chore(deps-dev)(deps-dev): bump rollup from 4.53.3 to 4.60.4 in /web by dependabot[bot] · Pull Request #59 · PatrickFanella/subcults

dependabot · 2026-05-18T19:10:59Z

Bumps rollup from 4.53.3 to 4.60.4.

Release notes

v4.60.4

4.60.4

2026-05-14

Bug Fixes

Improve stability of chunk hashes (#6362)

Pull Requests

#6362: fix: stabilize chunk assignment across parallel file reads (@sonukapoor, @Sonu Kapoor, @TrickyPi, @lukastaegert)

#6370: fix(deps): update minor/patch updates (@renovate[bot])

#6371: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6372: chore(deps): update react monorepo to v19 (major) (@renovate[bot])

#6373: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6375: Resolve vulnerabilities (@lukastaegert)

v4.60.2

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6346: fix(deps): update minor/patch updates (@renovate[bot])

#6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])

#6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)

#6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)

#6351: chore(deps): update minor/patch updates (@renovate[bot])

#6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])

#6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6354: chore(deps): lock file maintenance (@renovate[bot])

#6355: chore(deps): lock file maintenance (@renovate[bot])

#6356: chore(deps): lock file maintenance (@renovate[bot])

#6358: chore: remove cross-env from devDeps (@K-tecchan)

v4.60.1

4.60.1

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.4

2026-05-14

Bug Fixes

Improve stability of chunk hashes (#6362)

Pull Requests

#6362: fix: stabilize chunk assignment across parallel file reads (@sonukapoor, @Sonu Kapoor, @TrickyPi, @lukastaegert)

#6370: fix(deps): update minor/patch updates (@renovate[bot])

#6371: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)

#6372: chore(deps): update react monorepo to v19 (major) (@renovate[bot])

#6373: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6375: Resolve vulnerabilities (@lukastaegert)

4.60.3

2026-05-04

Bug Fixes

Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

#6360: fix: do not rename nested "exports" bindings that do not conflict (@tariqrafique, @lukastaegert)

#6364: chore(deps): update msys2/setup-msys2 digest to e989830 (@renovate[bot])

#6365: fix(deps): update minor/patch updates (@renovate[bot])

#6366: fix(deps): update swc monorepo (major) (@renovate[bot])

#6367: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

#6368: docs: add missing backticks in plugin-development (@lumirlumir, @lukastaegert)

4.60.2

2026-04-18

Bug Fixes

Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

#6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)

#6331: fix(deps): update minor/patch updates (@renovate[bot])

#6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])

#6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])

#6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])

#6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)

... (truncated)

Commits

d311a84 4.60.4
6aa3248 fix: stabilize chunk assignment across parallel file reads (#6362)
82a0fe7 Resolve vulnerabilities (#6375)
71f5ebc chore(deps): update dependency lru-cache to v11 (#6371)
af91d77 chore(deps): lock file maintenance (#6373)
65e7b94 chore(deps): update react monorepo to v19 (major) (#6372)
642587f fix(deps): update minor/patch updates (#6370)
b47bdab 4.60.3
15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [rollup](https://github.com/rollup/rollup) from 4.53.3 to 4.60.4. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.53.3...v4.60.4) --- updated-dependencies: - dependency-name: rollup dependency-version: 4.60.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot · 2026-05-18T19:11:00Z

Labels

The following labels could not be found: frontend, npm, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

github-actions · 2026-05-18T19:13:07Z

NPM Vulnerability Scan Results - e2e

Severity	Count
Critical	0
High	1
Moderate	0
Low	1
Total	2

Click to see details

# npm audit report

path-to-regexp  <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

qs  6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
fix available via `npm audit fix`
node_modules/qs

2 vulnerabilities (1 low, 1 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-05-18T19:13:18Z

