GoogleChrome / workbox

📦 Workbox: JavaScript libraries for Progressive Web Apps
https://developers.google.com/web/tools/workbox/
MIT License

Update rollup to latest version from 2.79.1 to 4.21.1 #3347

Open neelrocketbots opened 1 month ago

neelrocketbots commented 1 month ago

The rollup dependency is quite behind and requires an update. Since it's in devDependencies, not peerDependencies, it affects the package-lock.json, causing versioning conflicts.

MCW77 commented 3 weeks ago

+1

qwertychouskie commented 1 week ago

This is now the subject of an 8.3 score CVE: https://github.com/advisories/GHSA-gcx4-mw62-g8wm

For now, this is my overrides list in package.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.

tajirhas9 commented 1 week ago

As mentioned by @qwertychouskie, rollup versions >= 4.0.0 and < 4.22.4 are subject to an 8.3-score CVE: GHSA-gcx4-mw62-g8wm. So, instead of updating to rollup version 4.21.1, 4.22.4 should be used, as version 4.22.4 contains the patch for the mentioned vulnerability.
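The thread above ends up with two practical questions: which copies of rollup in a lockfile are actually in the advisory's ranges (including nested copies under workbox-build that a top-level bump does not touch), and which `overrides` keys are needed to force them forward. The script below is an added example, not code from Workbox or from any commenter. It audits a lockfileVersion 2/3 `packages` map by resolving each dependent's rollup the way Node does and emits the overrides. The patched releases 4.22.4 and 3.29.5 come from the thread; 2.79.2 as the 2.x fix is taken from the advisory itself and is an assumption to verify there. The lockfile excerpt is constructed for the demo and its version numbers are chosen to mirror the thread, not copied from a real install.

```javascript
// Added example, not Workbox project code: audit an npm package-lock.json
// (lockfileVersion 2/3 "packages" map) for rollup copies in the
// GHSA-gcx4-mw62-g8wm ranges and emit package.json "overrides" entries that pin
// each dependent to the patched release of the major line it already uses.
// 4.22.4 and 3.29.5 are cited in the issue thread; 2.79.2 is the 2.x fix listed
// in the advisory (assumption: check the advisory before relying on it).
const PATCHED = { 2: '2.79.2', 3: '3.29.5', 4: '4.22.4' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Patched release for the major line `version` belongs to; undefined for majors
// the advisory does not cover. 0.x/1.x fall under the advisory's "< 2.79.2" range.
function patchedFor(version) {
  const major = parseVersion(version)[0];
  return major > 4 ? undefined : PATCHED[Math.max(major, 2)];
}

function isVulnerableRollup(version) {
  const fixed = patchedFor(version);
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(pathKey) {
  const marker = 'node_modules/';
  return pathKey.slice(pathKey.lastIndexOf(marker) + marker.length);
}

// Which installed copy of `dep` does the package at `fromPath` load? Node walks
// up through enclosing node_modules directories; '' is the project root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Every package (root included) that declares rollup is checked against the copy
// it actually resolves to, so hoisted and nested installs are both covered.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [pathKey, meta] of Object.entries(packages)) {
    const declared = Object.assign({}, meta.dependencies, meta.devDependencies,
      meta.optionalDependencies, meta.peerDependencies);
    if (!('rollup' in declared)) continue;
    const resolved = resolveDep(packages, pathKey, 'rollup');
    if (!resolved) continue; // unmet peer dependency: nothing installed
    const version = packages[resolved].version;
    if (!isVulnerableRollup(version)) continue;
    findings.push({
      dependent: pathKey === '' ? '.' : packageName(pathKey),
      installedAt: resolved, version, fixed: patchedFor(version),
    });
  }
  // Overrides stay within the major the dependent already accepts (^fixed) to
  // limit breakage. A vulnerable direct dependency ('.') is bumped in
  // package.json itself: npm rejects an override that conflicts with a direct spec.
  const overrides = {};
  for (const f of findings) {
    if (f.dependent !== '.') overrides[f.dependent] = { rollup: `^${f.fixed}` };
  }
  return { findings, overrides };
}

// Constructed lockfile excerpt for the demo (not from a real install): rollup
// 4.21.1 hoisted at top level, an older 2.x copy nested under workbox-build.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', devDependencies: { 'workbox-build': '^7.1.0', rollup: '^4.21.1' } },
    'node_modules/rollup': { version: '4.21.1' },
    'node_modules/workbox-build': { version: '7.1.0',
      dependencies: { '@rollup/plugin-babel': '^5.2.0', '@rollup/plugin-replace': '^2.4.1', rollup: '^2.43.1' } },
    'node_modules/workbox-build/node_modules/rollup': { version: '2.79.1' },
    'node_modules/@rollup/plugin-babel': { version: '5.3.1', peerDependencies: { rollup: '^1.20.0||^2.0.0' } },
    'node_modules/@rollup/plugin-replace': { version: '2.4.2', peerDependencies: { rollup: '^1.20.0||^2.0.0' } },
    'node_modules/already-patched': { version: '1.0.0', dependencies: { rollup: '^3.29.5' } },
    'node_modules/already-patched/node_modules/rollup': { version: '3.29.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const { findings, overrides } = auditLockfile(SAMPLE_LOCK);
  for (const f of findings) console.log(`${f.dependent} -> ${f.installedAt}@${f.version} (patched: ${f.fixed})`);
  console.log(JSON.stringify({ overrides }, null, 2));
}
```

Against the sample lockfile, the top-level 4.21.1 is reported for the root project and for both @rollup plugins (they resolve to the hoisted copy), while workbox-build is reported for its own nested 2.79.1. The root finding is not turned into an override because the fix there is to bump the devDependency directly; the three other dependents get `^2.79.2` or `^4.22.4`, which keeps each within the major it already accepts. As qwertychouskie notes, overrides still need a test run before they go to production.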