From 71ddc247b70d5ab54b8b86e86c377045a624fad3 Mon Sep 17 00:00:00 2001
From: userquin
Date: Tue, 24 Sep 2024 19:56:49 +0200
Subject: [PATCH] fix!: Rollup build XSS vulnerability (CVE-2024-43788)
---
 package.json | 3 +--
 pnpm-lock.yaml | 3 ---
 src/types.ts | 11 +++++------
 3 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/package.json b/package.json
index 5551c99e..7beb6cf2 100644
--- a/package.json
+++ b/package.json
@@ -111,7 +111,7 @@
 },
 "peerDependencies": {
 "@vite-pwa/assets-generator": "^0.2.6",
- "vite": "^3.1.0 || ^4.0.0 || ^5.0.0",
+ "vite": "^4.2.0 || ^5.0.0",
 "workbox-build": "^7.1.0",
 "workbox-window": "^7.1.0"
 },
@@ -145,7 +145,6 @@
 "prompts": "^2.4.2",
 "publint": "^0.2.5",
 "react": "^18.2.0",
- "rollup": "^4.4.1",
 "solid-js": "^1.8.5",
 "svelte": "^4.2.5",
 "tsup": "^7.3.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a73f9486..a5638730 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -75,9 +75,6 @@ importers:
 react:
 specifier: ^18.2.0
 version: 18.2.0
- rollup:
- specifier: ^4.4.1
- version: 4.4.1
 solid-js:
 specifier: ^1.8.5
 version: 1.8.5
diff --git a/src/types.ts b/src/types.ts
index 808ed167..3e833299 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,6 +1,5 @@
-import type { BuildOptions, InlineConfig, Plugin, ResolvedConfig, UserConfig } from 'vite'
+import type { BuildOptions, InlineConfig, Plugin, ResolvedConfig, Rollup, UserConfig } from 'vite'
 import type { GenerateSWOptions, InjectManifestOptions, ManifestEntry } from 'workbox-build'
-import type { OutputBundle, RollupOptions } from 'rollup'
 import type { BuiltInPreset, Preset } from '@vite-pwa/assets-generator/config'
 import type { HtmlLinkPreset } from '@vite-pwa/assets-generator/api'
 import type { PWAAssetsGenerator } from './pwa-assets/types'
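Review bot: The narrowed peer range `"vite": "^4.2.0 || ^5.0.0"` in the first package.json hunk does not by itself keep a vulnerable Rollup out of a consumer's build. The service worker is presumably bundled with whatever Rollup the installed Vite resolves, and nothing visible in this patch constrains that version. Dropping the direct `"rollup": "^4.4.1"` devDependency in the second hunk removes the pinned copy but adds no floor either. I would state in the release notes the minimum Rollup release that carries the CVE-2024-43788 fix (`<patched-rollup-version>`), and add a CI step such as `pnpm why rollup` or `pnpm audit` so the resolved version is checked rather than assumed.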
@@ -78,13 +77,13 @@ export type CustomInjectManifestOptions = InjectManifestOptions & {
 * **WARN**: this option is for advanced usage, beware, you can break your application build.
 */
 buildPlugins?: {
- rollup?: RollupOptions['plugins']
+ rollup?: Rollup.RollupOptions['plugins']
 vite?: UserConfig['plugins']
 }
 /**
 * Since `v0.15.0` you can add custom Rollup options to build your service worker: we expose the same configuration to build a worker using Vite.
 */
- rollupOptions?: Omit
+ rollupOptions?: Omit

 /**
 * Environment options.
@@ -407,7 +406,7 @@ export interface VitePWAOptions {
 export interface ResolvedServiceWorkerOptions {
 format: 'es' | 'iife'
 plugins?: Plugin[]
- rollupOptions: RollupOptions
+ rollupOptions: Rollup.RollupOptions
 }

 export interface ResolvedVitePWAOptions extends Required> {
@@ -706,7 +705,7 @@ export interface VitePluginPWAAPI {
 /*
 * Explicitly generate the manifests.
 */
- generateBundle(bundle?: OutputBundle): OutputBundle | undefined
+ generateBundle(bundle?: Rollup.OutputBundle): Rollup.OutputBundle | undefined
 /*
 * Explicitly generate the PWA services worker.
 */
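Review bot: The doc comment above `rollupOptions` in the first src/types.ts hunk on this line still speaks of plain "custom Rollup options", although the type now comes from the `Rollup` namespace re-exported by `vite`. The accepted shape therefore presumably follows whichever Rollup version the installed Vite bundles, which matters for a commit marked breaking (`fix!`). I would add a line such as `* Types come from the Rollup version bundled with the installed Vite (import type { Rollup } from 'vite').` to that comment and to the one on `buildPlugins`. The same applies to `ResolvedServiceWorkerOptions.rollupOptions` and `generateBundle` in the two later hunks. The enclosing type declarations start and end outside these hunks.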