Merge branch 'master' of https://github.com/rollup/rollup into sync-79c0aba3

Author: docschina-bot

CHANGELOG.md

@@ -1,5 +1,30 @@
 # rollup changelog
 
+## 4.22.4
+
+_2024-09-21_
+
+### Bug Fixes
+
+- Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)
+
+### Pull Requests
+
+- [#5670](https://github.com/rollup/rollup/pull/5670): refactor: Use object.prototype to check for reserved properties (@YuHyeonWook)
+- [#5671](https://github.com/rollup/rollup/pull/5671): Fix DOM Clobbering CVE (@lukastaegert)
+
+## 4.22.3
+
+_2024-09-21_
+
+### Bug Fixes
+
+- Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)
+
+### Pull Requests
+
+- [#5669](https://github.com/rollup/rollup/pull/5669): Ensure impure dependencies of pure modules are added (@lukastaegert)
+
 ## 4.22.2
 
 _2024-09-20_

browser/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rollup/browser",
-  "version": "4.22.2",
+  "version": "4.22.4",
   "description": "Next-generation ES module bundler browser build",
   "main": "dist/rollup.browser.js",
   "module": "dist/es/rollup.browser.js",

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "rollup",
-  "version": "4.22.2",
+  "version": "4.22.4",
   "description": "Next-generation ES module bundler",
   "main": "dist/rollup.js",
   "module": "dist/es/rollup.js",

package.json

@@ -10,7 +10,6 @@ import type {
 	NormalizedOutputOptions,
 	OutputBundle
 } from './rollup/types';
-import type { PluginDriver } from './utils/PluginDriver';
 import { getChunkAssignments } from './utils/chunkAssignment';
 import commondir from './utils/commondir';
 import { sortByExecutionOrder } from './utils/executionOrder';
@@ -28,6 +27,7 @@ import type { OutputBundleWithPlaceholders } from './utils/outputBundle';
 import { getOutputBundle, removeUnreferencedAssets } from './utils/outputBundle';
 import { parseAst } from './utils/parseAst';
 import { isAbsolute } from './utils/path';
+import type { PluginDriver } from './utils/PluginDriver';
 import { renderChunks } from './utils/renderChunks';
 import { timeEnd, timeStart } from './utils/timers';
 import {

src/Bundle.ts

@@ -1,8 +1,5 @@
 import MagicString, { Bundle as MagicStringBundle, type SourceMap } from 'magic-string';
 import { relative } from '../browser/src/path';
-import ExternalChunk from './ExternalChunk';
-import ExternalModule from './ExternalModule';
-import Module from './Module';
 import ExportDefaultDeclaration from './ast/nodes/ExportDefaultDeclaration';
 import FunctionDeclaration from './ast/nodes/FunctionDeclaration';
 import type ImportExpression from './ast/nodes/ImportExpression';
@@ -13,7 +10,10 @@ import LocalVariable from './ast/variables/LocalVariable';
 import NamespaceVariable from './ast/variables/NamespaceVariable';
 import SyntheticNamedExportVariable from './ast/variables/SyntheticNamedExportVariable';
 import type Variable from './ast/variables/Variable';
+import ExternalChunk from './ExternalChunk';
+import ExternalModule from './ExternalModule';
 import finalisers from './finalisers/index';
+import Module from './Module';
 import type {
 	GetInterop,
 	GlobalsOption,
@@ -26,7 +26,6 @@ import type {
 	RenderedChunk,
 	RenderedModule
 } from './rollup/types';
-import type { PluginDriver } from './utils/PluginDriver';
 import { createAddons } from './utils/addons';
 import { deconflictChunk, type DependenciesToBeDeconflicted } from './utils/deconflictChunk';
 import { escapeId } from './utils/escapeId';
@@ -58,6 +57,7 @@ import {
 import type { OutputBundleWithPlaceholders } from './utils/outputBundle';
 import { FILE_PLACEHOLDER } from './utils/outputBundle';
 import { basename, extname, isAbsolute, normalize, resolve } from './utils/path';
+import type { PluginDriver } from './utils/PluginDriver';
 import { getAliasName, getImportPath } from './utils/relativeId';
 import type { RenderOptions } from './utils/renderHelpers';
 import { makeUnique, renderNamePattern } from './utils/renderNamePattern';

src/Chunk.ts

@@ -172,6 +172,7 @@ export default class Graph {
 				this.needsTreeshakingPass = false;
 				for (const module of this.modules) {
 					if (module.isExecuted) {
+						module.hasTreeShakingPassStarted = true;
 						if (module.info.moduleSideEffects === 'no-treeshake') {
 							module.includeAllInBundle();
 						} else {

