Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-06-27 01:19:00 +02:00
Code Issues Projects Releases Wiki Activity

chore(deps): update dependency vite to v5.4.15 [security] (#9663)

Browse Source 
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.14` ->
`5.4.15`](https://renovatebot.com/diffs/npm/vite/5.4.14/5.4.15) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.14/5.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.14/5.4.15?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)

### Summary
The contents of arbitrary files can be returned to the browser.

### Impact
Only apps explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.

### Details
`@fs` denies access to files outside of Vite serving allow list. Adding
`?raw??` or `?import&raw??` to the URL bypasses this limitation and
returns the file content if it exists. This bypass exists because
trailing separators such as `?` are removed in several places, but are
not accounted for in query string regexes.

### PoC
```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.15`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.15)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.14...v5.4.15)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.15/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot] 2025-03-31 16:20:38 +00:00 committed by GitHub
parent be41869568
commit 98a0fba1cb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
frontend/package.json
View File

@ -120,7 +120,7 @@
"typescript": "5.4.5",
"use-query-params": "^2.2.1",
"vanilla-jsoneditor": "^0.23.0",
"vite": "5.4.14",
"vite": "5.4.15",
"vite-plugin-env-compatible": "2.0.1",
"vite-plugin-svgr": "3.3.0",
"vite-tsconfig-paths": "4.3.2",
@ -132,7 +132,7 @@
"@xmldom/xmldom": "^0.9.0",
"jsonpath-plus": "10.3.0",
"json5": "^2.2.2",
"vite": "5.4.14",
"vite": "5.4.15",
"semver": "7.7.1",
"ws": "^8.18.0",
"@types/react": "18.3.18"

10
frontend/yarn.lock
View File

@ -10175,7 +10175,7 @@ __metadata:
typescript: "npm:5.4.5"
use-query-params: "npm:^2.2.1"
vanilla-jsoneditor: "npm:^0.23.0"
vite: "npm:5.4.14"
vite: "npm:5.4.15"
vite-plugin-env-compatible: "npm:2.0.1"
vite-plugin-svgr: "npm:3.3.0"
vite-tsconfig-paths: "npm:4.3.2"
@ -10448,9 +10448,9 @@ __metadata:
languageName: node
linkType: hard
"vite@npm:5.4.14":
version: 5.4.14
resolution: "vite@npm:5.4.14"
"vite@npm:5.4.15":
version: 5.4.15
resolution: "vite@npm:5.4.15"
dependencies:
esbuild: "npm:^0.21.3"
fsevents: "npm:~2.3.3"
@ -10487,7 +10487,7 @@ __metadata:
optional: true
bin:
vite: bin/vite.js
checksum: 10c0/8842933bd70ca6a98489a0bb9c8464bec373de00f9a97c8c7a4e64b24d15c88bfaa8c1acb38a68c3e5eb49072ffbccb146842c2d4edcdd036a9802964cffe3d1
checksum: 10c0/f8a4893bf9d57fe3ded6dc0a2278e8ded707fc9cf38d5a3255fe3caaeea41c52f29bf4deb5e85c9e8dbc8848e9046a7306727ca3fb7b67847d75ee2f2afda5e5
languageName: node
linkType: hard