[Security] Bump rollup from 4.17.2 to 4.45.0

Bumps rollup from 4.17.2 to 4.45.0. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.45.0

4.45.0

2025-07-12

Features

• Improve tree-shaking when both branches of a conditional expression return the same boolean value (#6000)
• In environments that support both CJS and ESM, prefer the ESM build of Rollup (#6005)

Bug Fixes

• Ensure static blocks do not prevent tree-shaking if they access this (#6001)

Pull Requests

• #6000: feat: improve get literal value for conditional expression (@​ahabhgk, @​lukastaegert)
• #6001: Correct the parent scope for static blocks (@​TrickyPi, @​lukastaegert)
• #6005: fix: export field order prefer esm (@​DylanPiercey)

v4.44.2

4.44.2

2025-07-04

Bug Fixes

• Correctly handle @__PURE__ annotations after new keyword (#5998)
• Generate correct source mapping for closing braces of block statements (#5999)

Pull Requests

• #5998: Support @__PURE__ when nested after new in constructor invocations (@​TrickyPi)
• #5999: Add location info for closing brace of block statement (@​TrickyPi)
• #6002: chore(deps): update dependency vite to v7 (@​renovate[bot], @​lukastaegert)
• #6004: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

v4.44.1

4.44.1

2025-06-26

Bug Fixes

• Reinstate maxParallelFileOps limit of 1000 to resolve the issue for some (#5992)

Pull Requests

• #5988: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5992: Set maxParallelFileOps to 1000 (@​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.45.0

2025-07-12

Features

• Improve tree-shaking when both branches of a conditional expression return the same boolean value (#6000)
• In environments that support both CJS and ESM, prefer the ESM build of Rollup (#6005)

Bug Fixes

• Ensure static blocks do not prevent tree-shaking if they access this (#6001)

Pull Requests

• #6000: feat: improve get literal value for conditional expression (@​ahabhgk, @​lukastaegert)
• #6001: Correct the parent scope for static blocks (@​TrickyPi, @​lukastaegert)
• #6005: fix: export field order prefer esm (@​DylanPiercey)

4.44.2

2025-07-04

Bug Fixes

• Correctly handle @__PURE__ annotations after new keyword (#5998)
• Generate correct source mapping for closing braces of block statements (#5999)

Pull Requests

• #5998: Support @__PURE__ when nested after new in constructor invocations (@​TrickyPi)
• #5999: Add location info for closing brace of block statement (@​TrickyPi)
• #6002: chore(deps): update dependency vite to v7 (@​renovate[bot], @​lukastaegert)
• #6004: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

4.44.1

2025-06-26

Bug Fixes

• Reinstate maxParallelFileOps limit of 1000 to resolve the issue for some (#5992)

Pull Requests

• #5988: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #5992: Set maxParallelFileOps to 1000 (@​lukastaegert)

4.44.0

... (truncated)

Commits

• b7c7c11 4.45.0
• 7be41cb feat: improve get literal value for conditional expression (#6000)
• 1923218 fix: export field order prefer esm (#6005)
• 9cebb0b Correct the parent scope for static blocks (#6001)
• d6dd1e7 4.44.2
• af9fb94 List included PRs before release
• 7155102 Add location info for closing brace of block statement (#5999)
• a916563 Support @PURE when nested after new in constructor invocations (#5998)
• bd2d98c chore(deps): update dependency vite to v7 (#6002)
• 960c246 fix(deps): lock file maintenance minor/patch updates (#6004)
• Additional commits viewable in compare view