mirror of
https://github.com/Unleash/unleash.git
synced 2025-09-05 17:53:12 +02:00
chore(deps): update dependency vite to v5.4.16 [security] (#9666)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.15` -> `5.4.16`](https://renovatebot.com/diffs/npm/vite/5.4.15/5.4.16) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@​fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.4.16`](https://redirect.github.com/vitejs/vite/compare/v5.4.15...v5.4.16) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.15...v5.4.16) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMjcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjIyNy4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
parent
096e466148
commit
097c83edfb
@ -120,7 +120,7 @@
|
||||
"typescript": "5.4.5",
|
||||
"use-query-params": "^2.2.1",
|
||||
"vanilla-jsoneditor": "^0.23.0",
|
||||
"vite": "5.4.15",
|
||||
"vite": "5.4.16",
|
||||
"vite-plugin-env-compatible": "2.0.1",
|
||||
"vite-plugin-svgr": "3.3.0",
|
||||
"vite-tsconfig-paths": "4.3.2",
|
||||
@ -132,7 +132,7 @@
|
||||
"@xmldom/xmldom": "^0.9.0",
|
||||
"jsonpath-plus": "10.3.0",
|
||||
"json5": "^2.2.2",
|
||||
"vite": "5.4.15",
|
||||
"vite": "5.4.16",
|
||||
"semver": "7.7.1",
|
||||
"ws": "^8.18.0",
|
||||
"@types/react": "18.3.18"
|
||||
|
@ -10175,7 +10175,7 @@ __metadata:
|
||||
typescript: "npm:5.4.5"
|
||||
use-query-params: "npm:^2.2.1"
|
||||
vanilla-jsoneditor: "npm:^0.23.0"
|
||||
vite: "npm:5.4.15"
|
||||
vite: "npm:5.4.16"
|
||||
vite-plugin-env-compatible: "npm:2.0.1"
|
||||
vite-plugin-svgr: "npm:3.3.0"
|
||||
vite-tsconfig-paths: "npm:4.3.2"
|
||||
@ -10448,9 +10448,9 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"vite@npm:5.4.15":
|
||||
version: 5.4.15
|
||||
resolution: "vite@npm:5.4.15"
|
||||
"vite@npm:5.4.16":
|
||||
version: 5.4.16
|
||||
resolution: "vite@npm:5.4.16"
|
||||
dependencies:
|
||||
esbuild: "npm:^0.21.3"
|
||||
fsevents: "npm:~2.3.3"
|
||||
@ -10487,7 +10487,7 @@ __metadata:
|
||||
optional: true
|
||||
bin:
|
||||
vite: bin/vite.js
|
||||
checksum: 10c0/f8a4893bf9d57fe3ded6dc0a2278e8ded707fc9cf38d5a3255fe3caaeea41c52f29bf4deb5e85c9e8dbc8848e9046a7306727ca3fb7b67847d75ee2f2afda5e5
|
||||
checksum: 10c0/10faad2614c24a4ff65a680acfe9f71a90eba6c291ecf2d98919eb72c16d7d39b40e54e859d6a48c139a497829c3546cd2ae95be31f1a4145cba560d3d6e1b12
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user