Validate bundle stays within output dir by lukastaegert · Pull Request #6275 · rollup/rollup

lukastaegert · 2026-02-21T06:21:53Z

This PR contains:

Are tests included?

yes (bugfixes and features will not be merged without tests)
no

Breaking Changes?

yes (breaking changes will not be merged unless absolutely necessary)
no

List any relevant issue numbers:

Description

While this is technically a breaking change, I would still release it in a minor version as this could also be seen as an unexpected quirk and because it has some security implications.
Previously, it was possible to leave the designated output directory by using paths with ".." in the entry/chunk/assetFileNames properties, and for plugins by using such file names when emitting assets.
This change adds a validation at the end of the bundling process—but before files would be written—that throws an error in such cases.

vercel · 2026-02-21T06:21:58Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
rollup	Ready	Preview, Comment	Feb 21, 2026 6:33pm

github-actions · 2026-02-21T06:27:15Z

Thank you for your contribution! ❤️

You can try out this pull request locally by installing Rollup via

npm install rollup/rollup#prevent-path-traversal

Notice: Ensure you have installed the latest nightly Rust toolchain. If you haven't installed it yet, please see https://www.rust-lang.org/tools/install to learn how to download Rustup and install Rust.

or load it into the REPL:
https://rollup-rejjlm077-rollup-js.vercel.app/repl/?pr=6275

github-actions · 2026-02-21T06:28:27Z

Performance report

BUILD: 6933ms, 831 MB
- initialize: 0ms, 23.9 MB (+8%)
- generate module graph: 2617ms, 634 MB
  - generate ast: 1415ms, 627 MB
- sort and bind modules: 406ms, 692 MB
- mark included statements: 3902ms, 831 MB
  - treeshaking pass 1: 2273ms, 829 MB
  - treeshaking pass 2: 458ms, 845 MB
  - treeshaking pass 3: 396ms, 829 MB
  - treeshaking pass 4: 381ms, 853 MB
  - treeshaking pass 5: 379ms, 831 MB
GENERATE: 686ms, 936 MB
- initialize render: 0ms, 831 MB
- generate chunks: 37ms, 844 MB
  - optimize chunks: 0ms, 839 MB
- render chunks: 632ms, 909 MB
- transform chunks: 17ms, 936 MB
- generate bundle: 0ms, 936 MB

Copilot

Pull request overview

This PR adds validation to ensure all output file names remain within the designated output directory, preventing path traversal attacks where malicious or misconfigured code could write files outside the intended location. The validation occurs after the generateBundle plugin hook but before files are written, catching both configuration issues and plugin-injected paths that bypass earlier validation.

Changes:

Adds validation function to check all output bundle file names after finalization
Implements browser-compatible path.join() function for path normalization
Adds comprehensive test coverage for both valid and invalid path scenarios

Reviewed changes

Copilot reviewed 21 out of 22 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/Bundle.ts	Adds `validateOutputBundleFileNames()` function and calls it after bundle finalization
src/utils/logs.ts	Adds `logFileNameOutsideOutputDirectory()` error log function and error code
src/utils/path.ts	Exports `join` function from Node.js path module
browser/src/path.ts	Implements browser-compatible `join()` function and refactors `resolve()` to share normalization logic
test/function/samples/file-name-*	Adds tests for valid subdirectory paths, mid-path traversal, and leading dot-slash
test/function/samples/error-file-name-*	Adds tests for invalid path traversal, "..", ".", and deep traversal scenarios
test/browser/samples/error-file-name-path-traversal	Adds browser-specific test for path traversal detection
package-lock.json	Unrelated dependency lock file updates from running npm install

codecov · 2026-02-21T06:34:39Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.77%. Comparing base (33f39c1) to head (20a27a6).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #6275   +/-   ##
=======================================
  Coverage   98.77%   98.77%           
=======================================
  Files         273      273           
  Lines       10712    10725   +13     
  Branches     2855     2859    +4     
=======================================
+ Hits        10581    10594   +13     
  Misses         89       89           
  Partials       42       42

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated no new comments.

Copilot

Pull request overview

Copilot reviewed 26 out of 27 changed files in this pull request and generated 1 comment.

browser/src/path.ts

Copilot

Pull request overview

Copilot reviewed 31 out of 32 changed files in this pull request and generated 3 comments.

browser/src/path.ts

test/function/samples/file-name-subdirectory-is-valid/_config.js

src/Bundle.ts

Copilot

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated no new comments.

Copilot

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated 2 comments.

src/Bundle.ts

src/utils/logs.ts

When a file would leave the output dir, an error is thrown.

Copilot

Pull request overview

Copilot reviewed 35 out of 36 changed files in this pull request and generated no new comments.

github-actions · 2026-02-22T07:34:09Z

This PR has been released as part of rollup@4.59.0. You can test it via npm install rollup.

