npm audit: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

[mozeryansky]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/nextjs

SDK Version

8.31.0

Framework Version

No response

Link to Sentry event

No response

Reproduction Example/SDK Setup

When I run npm audit the suggestion is to download Sentry.

rollup  <3.29.5
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via `npm audit fix --force`
Will install @sentry/nextjs@7.11.1, which is a breaking change
node_modules/rollup
  @sentry/nextjs  >=7.12.0
  Depends on vulnerable versions of rollup
  node_modules/@sentry/nextjs

Steps to Reproduce

1. npm i @sentry/nextjs@latest
2. npm audit

Expected Result

No security issues

Actual Result

[mozeryansky]

npm ls rollup reveals this:

└─┬ @sentry/nextjs@8.31.0
  ├─┬ @rollup/plugin-commonjs@26.0.1
  │ ├─┬ @rollup/pluginutils@5.1.2
  │ │ └── rollup@3.29.4 deduped
  │ └── rollup@3.29.4 deduped
  └── rollup@3.29.4

But "rollup" is a peer dependency in the plugins defined as: "rollup": "^2.68.0||^3.0.0||^4.0.0", so the fix should come from Sentry.

[github-actions]

A PR closing this issue has just been released 🚀

This issue was closed by PR #13761, which was included in the 8.32.0 release.