Bump rolldown from 1.0.0-rc.9 to 1.0.0-rc.12#65255
dependabot[bot] wants to merge 1 commit into master
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
LGTM — straightforward Dependabot dependency bump with no bugs found.
Extended reasoning...
Overview
This PR bumps rolldown from 1.0.0-rc.9 to 1.0.0-rc.12 in package.json, with the corresponding pnpm-lock.yaml lockfile update. The lockfile changes are consistent with the version bump, adding @emnapi/core and @emnapi/runtime as newly-explicit transitive peer dependencies for the WASM runtime.
Security Risks
No security risks. rolldown is a build-time bundler used only during development/CI; it does not ship in production runtime code. The changes are entirely confined to package.json and the auto-generated lockfile.
Level of Scrutiny
This warrants minimal scrutiny — it is a routine Dependabot patch update within the same RC series, touching only tooling infrastructure. The bug hunting system found no issues.
Other Factors
No prior reviews exist on this PR. The changes are mechanical and follow the established pattern of Dependabot dependency bumps in this repository.
a4c3448 to c69fff3
LGTM — straightforward automated dependency bump of a devDependency build tool with no logic changes.
Extended reasoning...
Overview
This PR modifies only package.json (version specifier change) and pnpm-lock.yaml (resolved snapshot update). It bumps rolldown from 1.0.0-rc.9 to 1.0.0-rc.12 in devDependencies. The lockfile cascade updates are mechanical consequences of rolldown@1.0.0-rc.12 gaining @emnapi/core and @emnapi/runtime as peer dependencies via @napi-rs/wasm-runtime@1.1.2.
Security risks
rolldown is a build tool in devDependencies — it is not shipped in the production bundle or runtime. Socket security scan rates rolldown@1.0.0-rc.12 at 95/100 supply chain security and 100/100 vulnerability. No new security concerns are introduced. The @xmldom/xmldom@0.8.10 deprecation surfaced in the lockfile diff is pre-existing and unrelated to this PR; the inline bug comment correctly notes it should be addressed in a follow-up.
Level of scrutiny
Low — this is an automated Renovate/Dependabot-style bump of a single devDependency build tool. No application logic, no auth or crypto code, no production dependencies were touched. The diff is entirely version string substitutions in the lockfile.
Other factors
No prior reviews on this PR. No outstanding human reviewer comments. Socket scan is clean for the new version. The only flagged issue is explicitly pre-existing and non-blocking.
'@xmldom/xmldom@0.8.10':
  resolution: {integrity: sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==}
  engines: {node: '>=10.0.0'}
🟣 This is a pre-existing issue: the lockfile regeneration triggered by this rolldown bump surfaced a deprecation warning for @xmldom/xmldom@0.8.10 — "this version has critical issues, please update to the latest version". While this package was already in the dependency tree before this PR and is unrelated to rolldown, the pnpm lockfile update made the registry deprecation metadata visible. Please follow up in a separate PR to identify which transitive dependency pulls in @xmldom/xmldom and update it.
Extended reasoning...
The pnpm-lock.yaml diff at lines 3630-3632 now includes the following deprecation annotation for @xmldom/xmldom@0.8.10:
deprecated: this version has critical issues, please update to the latest version
This annotation was not present in the previous lockfile but appeared during the pnpm install triggered by the rolldown rc.9 to rc.12 bump. When pnpm regenerates the lockfile, it fetches fresh registry metadata, which now includes this deprecation notice from the npm registry.
How this manifests: The @xmldom/xmldom package itself was already present in the dependency tree before this PR — the PR did not add it, remove it, or interact with it in any way. The deprecation annotation is new in the lockfile diff purely because pnpm re-fetched registry metadata during resolution. This means every future pnpm install on this project will display a deprecation warning, and security scanners will flag this package.
Why existing code does not prevent it: The deprecation is upstream from the npm registry. No code in this PR interacts with @xmldom/xmldom — it is a transitive dependency pulled in by some other package in the tree. Without identifying and updating that parent package, the deprecated version will remain.
Impact: Version 0.8.10 of @xmldom/xmldom is marked by the npm registry as having critical issues. Critical-severity deprecations from the registry typically indicate known security vulnerabilities. Any code in this project that processes XML through this transitive dependency path may be exposed.
How to fix: Run pnpm why @xmldom/xmldom to identify which packages transitively depend on this version, then update those packages to versions that pull in a non-deprecated @xmldom/xmldom release (>= 0.9.x or latest). This should be done in a follow-up PR and does not need to block the current rolldown bump.
Step-by-step proof:
- Before this PR: pnpm-lock.yaml contained @xmldom/xmldom@0.8.10 without a deprecated field.
- This PR bumps rolldown from rc.9 to rc.12, triggering a full pnpm install run.
- pnpm fetches fresh registry metadata for all resolved packages, including @xmldom/xmldom@0.8.10.
- The npm registry now returns "deprecated: this version has critical issues, please update to the latest version" for this version.
- pnpm writes this metadata into the lockfile, making the deprecation visible in the diff at pnpm-lock.yaml:3630-3632.
- All subsequent pnpm install runs will emit this deprecation warning to the console.
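The comment above describes how a lockfile regeneration can surface registry deprecation metadata for a package the PR never touched. The following added example (not code from this PR or from the rolldown or pnpm projects) scans a pnpm-lock.yaml for every entry carrying a deprecated: annotation, so the check can run in CI before a human has to read the diff. It assumes the lockfile v9 layout (package ids indented two spaces under packages:, their fields indented four) and uses a constructed sample lockfile; only the @xmldom/xmldom entry mirrors the lines quoted in this PR, the other two entries and their integrity values are made up.

```shell
#!/bin/sh
# Added example: report deprecated entries in a pnpm-lock.yaml (v9 layout assumed).

# Constructed sample lockfile. The xmldom entry mirrors the one quoted in the PR;
# rolldown and example-old-pkg are made-up neighbours with placeholder integrity hashes.
SAMPLE_LOCK="$(mktemp)"
cat > "$SAMPLE_LOCK" <<'EOF'
lockfileVersion: '9.0'

packages:

  '@xmldom/xmldom@0.8.10':
    resolution: {integrity: sha512-2WALfTl4xo2SkGCYRt6rDTFfk9R1czmBvUQy12gK2KuRKIpWEhcbbzy8EZXtz/jkRqHX8bFEc6FC1HjX4TUWYw==}
    engines: {node: '>=10.0.0'}
    deprecated: this version has critical issues, please update to the latest version

  rolldown@1.0.0-rc.12:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER-1}
    engines: {node: '>=18.0.0'}

  example-old-pkg@1.2.3:
    resolution: {integrity: sha512-CONSTRUCTED-PLACEHOLDER-2}
    deprecated: use example-new-pkg instead
EOF

# find_deprecated LOCKFILE
# Prints one "name@version<TAB>message" line per package entry under "packages:"
# that carries a "deprecated:" field. Two-space keys are package ids; four-space
# lines are their fields; any other top-level section ends the packages block.
find_deprecated() {
  awk '
    /^packages:/             { in_pkgs = 1; next }
    /^[^ ]/                  { in_pkgs = 0 }
    in_pkgs && /^  [^ ].*:$/ {
      key = $0; sub(/^  /, "", key); sub(/:$/, "", key)
      gsub(/^'\''|'\''$/, "", key)       # scoped names are quoted in the lockfile
    }
    in_pkgs && /^    deprecated: / {
      msg = $0; sub(/^    deprecated: /, "", msg)
      print key "\t" msg
    }
  ' "$1"
}

# count_deprecated LOCKFILE -> number of deprecated entries (useful as a CI gate)
count_deprecated() { find_deprecated "$1" | wc -l | tr -d ' '; }

find_deprecated "$SAMPLE_LOCK"
```

Run it against the real pnpm-lock.yaml in CI and fail the job when count_deprecated is non-zero; the comment's pnpm why step then tells you which parent package to update.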
c889ac3 to ce439f4
Bumps [rolldown](https://github.com/rolldown/rolldown/tree/HEAD/packages/rolldown) from 1.0.0-rc.9 to 1.0.0-rc.12.
- [Release notes](https://github.com/rolldown/rolldown/releases)
- [Changelog](https://github.com/rolldown/rolldown/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rolldown/rolldown/commits/v1.0.0-rc.12/packages/rolldown)

---
updated-dependencies:
- dependency-name: rolldown
  dependency-version: 1.0.0-rc.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

ce439f4 to e7692de
We don't need this dependency #65330.

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps rolldown from 1.0.0-rc.9 to 1.0.0-rc.12.
Release notes
Sourced from rolldown's releases.
... (truncated)
Changelog
Sourced from rolldown's changelog.
... (truncated)
Commits
- 917cc42 release: v1.0.0-rc.12 (#8903)
- 2cead17 fix: emit build warnings during watch mode rebuilds (#8897)
- eec7d73 fix(lazy-barrel): load import-then-export specifiers when barrel has local ex...
- cbc94c4 release: v1.0.0-rc.11 (#8876)
- 1ae17f6 revert: "release: v1.0.0-rc.11 (#8868)" (#8875)
- bacd228 release: v1.0.0-rc.11 (#8868)
- 47b365d fix(types): remove pluginName from MinimalPluginContext (#8864)
- 7f7f9c5 fix: handle negative indices, overlapping ranges, and moved content in MagicS...
- 050cd43 feat: magicString replace with regex (#8802)
- c35b547 feat: support output.sourcemapExcludeSources option (#8828)