Skip to content

chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability#47

Open
Jerricho93 wants to merge 1 commit into
videojs:mainfrom
Jerricho93:fix/security-vulnerabilities
Open

chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerability#47
Jerricho93 wants to merge 1 commit into
videojs:mainfrom
Jerricho93:fix/security-vulnerabilities

Conversation

@Jerricho93

@Jerricho93 Jerricho93 commented May 19, 2026

Copy link
Copy Markdown

Description

Fix security vulnerability in npm dependencies.

rollup was on a range that included versions <=2.79.2, which are affected by a DOM clobbering vulnerability (high severity). Bumped to ^2.80.0.

Specific Changes proposed

  • Bump rollup from ^2.38.0 to ^2.80.0 in devDependencies

Requirements Checklist

  • Feature implemented / Bug fixed
  • Unit Tests updated or fixed
  • Docs/guides updated
  • Reviewed by Two Core Contributors

@Jerricho93 @claude
chore(package): bump rollup to ^2.80.0 to fix DOM clobbering vulnerab…
7500a34 
…ility

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This was referenced May 19, 2026
Open
Draft
@codecov

codecov Bot commented May 20, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.80%. Comparing base (4833fd2) to head (7500a34).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #47   +/-   ##
=======================================
  Coverage   87.80%   87.80%           
=======================================
  Files          18       18           
  Lines        1279     1279           
  Branches      338      338           
=======================================
  Hits         1123     1123           
  Misses        156      156

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mister-ben

mister-ben commented May 20, 2026

Copy link
Copy Markdown
Contributor

npm audit flags issues with various dependencies of further videojs dev dependencies. Will you be updating those packages too?
@videojs/babel-config
@videojs/generator-helpers
videojs-generate-karma-config
videojs-generate-rollup-config
videojs-generator-verify
videojs-standard

@Jerricho93

Jerricho93 commented May 20, 2026

Copy link
Copy Markdown
Author

Thanks for the feedback! You're right, there were additional vulnerabilities coming from the videojs build toolchain packages (@videojs/babel-config, @videojs/generator-helpers, videojs-generate-karma-config, videojs-generate-rollup-config, videojs-generator-verify, videojs-standard), sorry I missed those. I've opened PRs for all of them as well:

videojs/babel-config#5
videojs/generator-helpers#10
videojs/videojs-generate-rollup-config#49
videojs/videojs-generate-karma-config#48
videojs/standard#71
videojs/videojs-generator-verify#16
Once these are merged and published, reinstalling in any downstream repo (like vhs-utils) should show found 0 vulnerabilities across the board.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jerricho93 @mister-ben