fix(deps): vuln minor upgrades — 15 packages (minor: 6 · patch: 9)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 15 packages upgraded (MINOR changes included)

Manifests changed:

• . (npm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
rollup	4.40.1	4.60.2	minor	Direct	2 HIGH
@eslint/compat	1.2.9	1.4.1	minor	Direct	-
@typescript-eslint/eslint-plugin	8.31.1	8.59.0	minor	Direct	-
eslint	9.26.0	9.39.4	minor	Direct	-
eslint-plugin-import	2.31.0	2.32.0	minor	Direct	-
prettier	3.5.3	3.8.3	minor	Direct	-
@rollup/plugin-commonjs	28.0.3	28.0.9	patch	Direct	-
@rollup/plugin-node-resolve	16.0.1	16.0.3	patch	Direct	-
@rollup/plugin-typescript	12.1.2	12.1.4	patch	Direct	-
@types/node	20.17.32	20.17.58	patch	Direct	-
eslint-config-prettier	10.1.2	10.1.8	patch	Direct	-
eslint-plugin-jest	28.11.0	28.11.2	patch	Direct	-
eslint-plugin-prettier	5.4.0	5.4.1	patch	Direct	-
nock	14.0.4	14.0.13	patch	Direct	-
ts-jest	29.3.2	29.3.4	patch	Direct	-

Packages marked with "-" are updated due to dependency constraints.

---

Security Details

🚨 Critical & High Severity (2 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
rollup	GHSA-mw96-cpmx-2vgc	HIGH	Rollup 4 has Arbitrary File Write via Path Traversal	4.40.1	2.80.0
rollup	CVE-2026-27606	HIGH	Rollup 4 has Arbitrary File Write via Path Traversal	4.40.1	-

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

rollup (4.40.1 → 4.60.2) — GitHub Release

v4.60.2

4.60.2

2026-04-18

Bug Fixes

• Resolve a variable rendering bug when generating different formats from the same build (fix: reset variable render names between outputs in the same generate rollup/rollup#6350)

Pull Requests

• https://github.com/rollup/rollup/issues/6327: docs: fix various typos in source and documentation (@Abhi3975, @lukastaegert)
• https://github.com/rollup/rollup/issues/6331: fix(deps): update minor/patch updates (@renovate[bot])
• https://github.com/rollup/rollup/issues/6332: chore(deps): update codecov/codecov-action action to v6 (@renovate[bot])
• https://github.com/rollup/rollup/issues/6333: chore(deps): update dependency eslint-plugin-unicorn to v64 (@renovate[bot])
• https://github.com/rollup/rollup/issues/6334: fix(deps): update rust crate swc_compiler_base to v51 (@renovate[bot])
• https://github.com/rollup/rollup/issues/6335: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6346: fix(deps): update minor/patch updates (@renovate[bot])
• https://github.com/rollup/rollup/issues/6347: chore(deps): update dependency lru-cache to v11 (@renovate[bot])
• https://github.com/rollup/rollup/issues/6348: fix(deps): update swc monorepo (major) (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6349: chore(deps): lock file maintenance (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6350: fix: reset variable render names between outputs in the same generate (@barry3406, @lukastaegert)
• https://github.com/rollup/rollup/issues/6351: chore(deps): update minor/patch updates (@renovate[bot])
• https://github.com/rollup/rollup/issues/6352: chore(deps): update cross-platform-actions/action action to v1 (@renovate[bot])
• https://github.com/rollup/rollup/issues/6353: chore(deps): update dependency lru-cache to v11 (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6354: chore(deps): lock file

(truncated)

v4.60.1

4.60.1

2026-03-30

Bug Fixes

• Resolve a situation where side effect imports could be dropped due to a caching issue (fix: skip dropping side-effects on namespaceReexportsByName cache hit (#6274) rollup/rollup#6286)

Pull Requests

• https://github.com/rollup/rollup/issues/6286: fix: skip dropping side-effects on namespaceReexportsByName cache hit (namespaceReexportsByName cache skips side-effect recording for subsequent importers via export * rollup/rollup#6274) (@littlegrayss, @TrickyPi)
• https://github.com/rollup/rollup/issues/6317: chore(deps): pin dependencies (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6318: chore(deps): update msys2/setup-msys2 digest to cafece8 (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6319: chore(deps): update minor/patch updates (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6320: chore(deps): pin dependency typescript to v5 (@renovate[bot], @lukastaegert)
• https://github.com/rollup/rollup/issues/6321: chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (@renovate[bot], @lukastaegert)

