
Update rollup to latest version from 2.79.1 to 4.21.1 #3347

Open
neelrocketbots opened this issue Aug 29, 2024 · 3 comments

Comments

@neelrocketbots

The rollup dependency is quite behind and requires an update. Since it's in devDependencies, not peerDependencies, it affects the package-lock.json, causing versioning conflicts.

@MCW77

MCW77 commented Sep 13, 2024

+1

@qwertychouskie

This is now the subject of an 8.3 score CVE: GHSA-gcx4-mw62-g8wm

For now, this is my overrides list in package.json:

  "overrides": {
    "svgo": {
      "nth-check": ">=2.0.2"
    },
    "react-scripts": {
      "postcss": ">=8.4.31",
      "workbox-webpack-plugin": ">=7.1.0"
    },
    "workbox-build": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-babel": {
      "rollup": ">=3.29.5"
    },
    "@rollup/plugin-replace": {
      "rollup": ">=3.29.5"
    }
  },

I haven't seen any obvious breakages, but please test this before blindly using it in prod.

@tajirhas9

As mentioned by @qwertychouskie, rollup versions >= 4.0.0 and < 4.22.4 are subject to an 8.3-score CVE: GHSA-gcx4-mw62-g8wm.
So, instead of updating to rollup version 4.21.1, 4.22.4 should be used, as version 4.22.4 contains the patch for the mentioned vulnerability.
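The two comments above give the pieces a maintainer needs to check a tree: the nested rollup copies that an `overrides` block has to pin, and the version boundaries below which a copy is still affected. The following script is an added example, not code from this thread or from the project, that walks a `package-lock.json` (the lockfileVersion 2/3 `packages` map), reports every rollup copy that is still unpatched together with its parent package, and emits an `overrides` object in the same shape as the list posted above. The boundaries are taken from the thread (3.29.5 from the overrides, 4.22.4 from the last comment); treating exactly `3.29.5 <= v < 4.0.0` or `v >= 4.22.4` as patched is this example's assumption, and the sample lock file is constructed for illustration.

```javascript
// Added example (not from the issue thread or the project): audit a
// package-lock.json for rollup copies outside the patched ranges discussed
// above and derive the "overrides" block that pins them. Node built-ins only.
"use strict";

// Boundaries as stated in the thread: 3.29.5 for the 3.x line (the posted
// overrides) and 4.22.4 for the 4.x line (last comment). Treating everything
// else as unpatched is an assumption made for this check.
const PATCHED_3X = "3.29.5";
const FIRST_4X = "4.0.0";
const PATCHED_4X = "4.22.4";

// Minimal semver-core parser: major.minor.patch only, prerelease tags ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare (so 4.22.4 > 4.9.9, unlike a string compare). Returns -1/0/1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Patched if 3.29.5 <= v < 4.0.0 or v >= 4.22.4 (assumption, see above).
function isRollupPatched(version) {
  const ge = (x, y) => compareVersions(x, y) >= 0;
  const lt = (x, y) => compareVersions(x, y) < 0;
  return (ge(version, PATCHED_3X) && lt(version, FIRST_4X)) || ge(version, PATCHED_4X);
}

// Walk the "packages" map and report every rollup copy that is unpatched,
// with the nearest parent package so the finding maps onto an override key.
function findUnpatchedRollup(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/rollup")) continue;
    // "node_modules/workbox-build/node_modules/rollup" -> ["workbox-build", "rollup"]
    const chain = path.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean);
    const parent = chain.length >= 2 ? chain[chain.length - 2] : null;
    if (!isRollupPatched(entry.version)) {
      findings.push({ path, version: entry.version, parent });
    }
  }
  return findings;
}

// Build the "overrides" object: a nested copy is pinned under its parent
// package (like the list posted above), a direct copy at the top level.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) {
    const range = compareVersions(f.version, FIRST_4X) < 0 ? `>=${PATCHED_3X}` : `>=${PATCHED_4X}`;
    if (f.parent) {
      overrides[f.parent] = { ...(overrides[f.parent] || {}), rollup: range };
    } else {
      overrides.rollup = range;
    }
  }
  return overrides;
}

// Constructed sample lock file (not a real project's): one direct 4.21.1 copy,
// one 2.79.1 copy under workbox-build, one already-patched copy under a plugin.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/rollup": { version: "4.21.1" },
    "node_modules/workbox-build": { version: "6.6.0" },
    "node_modules/workbox-build/node_modules/rollup": { version: "2.79.1" },
    "node_modules/@rollup/plugin-babel": { version: "5.3.1" },
    "node_modules/@rollup/plugin-babel/node_modules/rollup": { version: "4.22.4" },
  },
};

function auditSample() {
  const findings = findUnpatchedRollup(SAMPLE_LOCK);
  return { findings, overrides: buildOverrides(findings) };
}

// Run directly: node audit-rollup.js ./package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const findings = findUnpatchedRollup(lock);
  console.log(JSON.stringify({ findings, overrides: buildOverrides(findings) }, null, 2));
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, compareVersions, isRollupPatched, findUnpatchedRollup, buildOverrides, auditSample };
}
```

On the sample the script flags the direct 4.21.1 copy and the 2.79.1 copy under workbox-build, and suggests `"rollup": ">=4.22.4"` at the top level plus `"workbox-build": { "rollup": ">=3.29.5" }`. After applying overrides and reinstalling, rerun the script against the regenerated lock file (or `npm ls rollup`) to confirm no unpatched copy remains, since an override only takes effect once the lock file is rebuilt.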

No branches or pull requests

4 participants