From 2082bb61fed9a86393d0cc2d74689a2c37e7c1dd Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Sat, 4 Apr 2026 23:15:04 -0700
Subject: [PATCH 1/2] fix(security): bump multer to 2.1.1 to fix HIGH CVEs

Bumps multer from ^2.0.2 to ^2.1.1 in server/package.json to resolve three HIGH-severity DoS vulnerabilities:
- GHSA-xf7r-hgr6-v32p (incomplete cleanup)
- GHSA-v52c-386h-88mc (crafted multipart)
- GHSA-2m88-8c7h-36gr (resource exhaustion)
All three are fixed in multer >= 2.1.0.
Fixes #2753
---
 server/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/package.json b/server/package.json
index b2d17ad3..a4d1407d 100644
--- a/server/package.json
+++ b/server/package.json
@@ -68,7 +68,7 @@
 "express": "^5.1.0",
 "hermes-paperclip-adapter": "^0.2.0",
 "jsdom": "^28.1.0",
- "multer": "^2.0.2",
+ "multer": "^2.1.1",
 "open": "^11.0.0",
 "pino": "^9.6.0",
 "pino-http": "^10.4.0",

From 866032eaaa0209af4a9a25694253814b646d2101 Mon Sep 17 00:00:00 2001
From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Date: Sun, 5 Apr 2026 14:33:05 -0700
Subject: [PATCH 2/2] fix(security): bump rollup to 4.59.0 to fix path-traversal CVE

Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup <4.59.0). Bumps the direct dependency in the plugin authoring example and adds a pnpm override for transitive copies via Vite.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package.json | 3 +++
 .../examples/plugin-authoring-smoke-example/package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 311a092f..58ffa103 100644
--- a/package.json
+++ b/package.json
@@ -51,6 +51,9 @@
 "pnpm": {
 "patchedDependencies": {
 "embedded-postgres@18.1.0-beta.16": "patches/embedded-postgres@18.1.0-beta.16.patch"
+ },
+ "overrides": {
+ "rollup": ">=4.59.0"
 }
 }
 }
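Review bot: Neither commit touches the pnpm lockfile (both diffstats list only package.json files), so if this workspace tracks pnpm-lock.yaml the new `"overrides"` block and the version bumps are not realised until it is regenerated — a CI `pnpm install --frozen-lockfile` fails on the mismatch, and an unfrozen install keeps whatever the stale lockfile resolves until someone refreshes it. If the lockfile is committed, the regenerated pnpm-lock.yaml belongs in this commit so the override actually replaces the rollup copies pulled in via Vite; if it is not tracked, a sentence in the commit message saying so would save the next reviewer the same question. The same gap applies to the multer bump in the first patch and to the example-package bump in the following hunk. Separately, `">=4.59.0"` is open-ended and will also pin any future rollup 5.x over what Vite declares; `"rollup": "^4.59.0"` would satisfy the advisory while staying within the major Vite was tested against, unless the wider range is intended.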
diff --git a/packages/plugins/examples/plugin-authoring-smoke-example/package.json b/packages/plugins/examples/plugin-authoring-smoke-example/package.json
index 66657e4a..61b27ab9 100644
--- a/packages/plugins/examples/plugin-authoring-smoke-example/package.json
+++ b/packages/plugins/examples/plugin-authoring-smoke-example/package.json
@@ -34,7 +34,7 @@
 "@types/node": "^24.6.0",
 "@types/react": "^19.0.8",
 "esbuild": "^0.27.3",
- "rollup": "^4.38.0",
+ "rollup": "^4.59.0",
 "tslib": "^2.8.1",
 "typescript": "^5.7.3",
 "vitest": "^3.0.5"