This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.19` ->
`5.4.20`](https://renovatebot.com/diffs/npm/vite/5.4.19/5.4.20) |
[](https://docs.renovatebot.com/merge-confidence/)
|
[](https://docs.renovatebot.com/merge-confidence/)
|
### GitHub Vulnerability Alerts
####
[CVE-2025-58752](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3)
### Summary
Any HTML files on the machine were served regardless of the `server.fs`
settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[server.host config
option](https://vitejs.dev/config/server-options.html#server-host))
- `appType: 'spa'` (default) or `appType: 'mpa'` is used
This vulnerability also affects the preview server. The preview server
allowed HTML files not under the output directory to be served.
### Details
The
[serveStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L123))
function is in charge of serving static files from the server. It
returns the
[viteServeStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L136))
function which runs the needed tests and serves the page. The
viteServeStaticMiddleware function [checks if the extension of the
requested file is
".html"](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L144)).
If so, it doesn't serve the page. Instead, the server will go on to the
next middlewares, in this case
[htmlFallbackMiddleware](9719497ade/packages/vite/src/node/server/middlewares/htmlFallback.ts (L14)),
and then to
[indexHtmlMiddleware](9719497ade/packages/vite/src/node/server/middlewares/indexHtml.ts (L438)).
These middlewares don't perform any test against allow or deny rules,
and they don't make sure that the accessed file is in the root directory
of the server. They just find the file and send back its contents to the
client.
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
echo "secret" > /tmp/secret.html
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is
'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'`
The contents of /tmp/secret.html will be returned.
This will also work for HTML files that are in the root directory of the
project, but are in the deny list (or not in the allow list). Test that
by stopping the running server (CTRL+C), and running the following
commands in the server's shell:
```
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'`
You will receive a 403 HTTP Response, because everything in the
secret_files directory is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'`
You will receive the contents of secret_files/secret.html.
####
[CVE-2025-58751](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c)
### Summary
Files starting with the same name with the public directory were served
bypassing the `server.fs` settings.
### Impact
Only apps that match the following conditions are affected:
- explicitly exposes the Vite dev server to the network (using --host or
[`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- uses [the public directory
feature](https://vite.dev/guide/assets.html#the-public-directory)
(enabled by default)
- a symlink exists in the public directory
### Details
The
[servePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L79))
function is in charge of serving public files from the server. It
returns the
[viteServePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L106))
function which runs the needed tests and serves the page. The
viteServePublicMiddleware function [checks if the publicFiles variable
is
defined](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L111)),
and then uses it to determine if the requested page is public. In the
case that the publicFiles is undefined, the code will treat the
requested page as a public page, and go on with the serving function.
[publicFiles may be undefined if there is a symbolic link anywhere
inside the public
directory](9719497ade/packages/vite/src/node/publicDir.ts (L21)).
In that case, every requested page will be passed to the public serving
function. The serving function is based on the
[sirv](https://redirect.github.com/lukeed/sirv) library. Vite patches
the library to add the possibility to test loading access to pages, but
when the public page middleware [disables this
functionality](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L89))
since public pages are meant to be available always, regardless of
whether they are in the allow or deny list.
In the case of public pages, the serving function is [provided with the
path to the public
directory](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L85))
as a root directory. The code of the sirv library [uses the join
function to get the full path to the requested
file](d061616827/packages/sirv/index.mjs (L42)).
For example, if the public directory is "/www/public", and the requested
file is "myfile", the code will join them to the string
"/www/public/myfile". The code will then pass this string to the
normalize function. Afterwards, the code will [use the string's
startsWith
function](d061616827/packages/sirv/index.mjs (L43))
to determine whether the created path is within the given directory or
not. Only if it is, it will be served.
