mirror of https://github.com/Unleash/unleash.git synced 2025-10-27 11:02:16 +01:00

chore(deps): update dependency vite to v5.4.21 [security] (#10834)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.20` -> `5.4.21`](https://renovatebot.com/diffs/npm/vite/5.4.20/5.4.21) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.20/5.4.21?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7)

### Summary
Files denied by
[`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny)
were sent if the URL ended with `\` when the dev server is running on
Windows.

### Impact
Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))
- running the dev server on Windows

### Details
`server.fs.deny` can contain patterns matching against files (by default
it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These
patterns could be bypassed by using a backslash (`\`). The root cause
is that `fs.readFile('/foo.png/')` loads `/foo.png`.

### PoC
```shell
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
```
<img width="1593" height="616" alt="image"
src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175"
/>

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v5.4.21`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.21)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.20...v5.4.21)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.21/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job log](https://developer.mend.io/github/Unleash/unleash).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2025-10-21 08:00:01 +00:00 committed by GitHub
parent 1b60ed5df8
commit 14b4809c8e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 7 deletions
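The trailing-separator bypass described in the commit message above, as an added illustration that is not Vite's code: a constructed stand-in for a deny-list check that matches patterns against the raw request path (where `\` is not a separator, so `/.env\` slips through while the Windows file API still opens `.env`), beside a hardened version that percent-decodes, treats `\` as `/` the way Windows does, collapses `.`/`..` and trailing separators, and only then matches. The `DENY` regexes are my equivalents of the default `.env`, `.env.*`, `*.{crt,pem}` patterns the advisory names, and `classifyRequest` is a hypothetical logging helper; the sample requests are constructed.

```javascript
// Added example, not Vite's code: how a trailing separator slips past a
// deny-list check, and a canonicalisation step that closes the gap.

// Constructed regex equivalents of the default server.fs.deny patterns
// named in the advisory: ".env", ".env.*", "*.{crt,pem}".
const DENY = [/^\.env$/, /^\.env\..+$/, /\.(crt|pem)$/];

// Last path segment, treating only "/" as a separator.
function basename(p) {
  return p.slice(p.lastIndexOf("/") + 1);
}

// Naive check (the vulnerable shape): match the deny patterns against the
// raw request path. For "/.env\" the basename is ".env\" and nothing
// matches, yet Windows file APIs ignore the trailing separator and open
// ".env" anyway.
function isDeniedNaive(rawPath) {
  return DENY.some((re) => re.test(basename(rawPath)));
}

// Canonicalise the request path before any security decision:
//  - percent-decode, so "%5C" or "%2E" cannot hide a separator or a dot
//  - treat "\" as "/", as the Windows filesystem will
//  - collapse "." and ".." segments
//  - drop empty segments, which also removes any trailing separator
// Returns null on a malformed escape sequence so callers can fail closed.
function normalizeRequestPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;
  }
  const out = [];
  for (const seg of decoded.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened check: the same patterns, applied to the canonical path.
function isDeniedHardened(rawPath) {
  const p = normalizeRequestPath(rawPath);
  if (p === null) return true; // undecodable input: deny rather than guess
  return DENY.some((re) => re.test(basename(p)));
}

// Hypothetical logging helper: besides the verdict, flag requests whose raw
// path ends in a separator (literal or percent-encoded). A request shaped
// like that which canonicalises to a file is the bypass pattern and is
// worth alerting on in dev-server access logs.
function classifyRequest(rawPath) {
  return {
    raw: rawPath,
    normalized: normalizeRequestPath(rawPath),
    denied: isDeniedHardened(rawPath),
    trailingSeparator: /([\\/]|%5c|%2f)$/i.test(rawPath),
  };
}

// Constructed sample requests, including the advisory's "/.env\" case.
const SAMPLES = [
  "/.env",
  "/.env\\",
  "/.env/",
  "/certs/server.pem%5C",
  "/a/../.env\\",
  "/src/main.ts",
];
for (const r of SAMPLES) {
  console.log(JSON.stringify({ ...classifyRequest(r), naiveDenied: isDeniedNaive(r) }));
}
```

Running the block prints one JSON line per sample; the `/.env\` and `/certs/server.pem%5C` rows show `naiveDenied: false` next to `denied: true`, which is the whole bug in one line. The design point is that canonicalisation happens once, before the match, and that undecodable input is denied rather than passed through.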


@ -122,7 +122,7 @@
"unleash-proxy-client": "^3.7.3",
"use-query-params": "^2.2.1",
"vanilla-jsoneditor": "^0.23.0",
"vite": "5.4.20",
"vite": "5.4.21",
"vite-plugin-env-compatible": "2.0.1",
"vite-plugin-svgr": "3.3.0",
"vite-tsconfig-paths": "4.3.2",
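Review bot: the exact pin `"vite": "5.4.21"` (no caret, unlike the `^` ranges around it) keeps the convention already used for this entry and is the right call for a security patch, since it leaves nothing to range resolution; the same string also appears in the second `vite` entry later in this file and in the `vite@npm:` lockfile blocks, and all of them read 5.4.21 in this diff, which is what to confirm before merge.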
@ -134,7 +134,7 @@
"@xmldom/xmldom": "^0.9.0",
"jsonpath-plus": "10.3.0",
"json5": "^2.2.2",
"vite": "5.4.20",
"vite": "5.4.21",
"semver": "7.7.2",
"ws": "^8.18.0",
"@types/react": "18.3.23"
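Review bot: this second `vite` entry appears to sit in an override-style block alongside pinned `json5`, `semver` and `ws`, so bumping it together with the first entry matters: left at 5.4.20 it could keep a nested copy of vite (pulled in by a plugin) on the version affected by CVE-2025-62522 even after the direct dependency moved. Both entries now read 5.4.21, matching the lockfile resolution below.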


@ -10587,7 +10587,7 @@ __metadata:
unleash-proxy-client: "npm:^3.7.3"
use-query-params: "npm:^2.2.1"
vanilla-jsoneditor: "npm:^0.23.0"
vite: "npm:5.4.20"
vite: "npm:5.4.21"
vite-plugin-env-compatible: "npm:2.0.1"
vite-plugin-svgr: "npm:3.3.0"
vite-tsconfig-paths: "npm:4.3.2"
@ -10879,9 +10879,9 @@ __metadata:
languageName: node
linkType: hard
"vite@npm:5.4.20":
version: 5.4.20
resolution: "vite@npm:5.4.20"
"vite@npm:5.4.21":
version: 5.4.21
resolution: "vite@npm:5.4.21"
dependencies:
esbuild: "npm:^0.21.3"
fsevents: "npm:~2.3.3"
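Review bot: no new transitive dependency comes in with this bump: under the renamed `vite@npm:5.4.21` block the `dependencies` list (`esbuild: "npm:^0.21.3"`, `fsevents: "npm:~2.3.3"`) is unchanged and `version` and `resolution` move together, which is the shape to expect from a patch-level security release.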
@ -10918,7 +10918,7 @@ __metadata:
optional: true
bin:
vite: bin/vite.js
checksum: 10c0/391a1fdd7e05445d60aa3b15d6c1cffcdd92c5d154da375bf06b9cd5633c2387ebee0e8f2fceed3226a63dff36c8ef18fb497662dde8c135133c46670996c7a1
checksum: 10c0/468336a1409f728b464160cbf02672e72271fb688d0e605e776b74a89d27e1029509eef3a3a6c755928d8011e474dbf234824d054d07960be5f23cd176bc72de
languageName: node
linkType: hard
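Review bot: the new `checksum: 10c0/468336a1…` value cannot be verified by reading the diff; it has to correspond to the integrity hash of the vite 5.4.21 tarball served by the registry. The reliable check is a clean `yarn install --immutable` in CI, which fails if the lockfile disagrees with what the registry returns, rather than trusting a bot-authored hash, since a lockfile hunk is exactly where a tampered package would hide.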