
Conversation

@RinZ27 (Contributor) commented Jan 8, 2026

Hi, I've updated this PR to include a fix for a potential XSS vulnerability in the idle API sample.

Key Changes:

  1. Security Hardening: Refactored api-samples/idle/history.js to replace insecure .innerHTML usage with safe DOM manipulation (textContent and replaceChildren). This mitigates potential XSS risks from untrusted data in the history log.
  2. Dependency Updates: Bumped @rollup/plugin-commonjs and @rollup/plugin-node-resolve to their latest stable versions across multiple functional samples:
    • functional-samples/ai.gemini-on-device
    • functional-samples/ai.gemini-on-device-calendar-mate
    • functional-samples/ai.gemini-on-device-summarization
    • functional-samples/libraries-xhr-in-sw

These changes ensure the samples follow modern security standards and protect against potential supply chain vulnerabilities.
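The innerHTML-to-textContent change described above, as an added example that is not the sample's own code: `renderHistoryUnsafe` shows the pattern the PR removes (string-building markup and assigning it to `innerHTML`), and `renderHistorySafe` shows the pattern it introduces (`createElement`, `textContent`, `replaceChildren`). The function names, the entry shape `{ time, state }`, and the sample entries are assumptions; `FakeElement`/`fakeDocument` are a constructed stand-in for just enough of the DOM to run the two renderers outside a browser and serialize the result, and the renderers accept the document as a parameter only so that the same code works against the real `document` in the extension popup.

```javascript
// Added example (not code from api-samples/idle/history.js): rendering a
// history log of state changes into a <ul>. Entry shape is assumed.

// Vulnerable: concatenating untrusted text into innerHTML parses it as
// markup, so an entry containing <img src=x onerror=...> becomes an element.
function renderHistoryUnsafe(container, entries) {
  container.innerHTML = entries
    .map((e) => `<li>${e.time}: ${e.state}</li>`)
    .join('');
}

// Hardened: create nodes and assign text via textContent, which never parses
// markup; replaceChildren() swaps the whole list in one step without innerHTML.
function renderHistorySafe(container, entries, doc = container.ownerDocument) {
  const items = entries.map((e) => {
    const li = doc.createElement('li');
    li.textContent = `${e.time}: ${e.state}`;
    return li;
  });
  container.replaceChildren(...items);
}

// --- Constructed DOM double (assumption: only what the renderers need) ---
// A real browser serializes text nodes with the same escaping shown here.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

class FakeElement {
  constructor(doc, tag) {
    this.ownerDocument = doc;
    this.tag = tag;
    this.children = [];  // child FakeElements set via replaceChildren
    this.text = '';      // text set via textContent (always escaped on output)
    this.rawHtml = null; // markup assigned via innerHTML (emitted unescaped)
  }
  set textContent(v) { this.text = String(v); this.children = []; this.rawHtml = null; }
  get textContent() { return this.text; }
  set innerHTML(v) { this.rawHtml = String(v); this.children = []; this.text = ''; }
  replaceChildren(...nodes) { this.children = nodes; this.text = ''; this.rawHtml = null; }
  get outerHTML() {
    const inner = this.rawHtml !== null
      ? this.rawHtml
      : escapeText(this.text) + this.children.map((c) => c.outerHTML).join('');
    return `<${this.tag}>${inner}</${this.tag}>`;
  }
}

const fakeDocument = {
  createElement(tag) { return new FakeElement(fakeDocument, tag); },
};

// Constructed sample entries; the last one carries a markup payload.
const SAMPLE_ENTRIES = [
  { time: '12:00:01', state: 'active' },
  { time: '12:05:30', state: 'idle' },
  { time: '12:06:00', state: '<img src=x onerror=alert(1)>' },
];

// Render with the given renderer and return the serialized list.
function demo(render) {
  const ul = fakeDocument.createElement('ul');
  render(ul, SAMPLE_ENTRIES);
  return ul.outerHTML;
}

console.log('unsafe:', demo(renderHistoryUnsafe));
console.log('safe:  ', demo(renderHistorySafe));
```

The unsafe renderer emits the payload as a live `<img>` element; the safe renderer emits the same bytes as escaped text (`&lt;img ...&gt;`) inside the `<li>`, which is exactly the behaviour a browser's `textContent` setter gives.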

@google-cla bot commented Jan 8, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@RinZ27 RinZ27 force-pushed the security/update-outdated-rollup-plugins branch from d25ad72 to f254339 Compare January 8, 2026 05:42
@RinZ27 RinZ27 changed the title from "security: update outdated rollup plugins to mitigate potential vulnerabilities" to "security: update rollup plugins and fix potential XSS in idle sample" Jan 8, 2026
@oliverdunk (Member) left a comment

Thanks for the contribution. Can you merge with main and remove the package updates? I'd be happy to accept the changes to avoid innerHTML, but we have Dependabot to update packages (we are a little behind on merging those PRs which I will try to do soon).

@RinZ27 (Contributor, Author) commented Jan 8, 2026

Reverted the package updates and merged main as requested. Left the innerHTML fixes as is.

@RinZ27 (Contributor, Author) commented Jan 8, 2026

Added the missing newline as requested.

@oliverdunk oliverdunk merged commit 43a7939 into GoogleChrome:main Jan 8, 2026
2 checks passed
@RinZ27 RinZ27 deleted the security/update-outdated-rollup-plugins branch January 9, 2026 12:53