Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-07-21 13:47:39 +02:00
Code Issues Projects Releases Wiki Activity

chore(deps): update dependency vite to v5.4.19 [security] (#9899)

Browse Source 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.18` ->
`5.4.19`](https://renovatebot.com/diffs/npm/vite/5.4.18/5.4.19) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.18/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.18/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3)

### Summary
The contents of files in [the project
`root`](https://vite.dev/config/shared-options.html#root) that are
denied by a file matching pattern can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using
--host or [server.host config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.
Only files that are under [project
`root`](https://vite.dev/config/shared-options.html#root) and are denied
by a file matching pattern can be bypassed.

- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`,
`**/.env`
- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`

### Details

[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny)
can contain patterns matching against files (by default it includes
`.env`, `.env.*`, `*.{crt,pem}` as such patterns).
These patterns were able to bypass for files under `root` by using a
combination of slash and dot (`/.`).

### PoC
```
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
```


![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b)

![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc)

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.19`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.19)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.18...v5.4.19)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.19/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2025-05-06 08:15:37 +00:00 committed by GitHub
parent 9d6c18b94a
commit 6a2953f768
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
frontend/package.json
View File

@ -120,7 +120,7 @@
"unleash-proxy-client": "^3.7.3",
"use-query-params": "^2.2.1",
"vanilla-jsoneditor": "^0.23.0",
"vite": "5.4.18",
"vite": "5.4.19",
"vite-plugin-env-compatible": "2.0.1",
"vite-plugin-svgr": "3.3.0",
"vite-tsconfig-paths": "4.3.2",
@ -132,7 +132,7 @@
"@xmldom/xmldom": "^0.9.0",
"jsonpath-plus": "10.3.0",
"json5": "^2.2.2",
"vite": "5.4.18",
"vite": "5.4.19",
"semver": "7.7.1",
"ws": "^8.18.0",
"@types/react": "18.3.18"

10
frontend/yarn.lock
View File

@ -10193,7 +10193,7 @@ __metadata:
unleash-proxy-client: "npm:^3.7.3"
use-query-params: "npm:^2.2.1"
vanilla-jsoneditor: "npm:^0.23.0"
vite: "npm:5.4.18"
vite: "npm:5.4.19"
vite-plugin-env-compatible: "npm:2.0.1"
vite-plugin-svgr: "npm:3.3.0"
vite-tsconfig-paths: "npm:4.3.2"
@ -10485,9 +10485,9 @@ __metadata:
languageName: node
linkType: hard
"vite@npm:5.4.18":
version: 5.4.18
resolution: "vite@npm:5.4.18"
"vite@npm:5.4.19":
version: 5.4.19
resolution: "vite@npm:5.4.19"
dependencies:
esbuild: "npm:^0.21.3"
fsevents: "npm:~2.3.3"
@ -10524,7 +10524,7 @@ __metadata:
optional: true
bin:
vite: bin/vite.js
checksum: 10c0/a8cbbec6bdf399e62c386d70b8485e4f2f1b427beb19bc7c5d52b402a0c3750b7ff469fc20a8333755ea13bc1b0af5df3f22c8fd37d1739ee51d709b7a4740b6
checksum: 10c0/c97601234dba482cea5290f2a2ea0fcd65e1fab3df06718ea48adc8ceb14bc3129508216c4989329c618f6a0470b42f439677a207aef62b0c76f445091c2d89e
languageName: node
linkType: hard