Since [sirv trims the trailing slash of the public
directory](d061616827/packages/sirv/index.mjs (L119)),
the string's startsWith function may return true even if the created
path is not within the public directory. For example, if the server's
root is at "/www", and the public directory is at "/www/p", if the
created path will be "/www/private.txt", the startsWith function will
still return true, because the string "/www/private.txt" starts with
"/www/p". To achieve this, the attacker will use ".." to ask for the
file "../private.txt". The code will then join it to the "/www/p"
string, and will receive "/www/p/../private.txt". Then, the normalize
function will return "/www/private.txt", which will then be passed to
the startsWith function, which will return true, and the processing of
the page will continue without checking the deny list (since this is the
public directory middleware which doesn't check that).
### PoC
Execute the following shell commands:
```
npm create vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo "secret" > private.txt
npm install
npm run dev
```
Then, in a different shell, run the following command:
`curl -v --path-as-is 'http://localhost:5173/private.txt'`
You will receive a 403 HTTP Response, because private.txt is denied.
Now in the same shell run the following command:
`curl -v --path-as-is 'http://localhost:5173/../private.txt'`
You will receive the contents of private.txt.
### Related links
-
f0113f3f82
---
### Release Notes
<details>
<summary>vitejs/vite (vite)</summary>
###
[`v5.4.20`](https://redirect.github.com/vitejs/vite/compare/v5.4.19...v5.4.20)
[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.19...v5.4.20)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/Unleash/unleash).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR cleans up the addConfiguration flag. These changes were
automatically generated by AI and should be reviewed carefully.
Fixes#10627
## 🧹 AI Flag Cleanup Summary
This change removes the `addConfiguration` feature flag. The feature was
discarded, so this cleanup reverts the UI to its state before the
`addConfiguration` flag was introduced. The primary change is in the
strategy
menu, where the single "Add configuration" button is removed and the
original
"Use template," "Add strategy," and "More" buttons are restored.
### 🚮 Removed
- **Flag Definitions**
- `addConfiguration` flag from `experimental.ts` on the backend.
- `addConfiguration` flag from `uiConfig.ts` on the frontend.
- `addConfiguration: true` from the `server-dev.ts` config.
- **UI Components & Logic**
- The conditional rendering in `FeatureStrategyMenu.tsx` that showed an
"Add
configuration" button.
- The `useUiFlag('addConfiguration')` hook call and its import from
`FeatureStrategyMenu.tsx`.
### 🛠 Kept
- **UI Components & Logic**
- The original set of buttons in `FeatureStrategyMenu.tsx`: "Use
template",
"Add strategy", and a "More strategies" icon button. This was the code
path for
when the flag was disabled.
### 📝 Why
The `addConfiguration` feature flag was marked as completed with the
outcome
"discarded". This cleanup removes the flag and all related code,
preserving only
the intended code path, which is the UI behavior from before the flag
was
introduced.
---------
Co-authored-by: unleash-bot <194219037+unleash-bot[bot]@users.noreply.github.com>
Co-authored-by: Nuno Góis <github@nunogois.com>
CookieYes was throwing an uncaught error triggered by GA and GTM
scripts. We don't want analytics to run in development anyway, so I
disabled them in these environments.
The previous implementation had a small bug where it would show "not
enough data" even if the graph was loading. This commit fixes that.
While working, I thought that maybe we should keep the current data
while we're fetching new data instead of adding a cover, but all the
other graphs use a cover when loading, so I've not made any changes to
that effect.
Uses the same custom highlighter that we've used for the other analytics
charts, but customizes it for the archive : creation ratio chart. Also
removes the color change on hover from the bars.
Because this plugin (or a version of it) is also used in the network
traffic graphs, I've consolidated all the uses into a more configurable
one (because I was mistakenly working in the wrong file).
Before:
<img width="596" height="392" alt="image"
src="https://github.com/user-attachments/assets/d4270a6d-b1c6-47ff-8e98-424d0e7fe089"
/>
After:
<img width="1141" height="476" alt="image"
src="https://github.com/user-attachments/assets/aa10aa87-e111-4a75-8dce-4a2fec7af8ad"
/>