src/Graph.ts

@@ -220,6 +220,7 @@ export default class Module {
 	readonly dynamicImports: DynamicImport[] = [];
 	excludeFromSourcemap: boolean;
 	execIndex = Infinity;
+	hasTreeShakingPassStarted = false;
 	readonly implicitlyLoadedAfter = new Set<Module>();
 	readonly implicitlyLoadedBefore = new Set<Module>();
 	readonly importDescriptions = new Map<string, ImportDescription>();

src/Module.ts

@@ -5,6 +5,7 @@ import { BLANK } from '../../utils/blank';
 import { logIllegalImportReassignment } from '../../utils/logs';
 import { PureFunctionKey } from '../../utils/pureFunctions';
 import type { NodeRenderOptions, RenderOptions } from '../../utils/renderHelpers';
+import { markModuleAndImpureDependenciesAsExecuted } from '../../utils/traverseStaticDependencies';
 import type { DeoptimizableEntity } from '../DeoptimizableEntity';
 import type { HasEffectsContext, InclusionContext } from '../ExecutionContext';
 import type { NodeInteraction, NodeInteractionCalled } from '../NodeInteractions';
@@ -220,9 +221,10 @@ export default class Identifier extends NodeBase implements PatternNode {
 				this.variable instanceof LocalVariable &&
 				this.variable.kind &&
 				tdzVariableKinds.has(this.variable.kind) &&
-				// we ignore possible TDZs due to circular module dependencies as
-				// otherwise we get many false positives
-				this.variable.module === this.scope.context.module
+				// We ignore modules that did not receive a treeshaking pass yet as that
+				// causes many false positives due to circular dependencies or disabled
+				// moduleSideEffects.
+				this.variable.module.hasTreeShakingPassStarted
 			)
 		) {
 			return (this.isTDZAccess = false);
@@ -241,9 +243,7 @@ export default class Identifier extends NodeBase implements PatternNode {
 			return (this.isTDZAccess = true);
 		}
 
-		// We ignore the case where the module is not yet executed because
-		// moduleSideEffects are false.
-		if (!this.variable.initReached && this.scope.context.module.isExecuted) {
+		if (!this.variable.initReached) {
 			// Either a const/let TDZ violation or
 			// var use before declaration was encountered.
 			return (this.isTDZAccess = true);
@@ -294,6 +294,12 @@ export default class Identifier extends NodeBase implements PatternNode {
 	protected applyDeoptimizations(): void {
 		this.deoptimized = true;
 		if (this.variable instanceof LocalVariable) {
+			// When accessing a variable from a module without side effects, this
+			// means we use an export of that module and therefore need to potentially
+			// include it in the bundle.
+			if (!this.variable.module.isExecuted) {
+				markModuleAndImpureDependenciesAsExecuted(this.variable.module);
+			}
 			this.variable.consolidateInitializers();
 			this.scope.context.requestTreeshakingPass();
 		}

src/ast/nodes/Identifier.ts

@@ -1,10 +1,10 @@
 import type MagicString from 'magic-string';
 import type { InternalModuleFormat } from '../../rollup/types';
-import type { PluginDriver } from '../../utils/PluginDriver';
 import { escapeId } from '../../utils/escapeId';
 import type { GenerateCodeSnippets } from '../../utils/generateCodeSnippets';
 import { DOCUMENT_CURRENT_SCRIPT } from '../../utils/interopHelpers';
 import { dirname, normalize, relative } from '../../utils/path';
+import type { PluginDriver } from '../../utils/PluginDriver';
 import type { RenderOptions } from '../../utils/renderHelpers';
 import type { NodeInteraction } from '../NodeInteractions';
 import { INTERACTION_ACCESSED } from '../NodeInteractions';
@@ -158,7 +158,7 @@ const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
 	getResolveUrl(
 		`'${escapeId(relativePath)}', ${
 			umd ? `typeof document === 'undefined' ? location.href : ` : ''
-		}document.currentScript && document.currentScript.src || document.baseURI`
+		}document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`
 	);
 
 const getGenericImportMetaMechanism =
@@ -180,7 +180,7 @@ const getFileUrlFromRelativePath = (path: string) =>
 const getUrlFromDocument = (chunkId: string, umd = false) =>
 	`${
 		umd ? `typeof document === 'undefined' ? location.href : ` : ''
-	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
+	}(${DOCUMENT_CURRENT_SCRIPT} && ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' && ${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(
 		chunkId
 	)}', document.baseURI).href)`;