Skip to content

Bump rollup from 4.24.0 to 4.60.3#102

Merged
guibranco merged 7 commits into
mainfrom
dependabot/npm_and_yarn/rollup-4.60.3
May 7, 2026
Merged

Bump rollup from 4.24.0 to 4.60.3#102
guibranco merged 7 commits into
mainfrom
dependabot/npm_and_yarn/rollup-4.60.3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 6, 2026

Bumps rollup from 4.24.0 to 4.60.3.

Release notes

Sourced from rollup's releases.

v4.60.2

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

v4.60.1

4.60.1

2026-03-30

Bug Fixes

  • Resolve a situation where side effect imports could be dropped due to a caching issue (#6286)

Pull Requests

... (truncated)

Changelog

Sourced from rollup's changelog.

4.60.3

2026-05-04

Bug Fixes

  • Ensure nested "exports" variables are not renamed (#6360)

Pull Requests

4.60.2

2026-04-18

Bug Fixes

  • Resolve a variable rendering bug when generating different formats from the same build (#6350)

Pull Requests

4.60.1

2026-03-30

... (truncated)

Commits
  • b47bdab 4.60.3
  • 15c5f33 Add again some unneeded dev dependencies, to make some builds succeed
  • 12195dc fix: do not rename nested "exports" bindings that do not conflict (#6360)
  • b74aa39 Migrate instructions to AGENTS.md
  • aa5a377 fix(deps): update minor/patch updates (#6365)
  • 197e68b chore(deps): update msys2/setup-msys2 digest to e989830 (#6364)
  • cded70a fix(deps): update swc monorepo (major) (#6366)
  • bb2b8a5 docs: add missing backticks in plugin-development (#6368)
  • 20af1c4 chore(deps): lock file maintenance (#6367)
  • a6be82b 4.60.2
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump rollup from 4.24.0 to 4.60.3
3b26579 
Bumps [rollup](https://github.com/rollup/rollup) from 4.24.0 to 4.60.3.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.24.0...v4.60.3)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.60.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github May 6, 2026

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot mentioned this pull request May 6, 2026
Closed
@github-actions github-actions Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 6, 2026
@deepsource-io
Copy link
Copy Markdown

deepsource-io Bot commented May 6, 2026
edited
Loading

DeepSource Code Review

We reviewed changes in 5c3a4a6...3b26579 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
JavaScript May 6, 2026 2:55p.m. Review ↗
Secrets May 6, 2026 2:55p.m. Review ↗
Code coverage May 6, 2026 2:55p.m. Review ↗

Important

AI Review is run only on demand for your team. We're only showing results of static analysis review right now. To trigger AI Review, comment @deepsourcebot review on this thread.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 6, 2026
edited
Loading

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Low
Potential code anomaly (AI signal): npm rollup is 100.0% likely to have a medium risk anomaly

Notes: No direct evidence of hidden malware behavior (no explicit network exfiltration, credential theft, or system command execution is visible). The dominant security concern is that this build tooling intentionally enables arbitrary code execution via new Function() for inline plugin arguments and via dynamic require()/import() of plugins and configs based on runtime-provided strings/paths, plus a stdin-to-module loader and codegen+temp-file+import for transpiled configs. If an attacker can influence CLI/CI inputs (e.g., --plugin, config path, or plugin argument text), the risk is high for build-time arbitrary code execution.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/vite@5.4.21npm/rollup@4.60.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.60.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm rollup

URLs: https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L612, https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L553, https://github.com/FredKSchott/rollup-plugin-polyfill-node, https://rollupjs.org/, output.name, https://aka.ms/vs/17/release/, https://github.com/npm/cli/issues/4828, https://requirejs.org/docs/api.html#jsfiles, https://v8.dev/blog/preparser#pife, https://github.com/facebook/react/issues/20031#issuecomment-710346866, syntheticExports.ad, https://github.com/substack/node-commondir, https://nodejs.org/api/path.html#path_path_resolve_paths, https://datatracker.ietf.org/doc/html/rfc2396, https://no-color.org, https://www.npmjs.com/package/chalk, https://github.com/rich-harris/magic-string, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_a_parameter, output.amd.id

Location: Package overview

From: package-lock.jsonnpm/vite@5.4.21npm/rollup@4.60.3

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup@4.60.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@guibranco guibranco enabled auto-merge (squash) May 6, 2026 15:08
@gstraccini gstraccini Bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label May 6, 2026
guibranco
guibranco approved these changes May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@guibranco guibranco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by gstraccini[bot]

@gstraccini gstraccini Bot added the 🤖 bot Automated processes or integrations label May 6, 2026
guibranco
guibranco approved these changes May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@guibranco guibranco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by gstraccini[bot]

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 7, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 7, 2026

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs 
2026-05-07T17:47:19Z INF scanning for exposed secrets...
5:47PM INF 94 commits scanned.
2026-05-07T17:47:19Z INF scan completed in 220ms
2026-05-07T17:47:19Z INF no leaks found

@guibranco guibranco merged commit a2b7341 into main May 7, 2026
15 of 16 checks passed
@guibranco guibranco deleted the dependabot/npm_and_yarn/rollup-4.60.3 branch May 7, 2026 17:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guibranco guibranco guibranco approved these changes

@gstraccini gstraccini[bot] gstraccini[bot] approved these changes

Assignees

@guibranco guibranco

Labels

☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) 🤖 bot Automated processes or integrations size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@guibranco