[Security] Bump rollup from 4.17.2 to 4.42.0

Bumps rollup from 4.17.2 to 4.42.0. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we've identified similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of JS code) living in the existing JavaScript code to transform it into executable code. For more information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts use import.meta and the output format is set to cjs/umd/iife. In such cases, rollup replaces the meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4
Affected versions: >= 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.42.0

4.42.0

2025-06-06

Features

  • Add option to allow the input to be located in the output in watch mode (#5966)

v4.41.2

4.41.2

2025-06-06

Bug Fixes

  • Detect named export usages in dynamic imports with then and non-arrow function expressions (#5977)
  • Do not replace usages of constant variables with their values for readability (#5968)

v4.41.1

4.41.1

2025-05-24

Bug Fixes

  • If a plugin calls this.resolve with skipSelf: true, subsequent calls when handling this by the same plugin with same parameters will return null to avoid infinite recursions (#5945)

v4.41.0

... (truncated)

Changelog

Sourced from rollup's changelog.

4.42.0

2025-06-06

Features

  • Add option to allow the input to be located in the output in watch mode (#5966)

4.41.2

2025-06-06

Bug Fixes

  • Detect named export usages in dynamic imports with then and non-arrow function expressions (#5977)
  • Do not replace usages of constant variables with their values for readability (#5968)

4.41.1

2025-05-24

Bug Fixes

  • If a plugin calls this.resolve with skipSelf: true, subsequent calls when handling this by the same plugin with same parameters will return null to avoid infinite recursions (#5945)

4.41.0

2025-05-18

... (truncated)

Commits
  • f763394 4.42.0
  • dddc00d feat: watch mode add allowInputInsideOutputPath option (#5966)
  • 13b4669 4.41.2
  • 149d94c Debug/fix watch pipeline (#5982)
  • 13992f2 Update README.md (#5976)
  • 224c900 fix: preserve constant identifiers in unary expressions instead of magic numb...
  • da88626 fix: consider function expression in thenable when tree-shaking dynamic impor...
  • 8f0dbc9 fix(deps): lock file maintenance minor/patch updates (#5981)
  • 4f69d33 chore(deps): update dependency yargs-parser to v22 (#5969)
  • 0fbd796 chore(deps): lock file maintenance (#5971)
  • Additional commits viewable in compare view