[Security] Bump rollup from 4.17.2 to 4.32.0

Bumps rollup from 4.17.2 to 4.32.0. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.32.0

4.32.0

2025-01-24

Features

• Add watch.onInvalidate option to trigger actions immediately when a file is changed (#5799)

Bug Fixes

• Fix incorrect urls in CLI warnings (#5809)

Pull Requests

• #5799: Feature/watch on invalidate (@​drebrez, @​lukastaegert)
• #5808: chore(deps): update dependency vite to v6.0.9 [security] (@​renovate[bot])
• #5809: fix: avoid duplicate rollupjs.org prefix (@​GauBen, @​lukastaegert)
• #5810: chore(deps): update dependency @​shikijs/vitepress-twoslash to v2 (@​renovate[bot])
• #5811: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

v4.31.0

4.31.0

2025-01-19

Features

• Do not immediately quit when trying to use watch mode from within non-TTY environments (#5803)

Bug Fixes

• Handle files with more than one UTF-8 BOM header (#5806)

Pull Requests

• #5792: fix(deps): update rust crate swc_compiler_base to v8 (@​renovate[bot])
• #5793: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5794: chore(deps): lock file maintenance (@​renovate[bot])
• #5801: chore(deps): update dependency eslint-config-prettier to v10 (@​renovate[bot])
• #5802: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5803: Support watch mode in yarn, gradle and containers (@​lukastaegert)
• #5806: fix: strip all BOMs (@​TrickyPi)

v4.30.1

4.30.1

2025-01-07

Bug Fixes

... (truncated)

Changelog

Sourced from rollup's changelog.

4.32.0

2025-01-24

Features

• Add watch.onInvalidate option to trigger actions immediately when a file is changed (#5799)

Bug Fixes

• Fix incorrect urls in CLI warnings (#5809)

Pull Requests

• #5799: Feature/watch on invalidate (@​drebrez, @​lukastaegert)
• #5808: chore(deps): update dependency vite to v6.0.9 [security] (@​renovate[bot])
• #5809: fix: avoid duplicate rollupjs.org prefix (@​GauBen, @​lukastaegert)
• #5810: chore(deps): update dependency @​shikijs/vitepress-twoslash to v2 (@​renovate[bot])
• #5811: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])

4.31.0

2025-01-19

Features

• Do not immediately quit when trying to use watch mode from within non-TTY environments (#5803)

Bug Fixes

• Handle files with more than one UTF-8 BOM header (#5806)

Pull Requests

• #5792: fix(deps): update rust crate swc_compiler_base to v8 (@​renovate[bot])
• #5793: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5794: chore(deps): lock file maintenance (@​renovate[bot])
• #5801: chore(deps): update dependency eslint-config-prettier to v10 (@​renovate[bot])
• #5802: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot])
• #5803: Support watch mode in yarn, gradle and containers (@​lukastaegert)
• #5806: fix: strip all BOMs (@​TrickyPi)

4.30.1

2025-01-07

Bug Fixes

• Prevent invalid code when simplifying unary expressions in switch cases (#5786)

... (truncated)

Commits

• 2538304 4.32.0
• 41d01c2 fix: avoid duplicate rollupjs.org prefix (#5809)
• 56ba60f chore(deps): update dependency @​shikijs/vitepress-twoslash to v2 (#5810)
• 52b9e78 Feature/watch on invalidate (#5799)
• 6ba5278 fix(deps): lock file maintenance minor/patch updates (#5811)
• b3695a2 chore(deps): update dependency vite to v6.0.9 [security] (#5808)
• 15c264d 4.31.0
• b9eeec2 fix: strip all BOMs (#5806)
• 0e77fb7 Support watch mode in yarn, gradle and containers (#5803)
• 8e814a5 chore(deps): update dependency eslint-config-prettier to v10 (#5801)
• Additional commits viewable in compare view