[Security] Bump rollup from 4.21.0 to 4.22.4 in /frontend
Bumps rollup from 4.21.0 to 4.22.4. This update includes a security fix.
Vulnerabilities fixed
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Summary
A DOM Clobbering vulnerability was discovered in rollup when bundling scripts that use
import.meta.url
or with plugins that emit and reference asset files from code incjs
/umd
/iife
format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., animg
tag with an unsanitizedname
attribute) are present.It's worth noting that similar issues in other popular bundlers like Webpack (CVE-2024-43788) have been reported, which might serve as a good reference.
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in
rollup
A DOM Clobbering vulnerability in
rollup
bundled scripts was identified, particularly when the scripts usesimport.meta
and set output in format ofcjs
/umd
/iife
. In such cases,rollup
replaces meta property with the URL retrieved fromdocument.currentScript
.
... (truncated)
Patched versions: 4.22.4; 3.29.5 Affected versions: >= 4.0.0, < 4.22.4; < 3.29.5
Release notes
Sourced from rollup's releases.
v4.22.4
4.22.4
2024-09-21
Bug Fixes
- Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)
Pull Requests
- #5670: refactor: Use object.prototype to check for reserved properties (
@YuHyeonWook
)- #5671: Fix DOM Clobbering CVE (
@lukastaegert
)v4.22.3
4.22.3
2024-09-21
Bug Fixes
- Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)
Pull Requests
- #5669: Ensure impure dependencies of pure modules are added (
@lukastaegert
)v4.22.2
4.22.2
2024-09-20
Bug Fixes
- Revert fix for side effect free modules until other issues are investigated (#5667)
Pull Requests
- #5667: Partially revert #5658 and re-apply #5644 (
@lukastaegert
)v4.22.1
4.22.1
2024-09-20
Bug Fixes
- Revert #5644 "stable chunk hashes" while issues are being investigated
Pull Requests
... (truncated)
Changelog
Sourced from rollup's changelog.
4.22.4
2024-09-21
Bug Fixes
- Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)
Pull Requests
- #5670: refactor: Use object.prototype to check for reserved properties (
@YuHyeonWook
)- #5671: Fix DOM Clobbering CVE (
@lukastaegert
)4.22.3
2024-09-21
Bug Fixes
- Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)
Pull Requests
- #5669: Ensure impure dependencies of pure modules are added (
@lukastaegert
)4.22.2
2024-09-20
Bug Fixes
- Revert fix for side effect free modules until other issues are investigated (#5667)
Pull Requests
- #5667: Partially revert #5658 and re-apply #5644 (
@lukastaegert
)4.22.1
2024-09-20
Bug Fixes
- Revert #5644 "stable chunk hashes" while issues are being investigated
Pull Requests
- #5663: chore(deps): update dependency inquirer to v11 (
@renovate
[bot],@lukastaegert
)- #5664: chore(deps): lock file maintenance minor/patch updates (
@renovate
[bot])- #5665: fix: type in CI file (
@YuHyeonWook
)
... (truncated)
Commits
-
79c0aba
4.22.4 -
e2552c9
Fix DOM Clobbering CVE (#5671) -
10ab90e
refactor: Use object.prototype to check for reserved properties (#5670) -
e1cba8e
4.22.3 -
59cec3e
Ensure impure dependencies of pure modules are added (#5669) -
b86ffd7
4.22.2 -
d5ff63d
Partially revert #5658 and re-apply #5644 (#5667) -
0a821d9
Create SECURITY.md -
76e962d
4.22.1 -
68c23da
Partially revert #5644 - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts