Bump rollup from 2.50.1 to 2.79.2 in /js-intl-polyfill

[dependabot]

Bumps rollup from 2.50.1 to 2.79.2.

Changelog

Sourced from rollup's changelog.

rollup changelog

4.22.4

2024-09-21

Bug Fixes

• Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)

Pull Requests

• #5670: refactor: Use object.prototype to check for reserved properties (@​YuHyeonWook)
• #5671: Fix DOM Clobbering CVE (@​lukastaegert)

4.22.3

2024-09-21

Bug Fixes

• Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)

Pull Requests

• #5669: Ensure impure dependencies of pure modules are added (@​lukastaegert)

4.22.2

2024-09-20

Bug Fixes

• Revert fix for side effect free modules until other issues are investigated (#5667)

Pull Requests

• #5667: Partially revert #5658 and re-apply #5644 (@​lukastaegert)

4.22.1

2024-09-20

Bug Fixes

• Revert #5644 "stable chunk hashes" while issues are being investigated

Pull Requests

• #5663: chore(deps): update dependency inquirer to v11 (@​renovate[bot], @​lukastaegert)

... (truncated)

Commits

• c9bd03d 2.79.2
• 48aef33 fix: resolve DOM Clobbering CVE-2024-43788 (backport to v2) (#5677)
• 69ff418 2.79.1
• 04dce1b Update changelog
• 159137e fix: typo docs and contributors link in CONTRIBUTING.md (#4639)
• e1392b3 Update type definition of resolveId (#4641)
• 7836357 Improve performance of chunk naming collision check (#4643)
• 71d20c9 Reduce permissions for repl-artefacts.yml workflow (#4630)
• 8193ea5 Adapt workflow to use Node 14 sub-version to work with branch protection
• 8477f8f 2.79.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[hitachivantarasonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[buildguy]

❌ Build failed in 19m 7s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox

---

👌 All tests passed!

Tests run: 2, Failures: 0, Skipped: 0    Test Results

---

ℹ️ This is an automatic message

[hitachivantarasonarqube]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage (33.70% Estimated after merge)
• No data about duplications (0.90% Estimated after merge)

Project ID: org.pentaho.ctools:cgg-parent

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT	org.hibernate:hibernate-core 5.4.24.Final	-	CVE-2026-0603
High	pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT	org.springframework:spring-core 5.3.39	[6.2.11]	CVE-2025-41249
High	pentaho:pentaho-platform-api:10.3.0.0-SNAPSHOT	com.sun.mail:javax.mail 1.6.1	-	CVE-2025-7962
Medium	pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT	org.springframework:spring-context 5.3.39	[6.1.14]	CVE-2024-38820
Low	pentaho:pentaho-platform-core:10.3.0.0-SNAPSHOT	org.springframework:spring-context 5.3.39	[6.1.20] [6.2.7]	CVE-2025-22233

🔬 Research Details

[ CVE-2026-0603 ] org.hibernate:hibernate-core 5.4.24.Final

Description:
Hibernate ORM is a powerful object/relational mapping solution for Java, which allows developing persistence logic for applications, libraries, and frameworks.

[ CVE-2025-41249 ] org.springframework:spring-core 5.3.39

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Spring Security's @EnableMethodSecurity is an annotation used to enable method-level security in a Spring application. It allows you to apply security constraints directly on methods (which represent web application endpoints) using annotations such as: @PreAuthorize, @PostAuthorize and more.

The core of the vulnerability lies in how the Spring Framework's MergedAnnotations API resolves annotations on methods within a type hierarchy that uses unresolved generics. For example, if a method with a security annotation is defined in a generic interface or superclass, and its child class or interface doesn't explicitly resolve the generic type, the Spring Framework might fail to detect the annotation.

The most significant impact of this vulnerability is the potential for authorization bypass in applications that use Spring Security's @EnableMethodSecurity feature. If an application's security is based on annotations and methods in a generic class hierarchy, this flaw could cause the security check to be incorrectly skipped.

For example, a developer might place a security annotation like @PreAuthorize on a method within a generic superclass. Due to the vulnerability, a call to the overridden method in a child class could bypass the security check, allowing an unauthorized user to execute the method's logic. This can lead to a denial of service or, in a worst-case scenario, authorization bypass.

Vulnerable code example:

import org.springframework.security.access.prepost.PreAuthorize;

// 1. Generic Superinterface with a security annotation
public interface GenericService<T> {

    @PreAuthorize("hasRole('ADMIN')")
    void performAction(T data);
}

// This class implements the generic interface but leaves the generic type unresolved.
public class ChildService<T> implements GenericService<...

**Remediation:**
##### Development mitigations

Do not use security annotations on methods in generic superclasses or generic interfaces. Define the security annotations directly on the child class. Other security annotations are not vulnerable.

</details>

<details>
<summary> <b>[ CVE-2025-7962 ] com.sun.mail:javax.mail 1.6.1</b> </summary>
<br>


**Description:**
Jakarta Mail defines a platform-independent and protocol-independent framework to build mail and messaging applications. The API allows sending and receiving emails using standard protocols like SMTP, POP3, and IMAP, supporting both text and multimedia content.
SMTP (Simple Mail Transfer Protocol) is used to send email between clients and servers. It is a text-based protocol that uses simple commands. In the SMTP protocol, CRLF (Carriage Return and Line Feed characters) act as the command separator. 

The vulnerability allows a SMTP Injection where an attacker injects the CRLF sequence into a data field (like an email address) to prematurely terminate the current command and inject new unauthorized SMTP commands, causing the server to relay forged messages.

When the vulnerable Jakarta Mail code gets the recipient address as a Unicode String, it first converts this string into raw ASCII byte stream for the SMTP connection. 

Specifically, the flaw is in the `sendCommand()` function that transmitted the attacker's input to the mail server, with no validation that the conversion to ASCII bytes does not contain the illegal CRLF characters. 

The attacker can use a specific sequence of non-ASCII Unicode characters (e.g. CJK characters) that would get substituted into the ASCII byte codes for the CRLF, and by this smuggle also unauthorized SMTP commands

The vulnerability is exploitable in any application that uses a vulnerable Jakarta Mail version and allows an attacker to input a string that is then used as a parameter (like a recipient address) in an outgoing email command (e.g. a form in the application where an unauthenticated user can enter an email address for a confirmation or follow-up.).

The attacker can provide as input to the application a non-ASCII Unicode string, which the vulnerable library converts into the full injection payload:

1ue@qq.com>\r\nRCPT TO:phising-victim@qq.com\r\nDATA\r\nSubject:PWNED\r\n\r\nHack!\r\n.\r\nQUIT\r\n

The injected CRLF at the beginning of t...

</details>

<details>
<summary> <b>[ CVE-2024-38820 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

</details>

<details>
<summary> <b>[ CVE-2025-22233 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:
  *  6.2.0 - 6.2.6

  *  6.1.0 - 6.1.19

  *  6.0.0 - 6.0.27

  *  5.3.0 - 5.3.42
  *  Older, unsupported versions are also affected



Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)Fix Version Availability 6.2.x
 6.2.7
OSS6.1.x
 6.1.20
OSS6.0.x
 6.0.28
 Commercial https://enterprise.spring.io/ 5.3.x
 5.3.43
 Commercial https://enterprise.spring.io/ 
No further mitigation steps are necessary.


Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.

For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit

This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

</details>

<details>
<summary> <b>Note:</b> </summary>


---
<div align='center'>

**Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. This features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.

</div>


</details>


---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.