Adds the error added in rollup/rollup#6275

Copilot AI review requested due to automatic review settings February 21, 2026 06:21

Copilot started reviewing on behalf of lukastaegert February 21, 2026 06:25 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

vercel bot deployed to Preview February 21, 2026 06:46 View deployment

lukastaegert mentioned this pull request Feb 21, 2026

Validate bundle stays within output dir #6276

Merged

9 tasks

lukastaegert force-pushed the prevent-path-traversal branch from 79045d7 to f09bce5 Compare February 21, 2026 11:04

vercel bot deployed to Preview February 21, 2026 11:06 View deployment

lukastaegert mentioned this pull request Feb 21, 2026

Validate bundle stays within output dir #6277

Merged

9 tasks

lukastaegert force-pushed the prevent-path-traversal branch from f09bce5 to bab860a Compare February 21, 2026 12:18

vercel bot deployed to Preview February 21, 2026 12:20 View deployment

vercel bot deployed to Preview February 21, 2026 12:23 View deployment

lukastaegert requested a review from Copilot February 21, 2026 12:57

Copilot started reviewing on behalf of lukastaegert February 21, 2026 12:58 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

lukastaegert force-pushed the prevent-path-traversal branch 2 times, most recently from a2827ee to b7cbb89 Compare February 21, 2026 14:17

lukastaegert requested a review from Copilot February 21, 2026 14:17

vercel bot deployed to Preview February 21, 2026 14:19 View deployment

Copilot started reviewing on behalf of lukastaegert February 21, 2026 14:20 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

browser/src/path.ts Outdated Show resolved Hide resolved

lukastaegert force-pushed the prevent-path-traversal branch from b7cbb89 to c46a01b Compare February 21, 2026 15:33

vercel bot deployed to Preview February 21, 2026 15:35 View deployment

lukastaegert requested a review from Copilot February 21, 2026 16:07

Copilot started reviewing on behalf of lukastaegert February 21, 2026 16:07 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

browser/src/path.ts Outdated Show resolved Hide resolved

test/function/samples/file-name-subdirectory-is-valid/_config.js Show resolved Hide resolved

src/Bundle.ts Outdated Show resolved Hide resolved

lukastaegert force-pushed the prevent-path-traversal branch from c46a01b to ed69ca8 Compare February 21, 2026 16:53

lukastaegert requested a review from Copilot February 21, 2026 16:53

vercel bot deployed to Preview February 21, 2026 16:55 View deployment

Copilot started reviewing on behalf of lukastaegert February 21, 2026 16:55 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

lukastaegert force-pushed the prevent-path-traversal branch from ed69ca8 to 2cd521d Compare February 21, 2026 18:07

lukastaegert requested a review from Copilot February 21, 2026 18:07

vercel bot deployed to Preview February 21, 2026 18:09 View deployment

Copilot started reviewing on behalf of lukastaegert February 21, 2026 18:10 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

src/Bundle.ts Show resolved Hide resolved

src/utils/logs.ts Show resolved Hide resolved

lukastaegert added 3 commits February 21, 2026 19:31

Validate bundle stays within output dir

493da73

When a file would leave the output dir, an error is thrown.

Update audit-resolve again

816e2e6

Update agent instructions

20a27a6

lukastaegert force-pushed the prevent-path-traversal branch from 2cd521d to 20a27a6 Compare February 21, 2026 18:31

lukastaegert requested a review from Copilot February 21, 2026 18:33

vercel bot deployed to Preview February 21, 2026 18:33 View deployment

Copilot started reviewing on behalf of lukastaegert February 21, 2026 18:34 View session

Copilot AI reviewed Feb 21, 2026

View reviewed changes

lukastaegert merged commit c60770d into master Feb 22, 2026
52 checks passed

lukastaegert deleted the prevent-path-traversal branch February 22, 2026 06:58

sapphi-red mentioned this pull request Feb 24, 2026

feat: validate bundle stays within output dir rolldown/rolldown#8441

Merged

graphite-app bot pushed a commit to rolldown/rolldown that referenced this pull request Feb 24, 2026

feat: validate bundle stays within output dir (#8441)

69c2083

Adds the error added in rollup/rollup#6275

Uh oh!

Conversation

lukastaegert commented Feb 21, 2026

Description

Uh oh!

vercel bot commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Thank you for your contribution! ❤️

Uh oh!

github-actions bot commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Performance report

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

codecov bot commented Feb 21, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

github-actions bot commented Feb 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

vercel bot commented Feb 21, 2026 •

edited

Loading

github-actions bot commented Feb 21, 2026 •

edited

Loading

github-actions bot commented Feb 21, 2026 •

edited

Loading

codecov bot commented Feb 21, 2026 •

edited

Loading