Validate bundle stays within output dir

[lukastaegert]

This PR contains:

• bugfix
• feature
• refactor
• documentation
• other

Are tests included?

• yes (bugfixes and features will not be merged without tests)
• no

Breaking Changes?

• yes (breaking changes will not be merged unless absolutely necessary)
• no

List any relevant issue numbers:

Description

This is the backport of #6275 for Rollup 3

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
rollup	Error		Feb 21, 2026 6:47pm

[Copilot]

Pull request overview

This pull request backports #6275 from Rollup 4 to Rollup 3. It adds security validation to prevent bundle files from escaping the designated output directory through path traversal or other means. The validation is performed after the bundle is generated but before files are written.

Changes:

• Adds validation function to check output file names stay within the output directory
• Introduces new error code FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY with descriptive error message
• Implements path normalization and validation logic in both Node.js and browser builds
• Adds comprehensive test coverage for valid and invalid path scenarios

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/Bundle.ts	Adds validateOutputBundleFileNames function and integrates it into bundle generation
src/utils/logs.ts	Adds FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY error code and logFileNameOutsideOutputDirectory function
src/utils/path.ts	Exports join function from Node.js path module for path normalization
browser/src/path.ts	Implements browser-compatible join function and refactors resolve to use shared normalizePathSegments helper
test/function/samples/*	Adds comprehensive tests for valid subdirectory paths, normalized paths with .., and leading ./
test/function/samples/error-*	Adds tests for invalid scenarios: path traversal, dot, dot-dot, and deep traversal
test/browser/samples/error-file-name-path-traversal	Adds browser-specific test for path traversal validation

[Copilot]

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 24 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated no new comments.

[codecov]

Codecov Report

❌ Patch coverage is 92.30769% with 1 line in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (backports-rollup-3@dfd233d). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/Bundle.ts	90.90%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@                  Coverage Diff                  @@
##             backports-rollup-3    #6276   +/-   ##
=====================================================
  Coverage                      ?   98.93%           
=====================================================
  Files                         ?      226           
  Lines                         ?     8460           
  Branches                      ?     2323           
=====================================================
  Hits                          ?     8370           
  Misses                        ?       32           
  Partials                      ?       58           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated no new comments.

[lukastaegert]

This PR has been released as part of rollup@3.30.0. You can test it via npm install rollup.