fix(deps): upgrade rollup 4.22.4+ to ensure avoiding XSS (#18180)

Co-authored-by: Sholom Aber <[email protected]>
vitejs · Sep 30, 2024 · ea1d0b9 · ea1d0b9
1 parent a44b0a2
commit ea1d0b9
Show file tree

Hide file tree

Showing 4 changed files with 446 additions and 445 deletions.
diff --git a/package.json b/package.json
@@ -68,7 +68,7 @@
     "playwright-chromium": "^1.47.2",
     "prettier": "3.3.3",
     "rimraf": "^5.0.10",
-    "rollup": "^4.20.0",
+    "rollup": "^4.22.5",
     "rollup-plugin-esbuild": "^6.1.1",
     "simple-git-hooks": "^2.11.1",
     "tslib": "^2.7.0",

diff --git a/packages/vite/package.json b/packages/vite/package.json
@@ -87,7 +87,7 @@
   "dependencies": {
     "esbuild": "^0.24.0",
     "postcss": "^8.4.47",
-    "rollup": "^4.20.0"
+    "rollup": "^4.22.5"
   },
   "optionalDependencies": {
     "fsevents": "~2.3.3"

diff --git a/packages/vite/src/node/plugins/importAnalysis.ts b/packages/vite/src/node/plugins/importAnalysis.ts
@@ -13,6 +13,7 @@ import type { StaticImport } from 'mlly'
 import { ESM_STATIC_IMPORT_RE, parseStaticImport } from 'mlly'
 import { makeLegalIdentifier } from '@rollup/pluginutils'
 import type { PartialResolvedId } from 'rollup'
+import type { Identifier } from 'estree'
 import {
   CLIENT_DIR,
   CLIENT_PUBLIC_PATH,
@@ -984,7 +985,7 @@ export function transformCjsImport(
       ) {
         // for ExportSpecifier, local name is same as imported name
         // prefix the variable name to avoid clashing with other local variables
-        const importedName = spec.local.name
+        const importedName = (spec.local as Identifier).name
         // we want to specify exported name as variable and re-export it
         const exportedName = spec.exported.name
         if (exportedName === 'default') {