chore(deps): update dependency vite to v5.4.6 [security] (#8164)

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.2` -> `5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.2/5.4.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx) ### Summary The contents of arbitrary files can be returned to the browser. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. ### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ``` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.4.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.6) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.5...v5.4.6) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) for details. ### [`v5.4.5`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.5) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.4...v5.4.5) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.5/packages/vite/CHANGELOG.md) for details. ### [`v5.4.4`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.4) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.3...v5.4.4) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.4/packages/vite/CHANGELOG.md) for details. ### [`v5.4.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small543-2024-09-03-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.2...v5.4.3) - fix: allow getting URL of JS files in publicDir ([#17915](https://redirect.github.com/vitejs/vite/issues/17915)) ([943ece1](943ece177e)), closes [#17915](https://redirect.github.com/vitejs/vite/issues/17915) - fix: cjs warning respect the logLevel flag ([#17993](https://redirect.github.com/vitejs/vite/issues/17993)) ([dc3c14f](dc3c14f39f)), closes [#17993](https://redirect.github.com/vitejs/vite/issues/17993) - fix: improve CJS warning trace information ([#17926](https://redirect.github.com/vitejs/vite/issues/17926)) ([5c5f82c](5c5f82c84b)), closes [#17926](https://redirect.github.com/vitejs/vite/issues/17926) - fix: only remove entry assets handled by Vite core ([#17916](https://redirect.github.com/vitejs/vite/issues/17916)) ([ebfaa7e](ebfaa7e601)), closes [#17916](https://redirect.github.com/vitejs/vite/issues/17916) - fix: waitForRequestIdle locked ([#17982](https://redirect.github.com/vitejs/vite/issues/17982)) ([ad13760](ad1376018a)), closes [#17982](https://redirect.github.com/vitejs/vite/issues/17982) - fix(css): fix directory index import in sass modern api ([#17960](https://redirect.github.com/vitejs/vite/issues/17960)) ([9b001ba](9b001baa70)), closes [#17960](https://redirect.github.com/vitejs/vite/issues/17960) - fix(css): fix sass `file://` reference ([#17909](https://redirect.github.com/vitejs/vite/issues/17909)) ([561b940](561b940f6f)), closes [#17909](https://redirect.github.com/vitejs/vite/issues/17909) - fix(css): fix sass modern source map ([#17938](https://redirect.github.com/vitejs/vite/issues/17938)) ([d428e7e](d428e7e3a0)), closes [#17938](https://redirect.github.com/vitejs/vite/issues/17938) - fix(deps): bump tsconfck ([#17990](https://redirect.github.com/vitejs/vite/issues/17990)) ([8c661b2](8c661b20e9)), closes [#17990](https://redirect.github.com/vitejs/vite/issues/17990) - fix(html): rewrite assets url in <template> ([#17988](https://redirect.github.com/vitejs/vite/issues/17988)) ([413c86a](413c86aa97)), closes [#17988](https://redirect.github.com/vitejs/vite/issues/17988) - fix(preload): add crossorigin attribute in CSS link tags ([#17930](https://redirect.github.com/vitejs/vite/issues/17930)) ([15871c7](15871c75e0)), closes [#17930](https://redirect.github.com/vitejs/vite/issues/17930) - chore: reduce diffs with v6 branch ([#17942](https://redirect.github.com/vitejs/vite/issues/17942)) ([bf9065a](bf9065aa13)), closes [#17942](https://redirect.github.com/vitejs/vite/issues/17942) - chore(deps): update all non-major dependencies ([#17945](https://redirect.github.com/vitejs/vite/issues/17945)) ([cfb621e](cfb621e7a5)), closes [#17945](https://redirect.github.com/vitejs/vite/issues/17945) - chore(deps): update all non-major dependencies ([#17991](https://redirect.github.com/vitejs/vite/issues/17991)) ([0ca53cf](0ca53cff9f)), closes [#17991](https://redirect.github.com/vitejs/vite/issues/17991) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-10-27 11:02:16 +01:00 · 2024-09-17 19:55:41 +00:00 · 2024-09-17 19:55:41 +00:00 · 011ebe2f79
commit 011ebe2f79
parent f5fd42d966
2 changed files with 29 additions and 15 deletions
--- a/frontend/package.json
+++ b/frontend/package.json
@ -117,7 +117,7 @@
    "typescript": "5.4.5",
    "use-query-params": "^2.2.1",
    "vanilla-jsoneditor": "^0.23.0",
-    "vite": "5.4.2",
+    "vite": "5.4.6",
    "vite-plugin-env-compatible": "2.0.1",
    "vite-plugin-svgr": "3.3.0",
    "vite-tsconfig-paths": "4.3.2",
@ -131,7 +131,7 @@
    "@codemirror/state": "6.4.1",
    "@xmldom/xmldom": "^0.9.0",
    "json5": "^2.2.2",
-    "vite": "5.4.2",
+    "vite": "5.4.6",
    "semver": "7.6.3",
    "ws": "^8.18.0",
    "@types/react": "18.3.5"
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@ -7848,6 +7848,13 @@ __metadata:
  languageName: node
  linkType: hard

