Bump rollup from 4.43.0 to 4.59.0 in /src/boilerplates/vue/chi-vue-boilerplate#1964

Open
dependabot[bot] wants to merge 1 commit into
master from
dependabot/npm_and_yarn/src/boilerplates/vue/chi-vue-boilerplate/rollup-4.59.0
Conversation

@dependabot dependabot Bot commented on behalf of github Feb 26, 2026

Bumps rollup from 4.43.0 to 4.59.0.

Release notes

Sourced from rollup's releases.

v4.59.0

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

v4.58.0

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

v4.57.1

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.59.0

2026-02-22

Features

  • Throw when the generated bundle contains paths that would leave the output directory (#6276)

4.58.0

2026-02-20

Features

  • Also support __NO_SIDE_EFFECTS__ annotation before variable declarations declaring function expressions (#6272)

4.57.1

2026-01-30

Bug Fixes

  • Fix heap corruption issue in Windows (#6251)
  • Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)

... (truncated)

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for rollup since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [rollup](https://github.com/rollup/rollup) from 4.43.0 to 4.59.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.43.0...v4.59.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.59.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot requested a review from a team as a code owner February 26, 2026 15:30
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Feb 26, 2026
cl-aifel-test Bot commented Jun 29, 2026

🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Minor rollup bump (4.43.0→4.59.0) in a Vue boilerplate lockfile; no code impact and no applicable security advisories, but critical CI on master is passing at only 64% — stabilise the build pipeline before merging.

TL;DR

  • Merge: 🔍 review, then merge — the dependency itself is safe, but critical CI on master is below the health threshold (64.3% pass rate); confirm or address the failing critical checks before merging.
  • Breaks your code? ✅ Most likely not.
  • Security? ✅ no applicable advisories.
  • Update: rollup: you have 4.43.0, this PR installs 4.59.0 (minor, spans 21+ releases). Routine minor refresh spanning 21+ releases of features, bug fixes, and new platform targets; no breaking changes and no code impact.
| Signal | Value | Interpretation |
|---|---|---|
| Bump type | minor | The y component advanced from 4.43.0 to 4.59.0 within major version 4; semver contract guarantees backward-compatible additions only — no breaking changes are expected by version contract |
| Dependency risk | low | Minor bump within major 4; rollup is not imported anywhere in this repo's source (api_usage_found: false); the changelog for 4.43.0→4.59.0 contains only feature additions, bug fixes, and new platform targets — no breaking changes documented; nothing in this repo can be broken |
| Security risk | low | Advisory database returned 2 entries for rollup (GHSA-mw96-cpmx-2vgc and GHSA-gcx4-mw62-g8wm) but neither affects versions in the 4.43.x–4.59.x range; advisory_ids: [], max_cvss: null — clear on the security axis |
| CI health risk | high | 28 critical runs on master: pass 64.3%, flaky 0% → confidence low (pass rate below the 70% medium threshold); multiple Dependabot update-group workflows are failing; informational excluded: none |
| API usage in repo | false | Scanned for from 'rollup', require('rollup'), import('rollup'), and export … from 'rollup' — zero hits; rollup is not used directly in source; lockfile-only dependency in the Vue boilerplate subdirectory |
| Cross-repo signal | standalone | No publishable root manifest found in the repository root |
| Data completeness | complete | All 5 signals obtained (classification, api_usage, ci_health, cascade, release_notes) |
📋 Why this route + what AiFEL checked

Why this route?

escalate because: critical CI confidence is low — pass rate 64.3% (28 critical runs on master) is below the 70% threshold required for medium.

Escalation category: ci-health

Confidence breakdown — score: 0.85. List of factors:

  • ✅ Minor bump — backward-compatible by semver contract; no breaking changes in the 4.43.0→4.59.0 changelog

  • ✅ No in-repo usage of rollup API — api_usage_found: false; blast radius is zero

  • ✅ No advisories affecting 4.59.0; advisory_ids: [], max_cvss: null

  • ✅ Release notes present and reviewed for the full range

  • ✅ Data complete — all 5 signals obtained

  • ⚠️ Critical CI confidence low: pass rate 64.3% (≈18/28 critical runs passing on master) — deducted 0.15

  • 💡 To reach a lower route: Fix the failing critical workflows on master so the CI pass rate rises to ≥ 70% (medium CI confidence). With medium CI and no other risk signals, this minor bump would route to spot_check. Fixing informational workflows (e.g. Dependency Submission) will NOT change the route — only the classified-critical check failures matter.

What AiFEL checked

  1. Triage — classified minor (rollup 4.43.0→4.59.0).
  2. Symbol extraction — none found (0 import sites across 0 files; searched 4 patterns: from 'rollup', require('rollup'), import('rollup'), export … from 'rollup').
  3. Release-notes comparator — changelog reviewed for 4.43.0→4.59.0 (21+ releases, changelog truncated); all entries are features, bug fixes, and new platform/architecture targets; no breaking changes documented in the entire range.
  4. CI health — 28 critical runs on master: pass 64.3%, flaky 0% → confidence low; informational excluded: none.
  5. Cascade coordinator — 1 conflict: PR [DPEDE-1784](deps): Bump rollup from 2.79.2 to 2.80.0 #1996 bumps rollup to 2.80.0 (vs 4.59.0 here) — different major version tracks, but the same package name bumped to a different target version.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. rollup is not imported anywhere in this repo's source files — the bump only updates the lockfile entry in the Vue boilerplate subdirectory, and the documented changes across 4.43.0→4.59.0 touch no API your code calls.

Security advisories

Nothing still affects 4.59.0.

The advisory database returned 2 entries for rollup; neither applies to this version range:

  • GHSA-mw96-cpmx-2vgc (CVE-2026-27606, severity: high, CVSS: not scored): affected range < 2.80.0 — inapplicable to any v4 release; both 4.43.0 and 4.59.0 are unaffected.
  • GHSA-gcx4-mw62-g8wm (CVE-2024-47068, CVSS 6.4, severity: high): affected range >= 4.0.0, < 4.22.4 — both 4.43.0 and 4.59.0 are above 4.22.4 and outside the affected range.

Neither advisory is resolved by this bump; both were already inapplicable at the old version 4.43.0. Clear on the security axis.

Packages — what you have vs what this PR installs

| Ecosystem | Package | You have | This PR installs | What changes for you |
|---|---|---|---|---|
| npm | rollup | 4.43.0 | 4.59.0 | Routine minor refresh — 21+ releases of features, bug fixes, and new platform targets (loongarch64, openharmony-arm64, x86_64-pc-windows-gnu); no breaking changes, no code impact |

Machine-readable verdict
```json
{
  "schema_version": "1.1",
  "classification": "minor",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.85,
  "packages": [{"ecosystem": "npm", "name": "rollup", "old_version": "4.43.0", "new_version": "4.59.0"}],
  "breaking_changes": [],
  "cascade_conflicts": [{"pr": 1996, "to_version": "2.80.0"}],
  "summary": "Minor rollup bump (4.43.0→4.59.0) in a Vue boilerplate lockfile; no code impact and no applicable advisories; escalated because critical CI pass rate is 64.3% (below the 70% medium threshold).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-1964",
  "agent_version": "1.1.1-aw"
}
```

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.

@cl-aifel-test cl-aifel-test Bot added the aifel/escalate AiFEL: human review required (breaking change or risk) label Jun 29, 2026