(truncated — see source for full notes)

@typescript-eslint/eslint-plugin (8.31.1 → 8.59.0) — GitHub Release

v8.59.0

8.59.0 (2026-04-20)

🚀 Features

• eslint-plugin: [no-unnecessary-type-assertion] report more cases based on assignability (https://github.com/typescript-eslint/typescript-eslint/issues/11789)

❤️ Thank You

• Ulrich Stark

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.2

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (https://github.com/typescript-eslint/typescript-eslint/issues/12187)
• eslint-plugin: [no-unnecessary-condition] use assignability checks in checkTypePredicates (https://github.com/typescript-eslint/typescript-eslint/issues/12147)

❤️ Thank You

• Abhijeet Singh @cseas
• 송재욱

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.1

8.58.1 (2026-04-08)

🩹 Fixes

• eslint-plugin: [no-unused-vars] fix false negative for type predicate parameter (https://github.com/typescript-eslint/typescript-eslint/issues/12004)

❤️ Thank You

• MinJae @Ju-MINJAE

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.58.0

8.58.0 (2026-03-30)

🚀 Features

• support TypeScript 6 (https://github.com/typescript-eslint/typescript-eslint/issues/12124)

🩹 Fixes

• eslint-plugin: crash in no-unnecessary-type-arguments (https://github.com/typescript-eslint/typescript-eslint/issues/12163)
• eslint-plugin: [no-extraneous-class] handle index signatures (https://github.com/typescript-eslint/typescript-eslint/issues/12142)
• eslint-plugin: [prefer-regexp-exec] avoid fixing unknown RegExp flags (https://github.com/typescript-eslint/typescript-eslint/issues/12161)

❤️ Thank You

• ej shafran @ej-shafran
• Evyatar Daud @StyleShit
• GG ZIBLAKING
• milkboy2564 @SeolJaeHyeok
• teee32 @teee32

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.57.2

8.57.2 (2026-03-23)

🩹 Fixes

• eslint-plugin: [prefer-optional-chain] remove dangling closing parenthesis (https://github.com/typescript-eslint/typescript-eslint/issues/11865)
• eslint-plugin: [array-type] ignore Array and ReadonlyArray without type arguments (https://github.com/typescript-eslint/typescript-eslint/issues/11971)

(truncated — see source for full notes)

eslint (9.26.0 → 9.39.4) — GitHub Release

v9.39.4

Bug Fixes

• f18f6c8 fix: update dependency minimatch to ^3.1.5 (fix: update dependency minimatch to ^3.1.5 eslint/eslint#20564) (Milos Djermanovic)
• a3c868f fix: update dependency @eslint/eslintrc to ^3.3.4 (fix: update dependency @eslint/eslintrc to ^3.3.4 eslint/eslint#20554) (Milos Djermanovic)
• 234d005 fix: minimatch security vulnerability patch for v9.x (fix: minimatch security vulnerability patch for v9.x eslint/eslint#20549) (Andrej Beles)
• b1b37ee fix: update ajv to 6.14.0 to address security vulnerabilities (fix: update ajv to 6.14.0 to address security vulnerabilities eslint/eslint#20538) (루밀LuMir)

Documentation

• 4675152 docs: add deprecation notice partial (docs: add deprecation notice partial eslint/eslint#20520) (Milos Djermanovic)

Chores

• b8b4eb1 chore: update dependencies for ESLint v9.39.4 (chore: update dependencies for ESLint v9.39.4 eslint/eslint#20596) (Francesco Trotta)
• 71b2f6b chore: package.json update for @eslint/js release (Jenkins)
• 1d16c2f ci: pin Node.js 25.6.1 (ci: pin Node.js 25.6.1 eslint/eslint#20563) (Milos Djermanovic)

v9.39.3

Bug Fixes

• 791bf8d fix: restore TypeScript 4.0 compatibility in types (fix: restore TypeScript 4.0 compatibility in types eslint/eslint#20504) (sethamus)

