fix: upgrade rollup 4.22.4 to avoid XSS

[delihiros]

Description

rollup before version 4.22.4 has a DOM Clobbering vulnerability which leads to XSS.
Considering the risk, we would like to upgrade the version.

• DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  GHSA-gcx4-mw62-g8wm

• Read the Contributing Guidelines at https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md.

• Check that there isn't already a PR that solves the problem the same way. If you find a duplicate, please help us reviewing it.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[delihiros]

Hi, I've resolved the conflict. Could you please review it again so it can be merged? Thank you.

[sapphi-red]

Let's wait until rollup/rollup#5672 is fixed, otherwise this will break many apps. (note that the CVE only affects non-ESM outputs)

For now, you can simply bump the transitive dependency on your side.

[delihiros]

The type definition has changed in estree 1.0.6, and vite needs to be addressed in order to successfully build the commit.

You can view the relevant commit here: DefinitelyTyped Commit.

One possible solution to this issue is to use a type assertion, as I understand that the local variable is of type Identifier.
We could modify the code in vite/packages/vite/src/node/plugins/importAnalysis.ts as follows:

  const importedName = (spec.local as Identifier).name;