chore(deps): update dependency tsup to v8.3.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
tsup (source)	8.3.0 -> 8.3.5

---

tsup DOM Clobbering vulnerability

CVE-2024-53384 / GHSA-3mv9-4h5g-vhg3

More information

Details

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-53384
• https://gist.github.com/jackfromeast/36f98bf7542d11835c883c1d175d9b92
• https://github.com/egoist/tsup

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

egoist/tsup (tsup)

v8.3.5

Compare Source

   🐞 Bug Fixes

• Run experimentalDts only once  -  by @​aryaemami59 in https://github.com/egoist/tsup/issues/1236 (fddd4)

    View changes on GitHub

v8.3.4

Compare Source

No significant changes

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/tsup@8.3.0 ➜ 8.3.5	Transitive: environment, network, shell, unsafe	+58	9.03 MB	egoist

View full report↗︎