fix: upgrade rollup 4.22.4 to avoid XSS #18180
Conversation
Hi, I've resolved the conflict. Could you please review it again so it can be merged? Thank you.
Let's wait until rollup/rollup#5672 is fixed, otherwise this will break many apps. (note that the CVE only affects non-ESM outputs)
For now, you can simply bump the transitive dependency on your side.
Co-authored-by: Sholom Aber <[email protected]>
The type definition has changed in You can view the relevant commit here: DefinitelyTyped Commit. One possible solution to this issue is to use a type assertion, as I understand that the const importedName = (spec.local as Identifier).name;
Description
rollup before version 4.22.4 has a DOM Clobbering vulnerability that leads to XSS.
Considering the risk, we would like to upgrade the version.
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
GHSA-gcx4-mw62-g8wm