[Security] Bump rollup from 4.17.2 to 4.46.1

Bumps rollup from 4.17.2 to 4.46.1. This update includes a security fix.

Vulnerabilities fixed

DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

Summary

We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

It's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadget found in rollup

We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts uses import.meta and set output in format of cjs/umd/iife. In such cases, rollup replaces meta property with the URL retrieved from document.currentScript.

https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162

... (truncated)

Patched versions: 2.79.2; 3.29.5; 4.22.4 Affected versions: = 4.0.0, < 4.22.4

Release notes

Sourced from rollup's releases.

v4.46.1

4.46.1

2025-07-28

Bug Fixes

• Do not fail when using the in operator on external namespaces (#6036)

Pull Requests

• #6036: disables optimization for external namespace when using the in operator (@​TrickyPi)

v4.46.0

4.46.0

2025-07-27

Features

• Optimize in checks on namespaces to keep them treeshake-able (#6029)

Pull Requests

• #5991: feat: update linux-loongarch64-gnu (@​wojiushixiaobai, @​lukastaegert)
• #6029: feat: optimize in checks on namespaces to keep them treeshake-able (@​cyyynthia, @​lukastaegert)
• #6033: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)

v4.45.3

4.45.3

2025-07-26

Bug Fixes

• Do not fail build if a const is reassigned but warn instead (#6020)
• Fail with a helpful error message if an exported binding is not defined (#6023)

Pull Requests

• #6014: chore(deps): update dependency @​vue/language-server to v3 (@​renovate[bot])
• #6015: chore(deps): update dependency vue-tsc to v3 (@​renovate[bot], @​lukastaegert)
• #6016: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6017: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6020: Make const reassignments only a warning (@​lukastaegert)
• #6023: Throw descriptive error message for used export is not defined (@​TrickyPi)
• #6027: feat: upgrade to NAPI-RS 3 stable (@​Brooooooklyn)
• #6028: Update eslint-plugin-unicorn to resolve vulnerability (@​lukastaegert)
• #6034: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

... (truncated)

Changelog

Sourced from rollup's changelog.

4.46.1

2025-07-28

Bug Fixes

• Do not fail when using the in operator on external namespaces (#6036)

Pull Requests

• #6036: disables optimization for external namespace when using the in operator (@​TrickyPi)

4.46.0

2025-07-27

Features

• Optimize in checks on namespaces to keep them treeshake-able (#6029)

Pull Requests

• #5991: feat: update linux-loongarch64-gnu (@​wojiushixiaobai, @​lukastaegert)
• #6029: feat: optimize in checks on namespaces to keep them treeshake-able (@​cyyynthia, @​lukastaegert)
• #6033: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)

4.45.3

2025-07-26

Bug Fixes

• Do not fail build if a const is reassigned but warn instead (#6020)
• Fail with a helpful error message if an exported binding is not defined (#6023)

Pull Requests

• #6014: chore(deps): update dependency @​vue/language-server to v3 (@​renovate[bot])
• #6015: chore(deps): update dependency vue-tsc to v3 (@​renovate[bot], @​lukastaegert)
• #6016: fix(deps): update swc monorepo (major) (@​renovate[bot], @​lukastaegert)
• #6017: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)
• #6020: Make const reassignments only a warning (@​lukastaegert)
• #6023: Throw descriptive error message for used export is not defined (@​TrickyPi)
• #6027: feat: upgrade to NAPI-RS 3 stable (@​Brooooooklyn)
• #6028: Update eslint-plugin-unicorn to resolve vulnerability (@​lukastaegert)
• #6034: fix(deps): lock file maintenance minor/patch updates (@​renovate[bot], @​lukastaegert)

4.45.1

2025-07-15

... (truncated)

Commits

• 244dc20 4.46.1
• 6031a33 disables optimization for external namespace when using the in operator (#6036)
• 09794f1 4.46.0
• 9a8614f feat: optimize in checks on namespaces to keep them treeshake-able (#6029)
• fdd48a9 feat: update linux-loongarch64-gnu (#5991)
• 461b1ac fix(deps): update swc monorepo (major) (#6033)
• d6908c9 4.45.3
• ccdde29 Fix option name
• a29ef7a 4.45.2
• 9f3835e Fix package name for ppc64 architecture
• Additional commits viewable in compare view