fix: upgrade rollup to fix CVE-2026-27606 #175

Open
gilescope wants to merge 1 commit into LFDT-Minokawa:main from gilescope:giles-upgrade-rollup

@gilescope
Upgrade rollup to >= 4.59.0 (or >= 3.30.0 for v3) to fix CVE-2026-27606 (GHSA-mw96-cpmx-2vgc)

- Lock-file-only change, no package.json modifications.

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope gilescope requested review from a team as code owners February 26, 2026 09:58
@kmillikin
Contributor

Thanks for the submission! I've enabled the CI actions for you.

@kmillikin kmillikin self-requested a review February 26, 2026 15:28
@kmillikin
Contributor

@gilescope this is failing on the CI tests; the compiler doesn't build. I don't know if you can see the failures or not.

It looks like it's trying to pull onchain-runtime-v3 from private GitHub instead of public npmjs (https://www.npmjs.com/package/@midnight-ntwrk/onchain-runtime-v3). The error is:

error: Cannot build '/nix/store/34wa4bbdzfrjd859ygmw5y3vcbkpx7rk-309476cd2c6ccb4c9b93c33dc927ac4f34a27910.drv'.
       Reason: builder failed with exit code 1.
       Output paths:
         /nix/store/yxvm47w9alqpx3wbyp1f9y0444rda2yq-309476cd2c6ccb4c9b93c33dc927ac4f34a27910
       Last 18 log lines:
       > structuredAttrs is enabled
       >
       > trying https://npm.pkg.github.com/download/@midnight-ntwrk/onchain-runtime-v3/3.0.0-rc.1/309476cd2c6ccb4c9b93c33dc927ac4f34a27910
       >   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
       >                                  Dload  Upload   Total   Spent    Left  Speed
       >   0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
       > curl: (22) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
       > Warning: Problem (retrying all errors). Will retry in 1 second. 3 retries left.
       >   0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
       > curl: (22) The requested URL returned error: 401
       > Warning: Problem (retrying all errors). Will retry in 2 seconds. 2 retries
       > Warning: left.
       >   0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
       > curl: (22) The requested URL returned error: 401
       > Warning: Problem (retrying all errors). Will retry in 4 seconds. 1 retry left.
       >   0     0   0     0   0     0     0     0  --:--:--  0:00:01 --:--:--     0
       > curl: (22) The requested URL returned error: 401
       > error: cannot download 309476cd2c6ccb4c9b93c33dc927ac4f34a27910 from any mirror
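
A lock-file-only change can alter where a package is fetched from without touching package.json, and the CI log above shows a fetch from npm.pkg.github.com. The following added example (not code from this repository or its contributors) flags lock entries resolved from a host outside an allow-list. It assumes an npm `package-lock.json` with a `packages` map; the function name, the allow-list and the sample entries are constructed for illustration.

```javascript
// Added example. Assumes npm package-lock.json (lockfileVersion 2/3) layout;
// findRegistryDrift and ALLOWED_HOSTS are illustrative names, not project code.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: public npm only

function findRegistryDrift(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Root project, workspace links and bundled deps carry no tarball URL.
    if (typeof entry.resolved !== 'string') continue;
    let url;
    try {
      url = new URL(entry.resolved);
    } catch {
      findings.push({ path, reason: 'unparseable resolved URL' });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ path, reason: `non-https source ${url.protocol}` });
    } else if (!allowedHosts.has(url.hostname)) {
      findings.push({ path, reason: `unexpected registry host ${url.hostname}` });
    } else if (!entry.integrity) {
      findings.push({ path, reason: 'missing integrity hash' });
    }
  }
  return findings;
}

// Constructed sample: two lock entries; the second URL is the one in the CI log above.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-root' },
    'node_modules/rollup': {
      version: '4.59.0',
      resolved: 'https://registry.npmjs.org/rollup/-/rollup-4.59.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/@midnight-ntwrk/onchain-runtime-v3': {
      version: '3.0.0-rc.1',
      resolved: 'https://npm.pkg.github.com/download/@midnight-ntwrk/onchain-runtime-v3/3.0.0-rc.1/309476cd2c6ccb4c9b93c33dc927ac4f34a27910',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

for (const f of findRegistryDrift(sampleLock)) console.log(`${f.path}: ${f.reason}`);
```

Run against the parsed lock file before and after a dependency bump, a check like this surfaces a registry change that the version diff alone does not show.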
