[Security] Bump rollup from 4.17.2 to 4.34.1

Bumps rollup from 4.17.2 to 4.34.1. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.34.1

4.34.1

2025-02-03

Bug Fixes

• Ensure throwing objects includes the entire object (#5825)

Pull Requests

• #5825: Ensure that all properties of throw statements are included (@​lukastaegert)

v4.34.0

4.34.0

2025-02-01

Features

• Tree-shake unused properties in object literals (re-implements #5420) (#5737)

Pull Requests

• #5737: Reapply object tree-shaking (@​lukastaegert, @​TrickyPi)

v4.33.0

4.33.0

2025-02-01

Features

• Correctly detect literal value of more negated expressions (#5812)

Bug Fixes

• Use the correct with/assert attribute key in dynamic imports (#5818)
• Fix an issue where logical expressions were considered to have the wrong value (#5819)

Pull Requests

• #5812: feat: optimize the literal value of unary expressions (@​TrickyPi)
• #5816: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5817: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5818: support for changing the attributes key for dynamic imports (@​TrickyPi)
• #5819: Return UnknownValue if getLiteralValueAtPath is called recursively within logical expressions (@​TrickyPi)
• #5820: return null (@​kingma-sbw)

v4.32.1

... (truncated)

Changelog

Sourced from rollup's changelog.

4.34.1

2025-02-03

Bug Fixes

• Ensure throwing objects includes the entire object (#5825)

Pull Requests

• #5825: Ensure that all properties of throw statements are included (@​lukastaegert)

4.34.0

2025-02-01

Features

• Tree-shake unused properties in object literals (re-implements #5420) (#5737)

Pull Requests

• #5737: Reapply object tree-shaking (@​lukastaegert, @​TrickyPi)

4.33.0

2025-02-01

Features

• Correctly detect literal value of more negated expressions (#5812)

Bug Fixes

• Use the correct with/assert attribute key in dynamic imports (#5818)
• Fix an issue where logical expressions were considered to have the wrong value (#5819)

Pull Requests

• #5812: feat: optimize the literal value of unary expressions (@​TrickyPi)
• #5816: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #5817: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5818: support for changing the attributes key for dynamic imports (@​TrickyPi)
• #5819: Return UnknownValue if getLiteralValueAtPath is called recursively within logical expressions (@​TrickyPi)
• #5820: return null (@​kingma-sbw)

4.32.1

2025-01-28

... (truncated)

Commits

• 0f20524 4.34.1
• 32504b3 Ensure that all properties of throw statements are included (#5825)
• 979d628 4.34.0
• d7062ef Reapply object tree-shaking (#5737)
• 494483e 4.33.0
• 74a251f return null (#5820)
• 93c9c0e support for changing the attributes key for dynamic imports (#5818)
• caeffb3 Return UnknownValue if getLiteralValueAtPath is called recursively within log...
• acd142c fix(deps): lock file maintenance minor/patch updates (#5817)
• f412abd fix(deps): update swc monorepo (major) (#5816)
• Additional commits viewable in compare view