Chores

• 8594a43 chore: upgrade @eslint/js@9.39.3 (chore: upgrade @eslint/js@9.39.3 eslint/eslint#20529) (Milos Djermanovic)
• 9ceef92 chore: package.json update for @eslint/js release (Jenkins)
• af498c6 chore: ignore /docs/v9.x in link checker (chore: ignore /docs/v9.x in link checker eslint/eslint#20453) (Milos Djermanovic)

v9.39.2

Bug Fixes

• 5705833 fix: warn when eslint-env configuration comments are found (fix: warn when eslint-env configuration comments are found eslint/eslint#20381) (sethamus)

Build Related

• 506f154 build: add .scss files entry to knip (build: add .scss files entry to knip eslint/eslint#20391) (Milos Djermanovic)

Chores

• 7ca0af7 chore: upgrade to @eslint/js@9.39.2 (chore: upgrade to @eslint/js@9.39.2 eslint/eslint#20394) (Francesco Trotta)
• c43ce24 chore: package.json update for @eslint/js release (Jenkins)
• 4c9858e ci: add v9.x-dev branch (ci: add v9.x-dev branch eslint/eslint#20382) (Milos Djermanovic)

v9.39.1

Bug Fixes

• 650753e fix: Only pass node to JS lang visitor methods (fix: Only pass node to JS lang visitor methods eslint/eslint#20283) (Nicholas C. Zakas)

Documentation

• 51b51f4 docs: add a section on when to use extends vs cascading (docs: add a section on when to use extends vs cascading eslint/eslint#20268) (Tanuj Kanti)

(truncated — see source for full notes)

eslint-plugin-import (2.31.0 → 2.32.0) — GitHub Release

v2.32.0

Added

• add [enforce-node-protocol-usage] rule and import/node-version setting ([https://github.com/[New] add enforce-node-protocol-usage rule import-js/eslint-plugin-import#3024], thanks [@GoldStrikeArch] and [@sevenc-nanashi])
• add TypeScript types ([https://github.com/[New] add TypeScript types import-js/eslint-plugin-import#3097], thanks [@G-Rath])
• [extensions]: add `pathGroupOverrides to allow enforcement decision overrides based on specifier ([https://github.com/[New] extensions: allow enforcement decision overrides based on specifier import-js/eslint-plugin-import#3105], thanks [@Xunnamius])
• [order]: add sortTypesGroup option to allow intragroup sorting of type-only imports ([https://github.com/[New] order: allow intragroup sorting of type-only imports via sortTypesGroup import-js/eslint-plugin-import#3104], thanks [@Xunnamius])
• [order]: add newlines-between-types option to control intragroup sorting of type-only imports ([https://github.com/[New] order: allow controlling intragroup spacing of type-only imports via newlines-between-types import-js/eslint-plugin-import#3127], thanks [@Xunnamius])
• [order]: add consolidateIslands option to collapse excess spacing for aesthetically pleasing imports ([https://github.com/[New] order: add consolidateIslands option to collapse excess spacing for aesthetically pleasing imports import-js/eslint-plugin-import#3129], thanks [@Xunnamius])

Fixed

• [no-unused-modules]: provide more meaningful error message when no .eslintrc is present ([https://github.com/[Fix] no-unused-modules: don't error out when running with flat config and an eslintrc isn't present import-js/eslint-plugin-import#3116], thanks [@michaelfaith])
• configs: added missing name attribute for eslint config inspector ([https://github.com/[Fix] configs: added missing name attribute for eslint config inspector import-js/eslint-plugin-import#3151], thanks [@NishargShah])
• [order]: ensure arcane imports do not cause undefined behavior ([https://github.com/[Fix] order: ensure arcane imports do not cause undefined behavior import-js/eslint-plugin-import#3128], thanks [@Xunnamius])
• [order]: resolve undefined property access issue when using named ordering ([https://github.com/[Fix] order: resolve undefined property access issue when using named.cjsExports import-js/eslint-plugin-import#3166], thanks [@Xunnamius])
• [enforce-node-protocol-usage]: avoid a crash with some TS code ([https://github.com/import/enforce-node-protocol-usage broken import-js/eslint-plugin-import#3173], thanks [@ljharb])
• [order]: codify invariants from docs into config schema ([https://github.com/[Fix] order: codify invariants from docs into config schema import-js/eslint-plugin-import#3152], thanks [@Xunnamius])

