Dependency 'rollup' vulnerability: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

[sacru2red]

ref: #3354

workbox/packages/workbox-build/package.json

Line 42 in c77dceb

"rollup": "^2.43.1",

[westonruter]

Please elaborate.

[erlichmen]

I'll try to add:

The version of rollup is quite old and has CVE-2024-47068, all sort of projects that uses workbox are affected by it (we got here by using docusaurus).

github depenbot gives this an 8.3 which is quite high.

[quarryman]

This is fixed in roll-up 3.29.5, 4.22.4.
Any plans to update roll-up?

[westonruter]

It seems to also be fixed in v2.79.2, and according to CVE-2024-47068 this version does not have the vulnerability:

This is the version which appears in the main branch:

workbox/package.json

Line 74 in acb3c2b

"rollup": "^2.79.2",

And in the most recent release:

workbox/package.json

Line 74 in c77dceb

"rollup": "^2.79.2",

This was done in #3359.

[quarryman]

This has been fixed for workbox directly, workbox-build still points to vulnerable version though

[westonruter]

@quarryman OK, I see that here:

workbox/packages/workbox-build/package.json

Line 42 in acb3c2b

"rollup": "^2.43.1",

And the actual version appearing in package-lock.json is 2.79.1:

workbox/packages/workbox-build/package-lock.json

Lines 2665 to 2667 in acb3c2b

	"node_modules/rollup": {
	"version": "2.79.1",
	"resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.1.tgz",

This needs to be 2.79.2 to include the fix. I'll open a PR to address that.