+"picocolors@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "picocolors@npm:1.1.0"
+  checksum: 10c0/86946f6032148801ef09c051c6fb13b5cf942eaf147e30ea79edb91dd32d700934edebe782a1078ff859fb2b816792e97ef4dab03d7f0b804f6b01a0df35e023
+  languageName: node
+  linkType: hard
+
 "picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
  version: 2.3.1
  resolution: "picomatch@npm:2.3.1"
@ -7908,14 +7915,14 @@ __metadata:
  languageName: node
  linkType: hard

-"postcss@npm:^8.4.41":
-  version: 8.4.45
-  resolution: "postcss@npm:8.4.45"
+"postcss@npm:^8.4.43":
+  version: 8.4.47
+  resolution: "postcss@npm:8.4.47"
  dependencies:
    nanoid: "npm:^3.3.7"
-    picocolors: "npm:^1.0.1"
-    source-map-js: "npm:^1.2.0"
-  checksum: 10c0/ad6f8b9b1157d678560373696109745ab97a947d449f8a997acac41c7f1e4c0f3ca4b092d6df1387f430f2c9a319987b1780dbdc27e35800a88cde9b606c1e8f
+    picocolors: "npm:^1.1.0"
+    source-map-js: "npm:^1.2.1"
+  checksum: 10c0/929f68b5081b7202709456532cee2a145c1843d391508c5a09de2517e8c4791638f71dd63b1898dba6712f8839d7a6da046c72a5e44c162e908f5911f57b5f44
  languageName: node
  linkType: hard

@ -8915,13 +8922,20 @@ __metadata:
  languageName: node
  linkType: hard

-"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1, source-map-js@npm:^1.2.0":
+"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1":
  version: 1.2.0
  resolution: "source-map-js@npm:1.2.0"
  checksum: 10c0/7e5f896ac10a3a50fe2898e5009c58ff0dc102dcb056ed27a354623a0ece8954d4b2649e1a1b2b52ef2e161d26f8859c7710350930751640e71e374fe2d321a4
  languageName: node
  linkType: hard

+"source-map-js@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "source-map-js@npm:1.2.1"
+  checksum: 10c0/7bda1fc4c197e3c6ff17de1b8b2c20e60af81b63a52cb32ec5a5d67a20a7d42651e2cb34ebe93833c5a2a084377e17455854fee3e21e7925c64a51b6a52b0faf
+  languageName: node
+  linkType: hard
+
 "source-map@npm:^0.5.7":
  version: 0.5.7
  resolution: "source-map@npm:0.5.7"
@ -9801,7 +9815,7 @@ __metadata:
    typescript: "npm:5.4.5"
    use-query-params: "npm:^2.2.1"
    vanilla-jsoneditor: "npm:^0.23.0"
-    vite: "npm:5.4.2"
+    vite: "npm:5.4.6"
    vite-plugin-env-compatible: "npm:2.0.1"
    vite-plugin-svgr: "npm:3.3.0"
    vite-tsconfig-paths: "npm:4.3.2"
@ -10063,13 +10077,13 @@ __metadata:
  languageName: node
  linkType: hard

-"vite@npm:5.4.2":
-  version: 5.4.2
-  resolution: "vite@npm:5.4.2"
+"vite@npm:5.4.6":
+  version: 5.4.6
+  resolution: "vite@npm:5.4.6"
  dependencies:
    esbuild: "npm:^0.21.3"
    fsevents: "npm:~2.3.3"
-    postcss: "npm:^8.4.41"
+    postcss: "npm:^8.4.43"
    rollup: "npm:^4.20.0"
  peerDependencies:
    "@types/node": ^18.0.0 || >=20.0.0
@ -10102,7 +10116,7 @@ __metadata:
      optional: true
  bin:
    vite: bin/vite.js
-  checksum: 10c0/23e347ca8aa6f0a774227e4eb7abae228f12c6806a727b046aa75e7ee37ffc2d68cff74360e12a42c347f79adc294e2363bc723b957bf4b382b5a8fb39e4df9d
+  checksum: 10c0/5f87be3a10e970eaf9ac52dfab39cf9fff583036685252fb64570b6d7bfa749f6d221fb78058f5ef4b5664c180d45a8e7a7ff68d7f3770e69e24c7c68b958bde
  languageName: node
  linkType: hard