotations to function expressions in variable decla...
- 7f00689 Extend agent instructions
- e7b2b85 chore(deps): lock file maintenance (#6270)
- 2aa5da9 fix(deps): update minor/patch updates (#6267)
- 4319837 chore(deps): update dependency lru-cache to v11 (#6269)
- c3b6b4b chore(deps): update dependency eslint-plugin-unicorn to v63 (#6268)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.