Changed

• [Docs] [extensions], [order]: improve documentation ([https://github.com/[Docs] extensions, order: improve documentation import-js/eslint-plugin-import#3106], thanks [@Xunnamius])
• [Docs] add flat config guide for using tseslint.config() ([https://github.com/'newline-after-import' not applied to jsdoc import-js/eslint-plugin-import#3125], thanks [@lnuvy])
• [Docs] add missing comma ([https://github.com/[Docs] add missing comma import-js/eslint-plugin-import#3122], thanks [@RyanGst])
• [readme] Update flatConfig example to include typescript config ([https://github.com/[meta] Update flatConfig example to include typescript config import-js/eslint-plugin-import#3138], thanks [@intellix])
• [Refactor] [order]: remove unnecessary negative check ([https://github.com/[Refactor] order: remove unnecessary negative check import-js/eslint-plugin-import#3167], thanks [@JounQin])
• [Docs] [no-unused-modules]: add missing double quote ([https://github.com/[Docs] no-unused-modules: add missing double quote import-js/eslint-plugin-import#3191], thanks [@albertpastrana])
• [Docs] no-restricted-paths: clarify wording and fix errors ([https://github.com/[Docs] no-restricted-paths: clarify wording and fix errors import-js/eslint-plugin-import#3172], thanks [@greim])

[`import

(truncated)

prettier (3.5.3 → 3.8.3) — GitHub Release

3.8.3

• SCSS: Prevent trailing comma in if() function (Prevent trailing comma for scss if-function syntax prettier/prettier#18471 by @kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

3.8.1

• Include available printers in plugin type declarations (https://github.com/prettier/prettier/issues/18706 by @porada)

🔗 Changelog

3.8.0

• Support Angular v21.1

diff

🔗 Release note "Prettier 3.8: Support for Angular v21.1"

3.7.4

What's Changed

• Fix comment in union type gets duplicated by @fisker in Fix comment in union type get duplicated prettier/prettier#18393
• Fix unstable comment print in union type by @fisker in Fix unstable comment print in union type prettier/prettier#18395
• Avoid quote around LWC interpolations by @kovsu in Fix LWC attribute with --embedded-language-formatting off prettier/prettier#18383

🔗 Changelog

3.7.3

What's Changed

• Fix prettier.getFileInfo() change that breaks VSCode extension by @fisker in Revert previous change to getFileInfo prettier/prettier#18375

🔗 Changelog

3.7.2

What's Changed

• Fix string print when switching quotes by @fisker in Fix string print prettier/prettier#18351
• Preserve quote for embedded HTML attribute values by @kovsu in Fix embed html attribute print prettier/prettier#18352
• Fix comment in empty type literal by @fisker in Fix comment in empty type literal prettier/prettier#18364

🔗 Changelog

3.7.1

• Fix performance regression in doc printer (https://github.com/prettier/prettier/issues/18342 by @fisker)

🔗 Changelog

3.7.0

diff

🔗 Release note

3.6.2

What's Changed

• Add missing blank line around code block by @fisker in Add missing blank line around code block prettier/prettier#17675

🔗 Changelog

3.6.1

• Fix "Warning: File descriptor 39 closed but not opened in unmanaged mode" error when running --experimental-cli

🔗 Changelog

3.6.0

diff

🔗 Release note "Prettier 3.6: Experimental fast CLI and new OXC and Hermes plugins!"

eslint-config-prettier (10.1.2 → 10.1.8) — GitHub Release

v10.1.8

republish latest version

Full Changelog: prettier/eslint-config-prettier@v10.1.5...v10.1.8

v10.1.5

Patch Changes

• https://github.com/prettier/eslint-config-prettier/issues/332 60fef02 Thanks @JounQin! - chore: add funding field into package.json

Full Changelog: prettier/eslint-config-prettier@v10.1.4...v10.1.5

v10.1.4

Patch Changes

• https://github.com/prettier/eslint-config-prettier/issues/328 94b4799 Thanks @silvenon! - fix(cli): do not crash on no rules configured