NPM Vulnerability Scan Results - web

Severity	Count
Critical	0
High	5
Moderate	5
Low	0
Total	10

Click to see details

# npm audit report

ajv  <6.14.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <1.1.13 || >=2.0.0 <2.0.3
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

i18next-http-backend  <3.0.5
Severity: moderate
 i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - https://github.com/advisories/GHSA-q89c-q3h5-w34g
fix available via `npm audit fix`
node_modules/i18next-http-backend

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <=3.1.3 || 9.0.0 - 9.0.6
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch
node_modules/minimatch

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
node_modules/rollup-plugin-visualizer/node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch
node_modules/vite/node_modules/picomatch
node_modules/vitest/node_modules/picomatch

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss

protocol-buffers-schema  <3.6.1
Severity: moderate
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution - https://github.com/advisories/GHSA-j452-xhg8-qg39
fix available via `npm audit fix`
node_modules/protocol-buffers-schema

vite  7.0.0 - 7.3.1
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Vite: `server.fs.deny` bypassed with queries - https://github.com/advisories/GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - https://github.com/advisories/GHSA-p9ff-h696-f583
fix available via `npm audit fix`
node_modules/vite

10 vulnerabilities (5 moderate, 5 high)

To address all issues, run:
  npm audit fix

github-actions · 2026-05-18T19:14:33Z

Docker Image Scan Results - Dockerfile.indexer

Image: subcults-indexer:scan

Severity	Count
Critical	1
High	12
Medium	8
Low	1
Total	22

Click to see details


Report Summary

┌──────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                Target                │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ subcults-indexer:scan (debian 12.14) │  debian  │        0        │    -    │
├──────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ app/indexer                          │ gobinary │       22        │    -    │
└──────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


app/indexer (gobinary)
======================
Total: 22 (LOW: 1, MEDIUM: 8, HIGH: 12, CRITICAL: 1)

