
fix(security): patch rollup and minimatch CVEs via pnpm overrides #580

Merged: ComBba merged 1 commit into main from fix/security-dependabot-alerts on Mar 3, 2026

Conversation

ComBba (Contributor) commented Mar 3, 2026

Summary

Resolves all 3 high-severity Dependabot security alerts by updating pnpm overrides.

Changes

Package     Before   After    CVE
rollup      4.57.1   4.59.0   Arbitrary File Write via Path Traversal
minimatch   10.2.2   10.2.4   ReDoS (GLOBSTAR segments + nested extglobs)

Details

  • rollup (transitive via vite → vitest): Added override "rollup@>=4.0.0 <4.59.0": "4.59.0"
  • minimatch (transitive via typedoc → orval): Updated existing override from "minimatch@<10.2.1": "10.2.2" to "minimatch@<10.2.3": "10.2.4"

Verification

  • Typecheck: ✅
  • Build: ✅
  • Unit Tests: 1196/1196 pass ✅
  • No vulnerable versions remain in lockfile ✅

Resolves Dependabot alerts #6, #7, #8.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated core dependency versions to improve stability and compatibility.

- rollup: 4.57.1 → 4.59.0 (CVE: Arbitrary File Write via Path Traversal)
- minimatch: 10.2.2 → 10.2.4 (CVE: ReDoS via GLOBSTAR and nested extglobs)

Resolves Dependabot alerts #6, #7, #8.
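The verification item "No vulnerable versions remain in lockfile" is the kind of check worth automating so it can run again on every future dependency bump. The following is an added example, not code from this PR or from the project: it parses the `overrides:` and `packages:` sections of a pnpm v9 lockfile (where override keys look like `'name@range'` and package keys look like `name@version`) with a line-oriented regex, then reports every resolved package whose version still falls inside an override range, that is, a version the override should have rewritten. The embedded lockfile excerpt is constructed for illustration (the integrity hashes are placeholders), and its second minimatch entry is deliberately left at 10.2.2 so the audit has something to report. The semver handling is a hypothetical minimal one that only understands `x.y.z` versions and space-separated comparators, which is enough for the ranges used in this PR.

```javascript
// Added example (not the PR's or the project's own code): audit a pnpm-lock.yaml
// for package entries that an override range should have rewritten but did not.

// Constructed sample lockfile excerpt; not the project's real pnpm-lock.yaml.
// minimatch@10.2.2 is left in on purpose so the audit reports it.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

overrides:
  'minimatch@<10.2.3': 10.2.4
  'rollup@>=4.0.0 <4.59.0': 4.59.0

packages:

  '@rollup/rollup-linux-x64-gnu@4.59.0':
    resolution: {integrity: sha512-PLACEHOLDER}

  minimatch@10.2.4:
    resolution: {integrity: sha512-PLACEHOLDER}

  minimatch@10.2.2:
    resolution: {integrity: sha512-PLACEHOLDER}

  rollup@4.59.0:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Minimal x.y.z comparison: negative, zero or positive like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10));
  const pb = b.split(".").map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Evaluates a space-separated comparator set such as ">=4.0.0 <4.59.0".
// Every clause must hold (pnpm override ranges are written this way).
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = clause.match(/^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const [, op = "=", target] = m;
    const c = compareVersions(version, target);
    switch (op) {
      case ">=": return c >= 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case "<": return c < 0;
      default: return c === 0;
    }
  });
}

// Line-oriented parse of the v9 lockfile: top-level keys switch the section,
// two-space-indented "name@spec" keys are entries of the current section.
// Scoped names ('@rollup/...@4.59.0') work because the name match is lazy and
// stops at the last '@' that still leaves a spec before the colon.
function parseLockfile(text) {
  const overrides = []; // { name, range, target }
  const packages = [];  // { name, version }
  let section = null;
  for (const raw of text.split("\n")) {
    const top = raw.match(/^(\w+):/);
    if (top) { section = top[1]; continue; }
    const entry = raw.match(/^ {2}'?(\S.*?)@([^']+?)'?:\s*(\S*)\s*$/);
    if (!entry) continue;
    const [, name, spec, value] = entry;
    if (section === "overrides") overrides.push({ name, range: spec, target: value });
    else if (section === "packages") packages.push({ name, version: spec });
  }
  return { overrides, packages };
}

// Returns a human-readable finding for each package entry whose resolved
// version is still inside an override range for that package name.
function findUnappliedOverrides(text) {
  const { overrides, packages } = parseLockfile(text);
  const findings = [];
  for (const pkg of packages) {
    for (const ov of overrides) {
      if (pkg.name === ov.name && satisfies(pkg.version, ov.range)) {
        findings.push(`${pkg.name}@${pkg.version} is inside override range "${ov.range}" (expected ${ov.target})`);
      }
    }
  }
  return findings;
}

// Stand-alone run against the constructed sample: prints one finding for minimatch@10.2.2.
if (typeof require !== "undefined" && require.main === module) {
  const findings = findUnappliedOverrides(SAMPLE_LOCKFILE);
  for (const f of findings) console.log("UNPATCHED:", f);
  if (findings.length === 0) console.log("all override ranges are clear");
}
```

In a CI job the same function would be run over the real `pnpm-lock.yaml` read from disk, and a non-empty result would fail the build; that turns the one-off "no vulnerable versions remain" check from this PR into a guard against a later lockfile regeneration quietly reintroducing a pre-patch version.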
gemini-code-assist bot commented
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's security by patching critical vulnerabilities in the rollup and minimatch packages. By leveraging pnpm overrides, specific secure versions of these transitive dependencies are enforced, directly resolving multiple high-severity Dependabot alerts and safeguarding against potential arbitrary file writes and regular expression denial-of-service attacks.

Highlights

  • Security Patches: Addressed three high-severity Dependabot security alerts by updating vulnerable packages.
  • Rollup Update: Updated the rollup package from version 4.57.1 to 4.59.0 to mitigate an Arbitrary File Write via Path Traversal vulnerability.
  • Minimatch Update: Updated the minimatch package from version 10.2.2 to 10.2.4 to resolve a Regular Expression Denial of Service (ReDoS) vulnerability.
  • Dependency Management: Implemented these security fixes by configuring pnpm overrides in package.json and pnpm-lock.yaml to enforce the patched versions.

Changelog

  • package.json
    • Updated the minimatch override range from <10.2.1 to <10.2.3 and its target version from 10.2.2 to 10.2.4.
    • Added a new rollup override for versions >=4.0.0 <4.59.0 to enforce 4.59.0.
  • pnpm-lock.yaml
    • Modified the minimatch override to target 10.2.4 for versions <10.2.3.
    • Added a rollup override to enforce version 4.59.0 for versions >=4.0.0 <4.59.0.
    • Updated resolutions for various @rollup/rollup-* platform-specific packages from 4.57.1 to 4.59.0.
    • Removed the explicit entry for [email protected].
    • Updated the rollup dependency version from 4.57.1 to 4.59.0 in the snapshots section.
    • Updated the minimatch dependency version from 10.2.2 to 10.2.4 in the snapshots section.

Activity

  • No specific human activity (comments, reviews, etc.) has been recorded for this pull request yet.

coderabbitai bot commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9b499f6 and 09faf88.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

The pnpm overrides section of package.json has been updated. The minimatch version constraint was changed from "<10.2.1": "10.2.2" to "<10.2.3": "10.2.4", and a new override for rollup, "rollup@>=4.0.0 <4.59.0": "4.59.0", was added. There is no change to control flow.

Changes

Cohort / File(s)                         Summary
Dependency Overrides (package.json)      Updated the minimatch version constraint (changed to <10.2.3) and added a new rollup override (pinned to 4.59.0)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

Suggested labels

size/XS

Poem

🐰 Tidying the dependencies,
keeping the versions in step,
minimatch and rollup
form a harmonious forest,
a small change, great stability! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. The PR description covers the summary and changes, but lacks required checklist items and verification output sections from the template. Resolution: please complete the description by adding the checklist section along with the full output of the verification commands (typecheck, lint, build, test).

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title accurately summarizes the main change: patching security vulnerabilities in rollup and minimatch via pnpm overrides.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@github-actions github-actions bot added the size/M label Mar 3, 2026

gemini-code-assist bot left a comment

Code Review

This pull request updates pnpm overrides in package.json to resolve security vulnerabilities in rollup and minimatch. The version for minimatch is updated, and a new override for rollup is added to enforce patched versions. The pnpm-lock.yaml file is updated to reflect these dependency changes. The modifications align with the goal of mitigating the described security risks.

@ComBba ComBba merged commit 6492c98 into main Mar 3, 2026
15 of 16 checks passed
@ComBba ComBba deleted the fix/security-dependabot-alerts branch March 3, 2026 10:54