Full Changelog: prettier/eslint-config-prettier@v10.1.3...v10.1.4

v10.1.3

Patch Changes

• https://github.com/prettier/eslint-config-prettier/issues/325 4e95a1d Thanks @pilikan! - fix: this package is commonjs, align its types correctly

New Contributors

• @pilikan made their first contribution in fix: this package is commonjs, align its types correctly prettier/eslint-config-prettier#325

Full Changelog: prettier/eslint-config-prettier@v10.1.2...v10.1.3

eslint-plugin-jest (28.11.0 → 28.11.2) — GitHub Release

v28.11.2

28.11.2 (2025-05-29)

Bug Fixes

• no-commented-out-tests: make message less ambiguous (fix(no-commented-out-tests): make message less ambiguous jest-community/eslint-plugin-jest#1740) (14c27ab)

v28.11.1

28.11.1 (2025-05-27)

Bug Fixes

• no-large-snapshots: use a far better message for when an unexpected snapshot is found (fix(no-large-snapshots): use a far better message for when an unexpected snapshot is found jest-community/eslint-plugin-jest#1736) (0f5b873)

eslint-plugin-prettier (5.4.0 → 5.4.1) — GitHub Release

Patch Changes

• https://github.com/prettier/eslint-plugin-prettier/issues/740 c21521f Thanks @JounQin! - fix(deps): bump synckit to v0.11.7 to fix potential TypeError: Cannot read properties of undefined (reading 'message') error

Full Changelog: prettier/eslint-plugin-prettier@v5.4.0...v5.4.1

nock (14.0.4 → 14.0.13) — GitHub Release

v14.0.13

14.0.13 (2026-04-20)

Bug Fixes

• types: align Definition with runtime; add rawHeaders, drop headers (fix(types): align Definition with runtime; add rawHeaders, drop headers nock/nock#2955) (07fbfab)

v14.0.12

14.0.12 (2026-04-05)

Bug Fixes

• prevent crash when query params have conflicting dot-notation keys (fix: prevent crash when query params have conflicting dot-notation keys nock/nock#2958) (7ea9933)

v14.0.11

14.0.11 (2026-02-09)

Bug Fixes

• migrate to npm OIDC (fix: migrate to npm OIDC nock/nock#2940) (113dcac)
• restore github actions write permissions (fix: restore github actions write permissions nock/nock#2941) (a4cb6b8)
• update @mswjs/interceptors to fix a memory leak (fix: update @mswjs/interceptors to fix a memory leak nock/nock#2938) (025db76)
• upgrade semantic-release (fix: upgrade semantic-release nock/nock#2943) (db0b280)

v14.0.10

14.0.10 (2025-08-12)

Bug Fixes

• Use Error objects instead of plain objects with replyWithError() (doc, types, test: Use Error objects instead of plain objects with replyWithError() nock/nock#2900) (f2a3389)

v14.0.9

14.0.9 (2025-08-07)

Bug Fixes

• address timeout issue with mocked timers (Revert fix: address timeout issue with mocked timers nock/nock#2880) (Revert "fix: address timeout issue with mocked timers (#2880)" nock/nock#2902) (bc48f92)

v14.0.8

14.0.8 (2025-08-01)

Bug Fixes

• ClientRequest: support http.Agent instances as agents for https requests (fix(ClientRequest): support http.Agent instances as agents for https requests nock/nock#2896) (e4390b8)

v14.0.7

14.0.7 (2025-07-26)

Bug Fixes

• address timeout issue with mocked timers (fix: address timeout issue with mocked timers nock/nock#2880) (fb112f3)

v14.0.6

14.0.6 (2025-07-19)

Bug Fixes

• upgrade interceptors (2bcaf0f)

v14.0.5

14.0.5 (2025-05-30)

Bug Fixes

• use of a fetch() recording that uses gzip compression is missing the headers, Possible EventEmitter memory leak when used together with MongoDBContainer (fix: use of a fetch() recording that uses gzip compression is missing the headers, Possible EventEmitter memory leak when used together with MongoDBContainer nock/nock#2869) (90b2a04)

ts-jest (29.3.2 → 29.3.4) — GitHub Release

v29.3.4

Please refer to CHANGELOG.md for details.

v29.3.3

Please refer to CHANGELOG.md for details.

---

Generated by ADMS Sources: 10 GitHub Releases, 5 not available.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.