
VULN UPGRADE: minor upgrades — 18 packages (minor: 6 · patch: 12) [packages/tests] #283

Draft

campaigner-prod[bot] wants to merge 1 commit into master from engraver-auto-version-upgrade/minorpatch/npm/tests/1-1772806458

Conversation

@campaigner-prod

Summary: High-severity security update — 23 packages upgraded (MINOR changes included)

Manifests changed:

  • packages/tests (npm)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| rollup | 4.45.1 | 4.59.0 | minor | 2 HIGH |
| vite | 6.3.5 | 6.3.7 | patch | 2 MODERATE, 4 LOW |
| @datadog/browser-rum | 6.26.0 | 6.28.1 | minor | - |
| @jest/globals | 30.0.5 | 30.2.0 | minor | - |
| @playwright/test | 1.49.1 | 1.58.2 | minor | - |
| jest | 30.0.5 | 30.2.0 | minor | - |
| webpack | 5.100.2 | 5.105.3 | minor | 4 LOW |
| @rollup/plugin-commonjs | 28.0.1 | 28.0.9 | patch | - |
| @rspack/core | 1.4.9 | 1.4.11 | patch | - |
| chalk | 2.3.1 | 2.3.2 | patch | - |
| chalk | 2.3.1 | 2.3.2 | patch | - |
| chalk | 2.3.1 | 2.3.2 | patch | - |
| esbuild | 0.25.8 | 0.25.12 | patch | - |
| nock | 14.0.1 | 14.0.11 | patch | - |
| react | 19.0.0 | 19.0.4 | patch | - |
| react | 19.0.0 | 19.0.4 | patch | - |
| react-dom | 19.0.0 | 19.0.4 | patch | - |
| react-dom | 19.0.0 | 19.0.4 | patch | - |
| react-router-dom | 6.28.0 | 6.28.2 | patch | - |
| react-router-dom | 6.28.0 | 6.28.2 | patch | - |
| ts-jest | 29.4.0 | 29.4.6 | patch | - |
| ts-loader | 9.5.2 | 9.5.4 | patch | - |
| typescript | 5.4.3 | 5.4.5 | patch | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (2 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| rollup | GHSA-mw96-cpmx-2vgc | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.45.1 | 2.80.0 |
| rollup | CVE-2026-27606 | HIGH | Rollup 4 has Arbitrary File Write via Path Traversal | 4.45.1 | - |
ℹ️ Other Vulnerabilities (10)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| vite | GHSA-93m4-6634-74q7 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.3.5 | 7.1.11 |
| vite | CVE-2025-62522 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 6.3.5 | - |
| vite | GHSA-jqfw-vq24-v9c3 | LOW | Vite's server.fs settings were not applied to HTML files | 6.3.5 | 7.1.5 |
| vite | CVE-2025-58752 | LOW | Vite's server.fs settings were not applied to HTML files | 6.3.5 | - |
| vite | GHSA-g4jq-h2w9-997c | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.3.5 | 7.1.5 |
| vite | CVE-2025-58751 | LOW | Vite middleware may serve files starting with the same name with the public directory | 6.3.5 | - |
| webpack | GHSA-8fgc-7cc6-rx7x | LOW | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior | 5.100.2 | 5.104.1 |
| webpack | CVE-2025-68458 | LOW | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior | 5.100.2 | - |
| webpack | GHSA-38r7-794h-5758 | LOW | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence | 5.100.2 | 5.104.0 |
| webpack | CVE-2025-68157 | LOW | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects | 5.100.2 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official

datadog-official bot commented Mar 6, 2026

⚠️ Tests


⚠️ Warnings

🧪 9 Tests failed

Factory Helpers getContext [esbuild|3.1.1] Should have the right initial context. from ../factory/src/helpers/context.test.ts (Datadog)
expect(received).toBe(expected) // Object.is equality

Expected: "0.25.12"
Received: "0.25.8"

Factory Helpers getContext [rspack|3.1.1] Should have the right initial context. from ../factory/src/helpers/context.test.ts (Datadog)
expect(received).toBe(expected) // Object.is equality

Expected: "1.4.11"
Received: "1.4.9"

Factory Helpers getContext [vite|3.1.1] Should have the right initial context. from ../factory/src/helpers/context.test.ts (Datadog)
expect(received).toBe(expected) // Object.is equality

Expected: "6.3.7"
Received: "6.3.5"

ℹ️ Info

❄️ No new flaky tests detected

🔗 Commit SHA: a88dcc0
