From 14b4809c8edb4a0b6d1abd2a65934975a63ab17b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 08:00:01 +0000 Subject: [PATCH] chore(deps): update dependency vite to v5.4.21 [security] (#10834) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.20` -> `5.4.21`](https://renovatebot.com/diffs/npm/vite/5.4.20/5.4.21) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.20/5.4.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7) ### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns could be bypassed by using a backslash (`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` image --- ### Release Notes
vitejs/vite (vite) ### [`v5.4.21`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.21) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.20...v5.4.21) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md) for details.
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- frontend/package.json | 4 ++-- frontend/yarn.lock | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index 984f18b495..a65ba17f1c 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -122,7 +122,7 @@
 "unleash-proxy-client": "^3.7.3",
 "use-query-params": "^2.2.1",
 "vanilla-jsoneditor": "^0.23.0",
- "vite": "5.4.20",
+ "vite": "5.4.21",
 "vite-plugin-env-compatible": "2.0.1",
 "vite-plugin-svgr": "3.3.0",
 "vite-tsconfig-paths": "4.3.2",
@@ -134,7 +134,7 @@
 "@xmldom/xmldom": "^0.9.0",
 "jsonpath-plus": "10.3.0",
 "json5": "^2.2.2",
- "vite": "5.4.20",
+ "vite": "5.4.21",
 "semver": "7.7.2",
 "ws": "^8.18.0",
 "@types/react": "18.3.23"
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
index 4b1390e53e..70b27bd543 100644
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -10587,7 +10587,7 @@ __metadata: unleash-proxy-client: "npm:^3.7.3" use-query-params: "npm:^2.2.1" vanilla-jsoneditor: "npm:^0.23.0" - vite: "npm:5.4.20" + vite: "npm:5.4.21" vite-plugin-env-compatible: "npm:2.0.1" vite-plugin-svgr: "npm:3.3.0" vite-tsconfig-paths: "npm:4.3.2" 
@@ -10879,9 +10879,9 @@ __metadata: languageName: node linkType: hard -"vite@npm:5.4.20": - version: 5.4.20 - resolution: "vite@npm:5.4.20" +"vite@npm:5.4.21": + version: 5.4.21 + resolution: "vite@npm:5.4.21" dependencies: esbuild: "npm:^0.21.3" fsevents: "npm:~2.3.3" @@ -10918,7 +10918,7 @@ __metadata: optional: true bin: vite: bin/vite.js - checksum: 10c0/391a1fdd7e05445d60aa3b15d6c1cffcdd92c5d154da375bf06b9cd5633c2387ebee0e8f2fceed3226a63dff36c8ef18fb497662dde8c135133c46670996c7a1 + checksum: 10c0/468336a1409f728b464160cbf02672e72271fb688d0e605e776b74a89d27e1029509eef3a3a6c755928d8011e474dbf234824d054d07960be5f23cd176bc72de languageName: node linkType: hard