fix(deps): upgrade rollup 4.22.4+ to ensure avoiding XSS

[delihiros]

Description

rollup before version 4.22.4 has a DOM Clobbering vulnerability which leads to XSS.
Considering the risk, we would like to upgrade the version.

• DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
  GHSA-gcx4-mw62-g8wm

• Read the Contributing Guidelines at https://github.com/vitejs/vite/blob/main/CONTRIBUTING.md.

• Check that there isn't already a PR that solves the problem the same way. If you find a duplicate, please help us reviewing it.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[delihiros]

Hi, I've resolved the conflict. Could you please review it again so it can be merged? Thank you.

[sapphi-red]

Let's wait until rollup/rollup#5672 is fixed, otherwise this will break many apps. (note that the CVE only affects non-ESM outputs)

For now, you can simply bump the transitive dependency on your side.

[delihiros]

The type definition has changed in estree 1.0.6, and vite needs to be addressed in order to successfully build the commit.

You can view the relevant commit here: DefinitelyTyped Commit.

One possible solution to this issue is to use a type assertion, as I understand that the local variable is of type Identifier.
We could modify the code in vite/packages/vite/src/node/plugins/importAnalysis.ts as follows:

  const importedName = (spec.local as Identifier).name;

[bluwy]

In case it's not clear for those blocked by this, you can already use your package manager to update Vite's Rollup dependency transitively, you don't need Vite to bump it for the version to be bumped in your project, so this shouldn't block anyone.

[sapphi-red]

The type definition has changed in estree 1.0.6, and vite needs to be addressed in order to successfully build the commit.

You can view the relevant commit here: DefinitelyTyped Commit.

One possible solution to this issue is to use a type assertion, as I understand that the local variable is of type Identifier. We could modify the code in vite/packages/vite/src/node/plugins/importAnalysis.ts as follows:

  const importedName = (spec.local as Identifier).name;

For this PR, I think this change is fine to focus on updating rollup.

[BreakBB]

Are there any plans to cherry-pick this to a v5 update? Currently the vulnerability is only fixed in the v6 beta versions.

[sapphi-red]

No, because it's not necessary to do so.
Quoting the message above:

In case it's not clear for those blocked by this, you can already use your package manager to update Vite's Rollup dependency transitively, you don't need Vite to bump it for the version to be bumped in your project, so this shouldn't block anyone.