┌──────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                           Library                            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel                                     │ CVE-2026-29181 │ HIGH     │ fixed  │ v1.38.0           │ 1.41.0          │ OpenTelemetry-Go: multi-value `baggage` header extraction    │
│                                                              │                │          │        │                   │                 │ causes excessive allocations (remote dos amplification)      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-29181                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptrace- │ CVE-2026-39882 │ MEDIUM   │        │ v1.24.0           │ 1.43.0          │ OpenTelemetry-Go is the Go implementation of OpenTelemetry.  │
│ http                                                         │                │          │        │                   │                 │ Prior to 1 ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39882                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ go.opentelemetry.io/otel/sdk                                 │ CVE-2026-24051 │ HIGH     │        │ v1.38.0           │ 1.40.0          │ OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution  │
│                                                              │                │          │        │                   │                 │ via PATH Hijacking                                           │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-24051                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39883 │          │        │                   │ 1.43.0          │ opentelemetry-go: BSD kenv command not using absolute path   │
│                                                              │                │          │        │                   │                 │ enables PATH hijacking                                       │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39883                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc                                       │ CVE-2026-33186 │ CRITICAL │        │ v1.77.0           │ 1.79.3          │ google.golang.org/grpc/grpc-go:                              │
│                                                              │                │          │        │                   │                 │ google.golang.org/grpc/authz: gRPC-Go: Authorization bypass  │
│                                                              │                │          │        │                   │                 │ due to improper HTTP/2 path validation                       │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33186                   │
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                                       │ CVE-2026-25679 │ HIGH     │        │ v1.24.13          │ 1.25.8, 1.26.1  │ net/url: Incorrect parsing of IPv6 host literals in net/url  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-25679                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32280 │          │        │                   │ 1.25.9, 1.26.2  │ crypto/x509: crypto/tls: golang: Go: Denial of Service       │
│                                                              │                │          │        │                   │                 │ vulnerability in certificate chain building...               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32280                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32281 │          │        │                   │                 │ crypto/x509: golang: Go crypto/x509: Denial of Service via   │
│                                                              │                │          │        │                   │                 │ inefficient certificate chain validation...                  │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32281                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32283 │          │        │                   │                 │ crypto/tls: golang: Go crypto/tls: Denial of Service via     │
│                                                              │                │          │        │                   │                 │ multiple TLS 1.3 key...                                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32283                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33811 │          │        │                   │ 1.25.10, 1.26.3 │ When using LookupCNAME with the cgo DNS resolver, a very     │
│                                                              │                │          │        │                   │                 │ long CNAME...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33811                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-33814 │          │        │                   │                 │ When processing HTTP/2 SETTINGS frames, transport will enter │
│                                                              │                │          │        │                   │                 │ an infini ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-33814                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39820 │          │        │                   │                 │ Well-crafted inputs reaching ParseAddress, ParseAddressList, │
│                                                              │                │          │        │                   │                 │ and Parse ...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39820                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39836 │          │        │                   │                 │ Panic in Dial and LookupPort when handling NUL byte on       │
│                                                              │                │          │        │                   │                 │ Windows in...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39836                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-42499 │          │        │                   │                 │ Pathological inputs could cause DoS through consumePhrase    │
│                                                              │                │          │        │                   │                 │ when parsing ...                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-42499                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27142 │ MEDIUM   │        │                   │ 1.25.8, 1.26.1  │ html/template: URLs in meta content attribute actions are    │
│                                                              │                │          │        │                   │                 │ not escaped in html/template...                              │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27142                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32282 │          │        │                   │ 1.25.9, 1.26.2  │ golang: internal/syscall/unix: Root.Chmod can follow         │
│                                                              │                │          │        │                   │                 │ symlinks out of the root                                     │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32282                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32288 │          │        │                   │                 │ archive/tar: golang: Go's archive/tar package: Denial of     │
│                                                              │                │          │        │                   │                 │ Service via maliciously-crafted archive                      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32288                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-32289 │          │        │                   │                 │ html/template: golang: html/template: Cross-Site Scripting   │
│                                                              │                │          │        │                   │                 │ (XSS) via improper context and brace depth...                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-32289                   │
│                                                              ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39823 │          │        │                   │ 1.25.10, 1.26.3 │ CVE-2026-27142 fixed a vulnerability in which URLs were not  │
│                                                              │                │          │        │                   │                 │ correctly ......                                             │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39823                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39825 │          │        │                   │                 │ ReverseProxy can forward queries containing parameters not   │
│                                                              │                │          │        │                   │                 │ visible to ...                                               │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39825                   │
│                                                              ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-39826 │          │        │                   │                 │ If a trusted template author were to write a <script> tag    │
│                                                              │                │          │        │                   │                 │ containing...                                                │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-39826                   │
│                                                              ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2026-27139 │ LOW      │        │                   │ 1.25.8, 1.26.1  │ os: FileInfo can escape from a Root in golang os module      │
│                                                              │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2026-27139                   │
└──────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

dependabot Bot added the dependencies Pull requests that update a dependency file label May 18, 2026

dependabot Bot mentioned this pull request May 18, 2026

chore(deps-dev)(deps-dev): bump rollup from 4.53.3 to 4.60.3 in /web #55

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev)(deps-dev): bump rollup from 4.53.3 to 4.60.4 in /web#59

chore(deps-dev)(deps-dev): bump rollup from 4.53.3 to 4.60.4 in /web#59
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/web/rollup-4.60.4

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 18, 2026

v4.60.4

4.60.4

Bug Fixes

Pull Requests

v4.60.2

4.60.2

Bug Fixes

Pull Requests

v4.60.1

4.60.1

4.60.4

Bug Fixes

Pull Requests

4.60.3

Bug Fixes

Pull Requests

4.60.2

Bug Fixes

Pull Requests

Uh oh!

dependabot Bot commented on behalf of github May 18, 2026

Labels

Uh oh!

github-actions Bot commented May 18, 2026

NPM Vulnerability Scan Results - e2e

Uh oh!

github-actions Bot commented May 18, 2026

NPM Vulnerability Scan Results - web

Uh oh!

github-actions Bot commented May 18, 2026

Docker Image Scan Results - Dockerfile.indexer

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants