
js(deps): Pin rollup and flatted to fix CVE-2026-27606 and CVE-2026-33228#11

Merged
danielinniss merged 2 commits into main from fix/rollup-flatted-cves on Mar 25, 2026

Conversation

@danielinniss

@danielinniss danielinniss commented Mar 25, 2026

Summary

Fixes CVE-2026-27606 (rollup path traversal) and CVE-2026-33228 (flatted prototype pollution) by pinning safe versions:

  • rollup: ≥4.59.0
  • flatted: ≥3.4.2

Also fixes an ESM compatibility issue by scoping minimatch/debug/diff to mocha (preventing ESM-only package resolution that breaks CommonJS tooling).

These vulnerabilities were identified during the CKEditor v47 upgrade assessment (LOB-1938).

Test plan

  • Verify dependencies resolve correctly
  • Build completes successfully
  • Run test suite to ensure no regressions

Note

Medium Risk
Primarily dependency resolution changes, but upgrading rollup (and related tooling in yarn.lock) could affect build output or packaging behavior if the toolchain has subtle breaking changes.

Overview
Pins dependency resolutions to address security issues by forcing rollup (>=4.59.0) and flatted (>=3.4.2) to patched versions.

Adds additional resolutions overrides for Mocha transitive deps (debug, diff, minimatch) and refreshes yarn.lock to reflect the new pinned versions (including updated @babel/helpers and Rollup platform binaries).

Written by Cursor Bugbot for commit 5380e9c.
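A `resolutions` entry in package.json forces every range for a package onto the pinned version, but only yarn.lock records what was actually resolved, and a second copy of the same package can survive at an old version (for example under a range the resolutions key did not match). The script below is an added example, not code from this PR or from the ckeditor5-math project: it parses a yarn v1 lockfile (the repository uses yarn 1.22.22) and reports every entry for rollup or flatted that is below the floors named in the description. The package names and floors come from the PR; the lockfile text embedded in the script is constructed for the example, and `parseYarnLock`, `compareSemver` and `findUnpatched` are names chosen here.

```javascript
// Added example: verify that every copy of a package recorded in a yarn v1
// lockfile meets a minimum version. Names and floors come from the PR; the
// sample lockfile below is constructed, not the project's yarn.lock.
'use strict';

// Parse a yarn v1 lockfile into [{ name, specs, version }] entries.
// Entry headers are unindented lines ending in ':', e.g.
//   rollup@^4.40.0, rollup@^4.59.0:
// followed by an indented `version "x.y.z"` line.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // Package name is everything before the last '@' (handles @scope/name@range).
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      current = { name, specs, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"$/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Compare two semver strings like a sort comparator (negative, 0, positive).
// Build metadata (+...) is ignored; a prerelease sorts below its release.
function compareSemver(a, b) {
  const parse = (v) => {
    const s = v.split('+')[0];
    const dash = s.indexOf('-');
    const core = dash === -1 ? s : s.slice(0, dash);
    const pre = dash === -1 ? null : s.slice(dash + 1).split('.');
    return { nums: core.split('.').map(Number), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { const d = Number(x) - Number(y); if (d !== 0) return d; }
    else if (nx) return -1;
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry for a package in `minimums` whose resolved version
// is below the required floor. An empty array means the pins took effect everywhere.
function findUnpatched(lockText, minimums) {
  return parseYarnLock(lockText)
    .filter((e) => Object.prototype.hasOwnProperty.call(minimums, e.name))
    .filter((e) => e.version === null || compareSemver(e.version, minimums[e.name]) < 0)
    .map((e) => ({ name: e.name, specs: e.specs, version: e.version, required: minimums[e.name] }));
}

// Floors stated in the PR description.
const MINIMUMS = { rollup: '4.59.0', flatted: '3.4.2' };

// Constructed sample lockfile: one range of flatted still resolves to an old
// version, which is exactly what a missed resolutions key would leave behind.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/helpers@^7.26.0":
  version "7.27.0"
  resolved "https://registry.yarnpkg.com/@babel/helpers/-/helpers-7.27.0.tgz"

flatted@^3.2.9:
  version "3.4.2"
  resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.4.2.tgz"

flatted@^2.0.0:
  version "2.0.2"
  resolved "https://registry.yarnpkg.com/flatted/-/flatted-2.0.2.tgz"

rollup@^4.40.0, rollup@^4.59.0:
  version "4.59.0"
  resolved "https://registry.yarnpkg.com/rollup/-/rollup-4.59.0.tgz"
  dependencies:
    "@types/estree" "1.0.6"
`;

// Usage: `node check-lock.js path/to/yarn.lock` checks a real lockfile and exits
// non-zero on a violation; with no argument it runs on the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2];
  const text = path ? require('fs').readFileSync(path, 'utf8') : SAMPLE_LOCK;
  const bad = findUnpatched(text, MINIMUMS);
  for (const v of bad) console.log(`${v.name} ${v.specs.join(', ')} -> ${v.version} (need >= ${v.required})`);
  if (path) process.exitCode = bad.length ? 1 : 0;
}
```

Running this against the real yarn.lock after `yarn install` is a cheap addition to the PR's test plan: it catches the case where a nested range (for example one reached only through a `mocha/...`-style scoped key) was left on the vulnerable version even though the top-level pin looks correct.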

@danielinniss danielinniss requested a review from a team as a code owner March 25, 2026 11:43
Collaborator

@tony tony left a comment


ckeditor5-math on  ckeditor5-spring-2026 ❯ yarn ts:build; yarn build:dist
yarn run v1.22.22
$ tsc -p ./tsconfig.release.json
✨  Done in 0.87s.
yarn run v1.22.22
$ node ./scripts/build-dist.mjs
1/2: Generating NPM build...
2/2: Generating browser build...
Browserslist: caniuse-lite is outdated. Please run:
  npx update-browserslist-db@latest
  Why you should do it regularly: https://github.com/browserslist/update-db#readme
✨  Done in 3.68s.
ckeditor5-math on  fix/rollup-flatted-cves ❯

@danielinniss danielinniss merged commit 0e2c75f into main Mar 25, 2026
2 checks passed
@danielinniss danielinniss deleted the fix/rollup-flatted-cves branch March 25, 2026 15:15
