[Security] Bump rollup and @sentry/nextjs
Bumps rollup to 3.29.5 and updates ancestor dependency @sentry/nextjs. These dependencies need to be updated together.
Updates rollup from 3.29.4 to 3.29.5. This update includes a security fix.
Vulnerabilities fixed
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Summary
We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use import.meta.url or with plugins that emit and reference asset files from code in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. It's worth noting that we've identified similar issues in other popular bundlers like Webpack (CVE-2024-43788), which might serve as a good reference.
Details
Background
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. For more information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadget found in rollup
We have identified a DOM Clobbering vulnerability in rollup bundled scripts, particularly when the scripts use import.meta and set the output format to cjs/umd/iife. In such cases, rollup replaces the meta property with the URL retrieved from document.currentScript.
... (truncated)
Patched versions: 3.29.5 Affected versions: >= 3.0.0, < 3.29.5
Changelog
Sourced from rollup's changelog.
rollup changelog
4.22.4
2024-09-21
Bug Fixes
- Fix a vulnerability in generated code that affects IIFE, UMD and CJS bundles when run in a browser context (#5671)
Pull Requests
- #5670: refactor: Use object.prototype to check for reserved properties (@YuHyeonWook)
- #5671: Fix DOM Clobbering CVE (@lukastaegert)
4.22.3
2024-09-21
Bug Fixes
- Ensure that mutations in modules without side effects are observed while properly handling transitive dependencies (#5669)
Pull Requests
- #5669: Ensure impure dependencies of pure modules are added (@lukastaegert)
4.22.2
2024-09-20
Bug Fixes
- Revert fix for side effect free modules until other issues are investigated (#5667)
Pull Requests
- #5667: Partially revert #5658 and re-apply #5644 (@lukastaegert)
4.22.1
2024-09-20
Bug Fixes
- Revert #5644 "stable chunk hashes" while issues are being investigated
Pull Requests
- #5663: chore(deps): update dependency inquirer to v11 (@renovate[bot], @lukastaegert)
... (truncated)
Commits
- dfd233d 3.29.5
- 2ef77c0 Fix DOM Clobbering CVE
- See full diff in compare view
Updates @sentry/nextjs from 8.30.0 to 8.32.0
Release notes
Sourced from @sentry/nextjs's releases.
8.32.0
Important Changes
- ref(browser): Move navigation span descriptions into op (#13527)
  Moves the description of navigation related browser spans into the op, e.g. browser - cache -> browser.cache and sets the description to the performanceEntry objects' names (in this context it is the URL of the page).
- feat(node): Add amqplibIntegration (#13714)
- feat(nestjs): Add SentryGlobalGenericFilter and allow specifying application ref in global filter (#13673)
  Adds a SentryGlobalGenericFilter that filters both graphql and http exceptions depending on the context.
- feat: Set log level for Fetch/XHR breadcrumbs based on status code (#13711)
  Sets log levels in breadcrumbs for 5xx to error and 4xx to warning.
Other Changes
- chore(nextjs): Bump rollup to 3.29.5 (#13761)
- fix(core): Remove sampled flag from dynamic sampling context in Tracing without Performance mode (#13753)
- fix(node): Ensure node-fetch does not emit spans without tracing (#13765)
- fix(nuxt): Use Nuxt error hooks instead of errorHandler to prevent 500 (#13748)
- fix(test): Unflake LCP test (#13741)
Work in this release was contributed by @Zen-cronic and @Sjoertjuh. Thank you for your contributions!
Bundle size
Path | Size
@sentry/browser | 22.63 KB
@sentry/browser - with treeshaking flags | 21.42 KB
@sentry/browser (incl. Tracing) | 34.86 KB
@sentry/browser (incl. Tracing, Replay) | 71.36 KB
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 61.79 KB
@sentry/browser (incl. Tracing, Replay with Canvas) | 75.71 KB
@sentry/browser (incl. Tracing, Replay, Feedback) | 88.48 KB
@sentry/browser (incl. Tracing, Replay, Feedback, metrics) | 90.36 KB
@sentry/browser (incl. metrics) | 26.91 KB
@sentry/browser (incl. Feedback) | 39.77 KB
@sentry/browser (incl. sendFeedback) | 27.29 KB
@sentry/browser (incl. FeedbackAsync) | 32.08 KB
@sentry/react | 25.38 KB
@sentry/react (incl. Tracing) | 37.84 KB
@sentry/vue | 26.8 KB
@sentry/vue (incl. Tracing) | 36.75 KB
@sentry/svelte | 22.76 KB
CDN Bundle | 23.94 KB
... (truncated)
Changelog
Sourced from @sentry/nextjs's changelog.
8.32.0
Important Changes
- ref(browser): Move navigation span descriptions into op (#13527)
  Moves the description of navigation related browser spans into the op, e.g. browser - cache -> browser.cache and sets the description to the performanceEntry objects' names (in this context it is the URL of the page).
- feat(node): Add amqplibIntegration (#13714)
- feat(nestjs): Add SentryGlobalGenericFilter and allow specifying application ref in global filter (#13673)
  Adds a SentryGlobalGenericFilter that filters both graphql and http exceptions depending on the context.
- feat: Set log level for Fetch/XHR breadcrumbs based on status code (#13711)
  Sets log levels in breadcrumbs for 5xx to error and 4xx to warning.
Other Changes
- chore(nextjs): Bump rollup to 3.29.5 (#13761)
- fix(core): Remove sampled flag from dynamic sampling context in Tracing without Performance mode (#13753)
- fix(node): Ensure node-fetch does not emit spans without tracing (#13765)
- fix(nuxt): Use Nuxt error hooks instead of errorHandler to prevent 500 (#13748)
- fix(test): Unflake LCP test (#13741)
Work in this release was contributed by @Zen-cronic and @Sjoertjuh. Thank you for your contributions!
8.31.0
Important Changes
- feat(node): Add dataloader integration (#13664)
  This release adds a new integration for the dataloader package. The Node SDK (and all SDKs that depend on it) will now automatically instrument dataloader instances. You can also add it manually:
  Sentry.init({ integrations: [Sentry.dataloaderIntegration()], });
... (truncated)
Commits
- f1a8bea release: 8.32.0
- ae901c3 Merge pull request #13770 from getsentry/prepare-release/8.32.0
- 0a21708 meta(changelog): Update changelog for 8.32.0
- efd7a70 docs: Fix changelog (#13786)
- 0aac3c6 Merge pull request #13772 from getsentry/fn/manual-sync
- 9018132 test: Unflake some node-integration-tests (#13771)
- 07d9d35 wip: add browser utils dep
- 354dcee fix(core): Remove sampled flag from dynamic sampling context in Tracing wit...
- cb7f16e ref: Add external contributor to CHANGELOG.md (#13764)
- ed150ed chore(nextjs): Bump rollup to 3.29.5 (#13761)
- Additional commits viewable in compare view
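The gadget described in the rollup advisory above, as an added example that is not part of this merge request or of rollup's own code: a stand-in for the import.meta.url helper a cjs/umd/iife bundle carries, in its vulnerable and hardened shapes, run against constructed document objects rather than a browser. The element stand-ins, the page URLs and the baseURI fallback are assumptions for illustration, and the check is the general form of the fix, not the rollup patch verbatim.

```javascript
// Added example (not rollup's or Sentry's code): a miniature stand-in for the
// import.meta.url helper in cjs/umd/iife bundles, showing why trusting
// document.currentScript without a type check is a DOM Clobbering gadget.

// Constructed stand-in for a genuine <script src="..."> element.
function scriptElement(src) {
  return { tagName: "SCRIPT", src };
}

// Constructed stand-in for attacker-controlled, scriptless markup such as
// <img name="currentScript" src="...">: on a page that renders such markup,
// the named element shadows the real document.currentScript getter.
function namedElement(tagName, src) {
  return { tagName: tagName.toUpperCase(), src };
}

// Vulnerable shape: whatever document.currentScript resolves to is trusted
// as the bundle's own URL.
function resolveMetaUrlVulnerable(doc) {
  return (doc.currentScript && doc.currentScript.src) || doc.baseURI;
}

// Hardened shape: only a real <script> element may supply the URL; anything
// else falls through to the base URI (an assumed fallback for this example).
// This is the general form of the check, not the rollup patch verbatim.
function resolveMetaUrlHardened(doc) {
  const cs = doc.currentScript;
  if (cs && typeof cs.tagName === "string" && cs.tagName.toUpperCase() === "SCRIPT" && typeof cs.src === "string") {
    return cs.src;
  }
  return doc.baseURI;
}

// Plugins that emit assets resolve them relative to import.meta.url, so a
// clobbered URL redirects every asset fetch to the attacker's origin.
function assetUrl(metaUrl, relativePath) {
  return new URL(relativePath, metaUrl).href;
}

// Constructed pages: a clean one and one carrying the clobbering markup.
const BUNDLE_SRC = "https://app.example/static/bundle.js";
const cleanDocument = { baseURI: "https://app.example/", currentScript: scriptElement(BUNDLE_SRC) };
const clobberedDocument = { baseURI: "https://app.example/", currentScript: namedElement("img", "https://evil.invalid/x.js") };

// Returns [vulnerable, hardened] resolutions for a document, for comparison.
function compare(doc) {
  return [resolveMetaUrlVulnerable(doc), resolveMetaUrlHardened(doc)];
}
```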