VULN UPGRADE: rollup (major → 4.59.0) [node_modules/node-fetch]

[campaigner-prod]

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• node_modules/node-fetch (npm)

Updates

Package	From	To	Type	Vulnerabilities Fixed
rollup	0.63.4	4.59.0	major	4 HIGH

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (4 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
rollup	GHSA-gcx4-mw62-g8wm	HIGH	DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS	0.63.4	3.29.5
rollup	CVE-2024-47068	HIGH	DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS	0.63.4	-
rollup	GHSA-mw96-cpmx-2vgc	HIGH	Rollup 4 has Arbitrary File Write via Path Traversal	0.63.4	2.80.0
rollup	CVE-2026-27606	HIGH	Rollup 4 has Arbitrary File Write via Path Traversal	0.63.4	-

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment

---

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System