vite-pwa / vite-plugin-pwa

Zero-config PWA for Vite
https://vite-pwa-org.netlify.app/
MIT License

fix!: Rollup build XSS vulnerability (CVE-2024-43788) #759

Closed userquin closed 1 week ago

userquin commented 2 months ago

Description

This PR removes Rollup from dependencies, using the exported types from Vite.

This is breaking since we need Vite 4.2.0+ to re-use exported Rollup types included in this PR https://github.com/vitejs/vite/pull/12316 (included in Vite 4.2.0-beta.2 (2023-03-13)).

This PR doesn't solve CVE-2024-43788, since workbox-build and Vite have the same problem as pointed out in the linked issue; the consumer should use overrides, resolutions or pnpm.overrides to override the Rollup version.

Once Vite and workbox-build fix the vulnerability the PWA plugin should be ready.

superseded by #781

Linked Issues

closes #758

Additional Context

This PR may or may not work when overriding Rollup 4.22.4:


[!TIP] The author of this PR can publish a preview release by commenting /publish below.
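An added check for the override advice above (example code, not part of this PR or of the vite-plugin-pwa project): scan a package-lock.json for any copy of Rollup, top-level or nested under a dependency, that is still below the patched release. The fixed versions 4.22.4 (4.x) and 3.29.5 (3.x) come from the Rollup advisory for CVE-2024-43788; the lockfile contents and install paths are constructed.

```python
"""Constructed example: flag Rollup copies in a package-lock.json that are
still below the release fixing CVE-2024-43788 (not vite-plugin-pwa code)."""
import json
import sys

# Patched releases per major line, from the Rollup advisory for CVE-2024-43788.
# Rollup 2.x and older received no fix, so any such copy is reported.
FIXED = {4: (4, 22, 4), 3: (3, 29, 5)}


def is_vulnerable(version: str) -> bool:
    """True if this Rollup version predates the fix for its major line."""
    core, _, pre = version.partition("-")          # split off pre-release tag
    parsed = tuple(int(p) for p in core.split("+")[0].split("."))
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return True
    # A pre-release of the fixed version (e.g. 4.22.4-beta.1) precedes the fix.
    return parsed < fixed or (parsed == fixed and bool(pre))


def find_vulnerable_rollup(lock: dict) -> dict:
    """Return {install path: version} for every top-level or nested Rollup
    copy below the fix. Reads lockfileVersion 2/3 'packages' entries."""
    hits = {}
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/rollup") and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits[path] = meta["version"]
    return hits


# Constructed lockfile: the override fixed the top-level copy, but two
# transitive copies (hypothetical paths) were left behind.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app"},
        "node_modules/rollup": {"version": "4.22.4"},
        "node_modules/vite-plugin-pwa/node_modules/rollup": {"version": "4.21.0"},
        "node_modules/workbox-build/node_modules/rollup": {"version": "2.79.1"},
    },
}

if __name__ == "__main__":
    # Pass a real lockfile path to scan it; without one, scan the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, version in find_vulnerable_rollup(lock).items():
        print(f"{path}: rollup {version} is below the fixed release")
```

Run it against the project's own package-lock.json after adding the override; an empty result means every copy in the tree, including those pulled in transitively, is at or above the fix.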

netlify[bot] commented 2 months ago

Deploy Preview for vite-plugin-pwa-legacy ready!

Latest commit: 71ddc247b70d5ab54b8b86e86c377045a624fad3
Latest deploy log: https://app.netlify.com/sites/vite-plugin-pwa-legacy/deploys/66f2ffa3e0c7300008b044af
Deploy Preview: https://deploy-preview-759--vite-plugin-pwa-legacy.netlify.app

pkg-pr-new[bot] commented 2 months ago

pnpm add https://pkg.pr.new/vite-plugin-pwa@759

commit: 71ddc24

leeobrum commented 1 month ago

When will this update work?

userquin commented 1 month ago

Check https://github.com/vite-pwa/vite-plugin-pwa/issues/758#issuecomment-2385354781 (I need to do some final tests)

userquin commented 1 month ago

This workbox PR is merged but not yet released: https://github.com/GoogleChrome/workbox/pull/3359

I guess we don't need this PR, we can just update Rollup version.

userquin commented 1 week ago

Dropping support for vite 3 seems a bit drastic to me. 👀

Tested this new PR with Vite 3.2.1 and it is working: https://github.com/vite-pwa/vite-plugin-pwa/pull/781

userquin commented 1 week ago

superseded by #781