fix!: Rollup build XSS vulnerability (CVE-2024-43788)

[userquin]

Description

This PR removes Rollup from dependencies, using the exported types from Vite.

This is breaking since we need Vite 4.2.0+ to re-use exported Rollup types included in this PR vitejs/vite#12316 (included in Vite 4.2.0-beta.2 (2023-03-13)).

This PR doesn't solve CVE-2024-43788 since workbox-build and Vite have the same problem as pointed in the linked issue, the consumer should use overrides, resolutions or pnpm.overrides to override Rollup version.

Once Vite and workbox-build fix the vulnerability the PWA plugin should be ready.

superseded by #781

Linked Issues

closes #758

Additional Context

This PR may or may not work when overriding Rollup 4.22.4:

• the consumer using some missing options in the new version
• same problem with Vite
• same problem with workbox-build

---

Tip

The author of this PR can publish a preview release by commenting /publish below.

[netlify]

✅ Deploy Preview for vite-plugin-pwa-legacy ready!

Name	Link
🔨 Latest commit	71ddc24
🔍 Latest deploy log	https://app.netlify.com/sites/vite-plugin-pwa-legacy/deploys/66f2ffa3e0c7300008b044af
😎 Deploy Preview	https://deploy-preview-759--vite-plugin-pwa-legacy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[pkg-pr-new]

pnpm add https://pkg.pr.new/vite-plugin-pwa@759

commit: 71ddc24

[leeobrum]

when will it work this update?

[userquin]

Check #758 (comment) (I need to do some final test)

[fabianszabo]

Dropping support for vite 3 seems a bit drastic to me. 👀

[userquin]

This workbox PR merged but not yet released: GoogleChrome/workbox#3359

I guess we don't need this PR, we can just update Rollup version.

[userquin]

Dropping support for vite 3 seems a bit drastic to me. 👀

Tested this new PR with Vite 3.2.1 and it is working: #781

[userquin]

superseded by #781