fix!: Rollup build XSS vulnerability (CVE-2024-43788) #759
✅ Deploy Preview for vite-plugin-pwa-legacy ready!
When will this update work?
Check #758 (comment) (I need to do some final test)
Dropping support for vite 3 seems a bit drastic to me. 👀
This workbox PR merged but not yet released: GoogleChrome/workbox#3359
I guess we don't need this PR, we can just update Rollup version.
Tested this new PR with Vite 3.2.1 and it is working: #781
superseded by #781
Description
This PR removes Rollup from dependencies, using the exported types from Vite.
This is breaking since we need Vite 4.2.0+ to re-use exported Rollup types included in this PR vitejs/vite#12316 (included in Vite 4.2.0-beta.2 (2023-03-13)).
This PR doesn't solve CVE-2024-43788 since workbox-build and Vite have the same problem as pointed in the linked issue, the consumer should use overrides, resolutions or pnpm.overrides to override Rollup version.
Once Vite and workbox-build fix the vulnerability the PWA plugin should be ready.
superseded by #781
Linked Issues
closes #758
Additional Context
This PR may or may not work when overriding Rollup 4.22.4: workbox-build
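Added example, not code from this PR or from the plugin: after setting overrides, resolutions or pnpm.overrides as the description suggests, a check like the one below lists every Rollup copy that an npm lockfile resolves, so copies nested under Vite or workbox-build are not missed. The sample lockfile, the function names and the floor table are assumptions made for illustration; only the 4.22.4 floor comes from this page, and the code reads the npm lockfile format only.

```javascript
// Patched floor per Rollup major. Only the 4.x value appears on this page;
// floors for other majors must be taken from the advisory (left empty here).
const PATCHED_FLOOR = { 4: '4.22.4' };

// Constructed sample of an npm v3 lockfile "packages" map (not real project data).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/rollup': { version: '4.22.4' },
    'node_modules/vite/node_modules/rollup': { version: '4.21.0' },
    'node_modules/workbox-build/node_modules/rollup': { version: '2.79.1' },
    'node_modules/@rollup/plugin-terser': { version: '0.4.4' },
  },
};

// Compare two x.y.z versions; returns <0, 0 or >0.
// Prerelease suffixes are ignored (simplifying assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return one finding per installed copy of Rollup, hoisted or nested.
function auditRollup(lock, floors = PATCHED_FLOOR) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/rollup" or "node_modules/vite/node_modules/rollup".
    if (!/(^|\/)node_modules\/rollup$/.test(path)) continue;
    const floor = floors[Number(meta.version.split('.')[0])];
    // A major without a known floor is reported, not silently passed.
    const status = !floor ? 'unverified'
      : compareVersions(meta.version, floor) >= 0 ? 'ok' : 'below-floor';
    // Package that owns this copy; "(root)" when hoisted to the top level.
    const owner = path.replace(/\/?node_modules\/rollup$/, '')
      .split('node_modules/').pop() || '(root)';
    findings.push({ path, owner, version: meta.version, status });
  }
  return findings;
}

console.table(auditRollup(SAMPLE_LOCK));
```

A nested copy reported as below-floor or unverified means the override did not reach that dependency's own Rollup, which is the situation the description warns about for Vite and workbox-build.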