fix(deps): upgrade rollup 4.22.4+ to ensure avoiding XSS (#18180)

delihiros · SholomAber · web-flow · commit ea1d0b9af9b2 · 2024-09-30T14:06:20.000+09:00
Co-authored-by: Sholom Aber &lt;SholomAber@users.noreply.github.com&gt;
diff --git a/package.json b/package.json
@@ -68,7 +68,7 @@
     "playwright-chromium": "^1.47.2",
     "prettier": "3.3.3",
     "rimraf": "^5.0.10",
-    "rollup": "^4.20.0",
+    "rollup": "^4.22.5",
     "rollup-plugin-esbuild": "^6.1.1",
     "simple-git-hooks": "^2.11.1",
     "tslib": "^2.7.0",
diff --git a/packages/vite/package.json b/packages/vite/package.json
@@ -87,7 +87,7 @@
   "dependencies": {
     "esbuild": "^0.24.0",
     "postcss": "^8.4.47",
-    "rollup": "^4.20.0"
+    "rollup": "^4.22.5"
   },
   "optionalDependencies": {
     "fsevents": "~2.3.3"
diff --git a/packages/vite/src/node/plugins/importAnalysis.ts b/packages/vite/src/node/plugins/importAnalysis.ts
@@ -13,6 +13,7 @@ import type { StaticImport } from 'mlly'
 import { ESM_STATIC_IMPORT_RE, parseStaticImport } from 'mlly'
 import { makeLegalIdentifier } from '@rollup/pluginutils'
 import type { PartialResolvedId } from 'rollup'
+import type { Identifier } from 'estree'
 import {
   CLIENT_DIR,
   CLIENT_PUBLIC_PATH,
@@ -984,7 +985,7 @@ export function transformCjsImport(
       ) {
         // for ExportSpecifier, local name is same as imported name
         // prefix the variable name to avoid clashing with other local variables
-        const importedName = spec.local.name
+        const importedName = (spec.local as Identifier).name
         // we want to specify exported name as variable and re-export it
         const exportedName = spec.exported.name
         if (exportedName === 'default') {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
