From 6a2953f768743e98a4be71ca851c093657fba264 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 May 2025 08:15:37 +0000 Subject: [PATCH] chore(deps): update dependency vite to v5.4.19 [security] (#9899) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.18` -> `5.4.19`](https://renovatebot.com/diffs/npm/vite/5.4.18/5.4.19) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.18/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.18/5.4.19?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3) ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. 
- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These file-matching patterns could be bypassed for files under `root` by appending a slash and a dot (`/.`) to the requested path. ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ``` ![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b) ![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc) --- ### Release Notes
vitejs/vite (vite) ### [`v5.4.19`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.19) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.18...v5.4.19) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.19/packages/vite/CHANGELOG.md) for details.
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
frontend/package.json | 4 ++--
frontend/yarn.lock | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index ae5e7ce630..f635dc807d 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -120,7 +120,7 @@
 "unleash-proxy-client": "^3.7.3",
 "use-query-params": "^2.2.1",
 "vanilla-jsoneditor": "^0.23.0",
- "vite": "5.4.18",
+ "vite": "5.4.19",
 "vite-plugin-env-compatible": "2.0.1",
 "vite-plugin-svgr": "3.3.0",
 "vite-tsconfig-paths": "4.3.2",
@@ -132,7 +132,7 @@
 "@xmldom/xmldom": "^0.9.0",
 "jsonpath-plus": "10.3.0",
 "json5": "^2.2.2",
- "vite": "5.4.18",
+ "vite": "5.4.19",
 "semver": "7.7.1",
 "ws": "^8.18.0",
 "@types/react": "18.3.18"
diff --git a/frontend/yarn.lock b/frontend/yarn.lock
index 8976897c93..00a0edc33e 100644
--- a/frontend/yarn.lock
+++ b/frontend/yarn.lock
@@ -10193,7 +10193,7 @@ __metadata:
 unleash-proxy-client: "npm:^3.7.3"
 use-query-params: "npm:^2.2.1"
 vanilla-jsoneditor: "npm:^0.23.0"
- vite: "npm:5.4.18"
+ vite: "npm:5.4.19"
 vite-plugin-env-compatible: "npm:2.0.1"
 vite-plugin-svgr: "npm:3.3.0"
 vite-tsconfig-paths: "npm:4.3.2"
@@ -10485,9 +10485,9 @@ __metadata:
 languageName: node
 linkType: hard
-"vite@npm:5.4.18":
- version: 5.4.18
- resolution: "vite@npm:5.4.18"
+"vite@npm:5.4.19":
+ version: 5.4.19
+ resolution: "vite@npm:5.4.19"
 dependencies:
 esbuild: "npm:^0.21.3"
 fsevents: "npm:~2.3.3"
@@ -10524,7 +10524,7 @@ __metadata:
 optional: true
 bin:
 vite: bin/vite.js
- checksum: 10c0/a8cbbec6bdf399e62c386d70b8485e4f2f1b427beb19bc7c5d52b402a0c3750b7ff469fc20a8333755ea13bc1b0af5df3f22c8fd37d1739ee51d709b7a4740b6
+ checksum: 10c0/c97601234dba482cea5290f2a2ea0fcd65e1fab3df06718ea48adc8ceb14bc3129508216c4989329c618f6a0470b42f439677a207aef62b0c76f445091c2d89e
 languageName: node
 linkType: hard