1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-10-28 19:06:12 +01:00
unleash.unleash/frontend/package.json
renovate[bot] 8f4780c52f
chore(deps): update dependency vite to v5.0.12 [security] (#5977)
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev)
([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) |
[`5.0.11` ->
`5.0.12`](https://renovatebot.com/diffs/npm/vite/5.0.11/5.0.12) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.0.11/5.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-23331](https://togithub.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw)

### Summary
[Vite dev server
option](https://vitejs.dev/config/server-options.html#server-fs-deny)
`server.fs.deny` can be bypassed on case-insensitive file systems using
case-augmented versions of filenames. Notably this affects servers
hosted on Windows.

This bypass is similar to
https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area
reduced to hosts having case-insensitive filesystems.

### Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

### Details
Since `picomatch` defaults to case-sensitive glob matching, but the file
server doesn't discriminate; a blacklist bypass is possible.

See `picomatch` usage, where `nocase` is defaulted to `false`:
https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher
derived from `config.server.fs.deny` fails to block access to sensitive
files.

### PoC
**Setup**
1. Created vanilla Vite project using `npm create vite@latest` on a
Standard Azure hosted Windows 10 instance.
    - `npm run dev -- --host 0.0.0.0`
- Publicly accessible for the time being here: http://20.12.242.81:5173/
2. Created dummy secret files, e.g. `custom.secret` and `production.pem`
3. Populated `vite.config.js` with
```javascript
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
```

**Reproduction**
1. `curl -s http://20.12.242.81:5173/@​fs//`
- Descriptive error page reveals absolute filesystem path to project
root
2. `curl -s
http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js`
    - Discoverable configuration file reveals locations of secrets
3. `curl -s
http://20.12.242.81:5173/@​fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT`
- Secrets are directly accessible using case-augmented version of
filename

**Proof**
![Screenshot 2024-01-19
022736](https://user-images.githubusercontent.com/907968/298020728-3a8d3c06-fcfd-4009-9182-e842f66a6ea5.png)

### Impact
**Who**
- Users with exposed dev servers on environments with case-insensitive
filesystems

**What**
- Files protected by `server.fs.deny` are both discoverable, and
accessible

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v5.0.12`](https://togithub.com/vitejs/vite/releases/tag/v5.0.12)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v5.0.11...v5.0.12)

Please refer to
[CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.12/packages/vite/CHANGELOG.md)
for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMzUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEzNS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-20 01:38:23 +00:00

158 lines
5.8 KiB
JSON

{
"name": "unleash-frontend-local",
"version": "0.0.0",
"private": true,
"files": [
"index.js",
"build"
],
"engines": {
"node": ">=18"
},
"scripts": {
"build": "vite build",
"dev": "vite",
"start": "vite",
"start:prod": "vite build && vite preview",
"start:sandbox": "UNLEASH_API=https://sandbox.getunleash.io/ospro yarn run start",
"start:sandbox:enterprise": "UNLEASH_API=https://sandbox.getunleash.io/ VITE_TEST_REDIRECT=true UNLEASH_BASE_PATH=/enterprise/ yarn run start",
"start:demo2": "UNLEASH_API=https://sandbox.getunleash.io/ UNLEASH_BASE_PATH=/demo2/ yarn run start",
"start:enterprise": "UNLEASH_API=https://unleash.herokuapp.com VITE_TEST_REDIRECT=true yarn run start",
"start:demo": "UNLEASH_BASE_PATH=/demo/ UNLEASH_API=https://app.unleash-hosted.com/ yarn run start",
"test": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" vitest run",
"test:snapshot": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn test -u",
"test:watch": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" vitest watch",
"lint": "biome lint src --apply",
"lint:check": "biome check src",
"fmt": "biome format src --write",
"fmt:check": "biome check src",
"ts:check": "tsc",
"e2e": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn run cypress open --config baseUrl='http://localhost:3000' --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
"e2e:oss": "yarn --cwd frontend run cypress run --spec \"cypress/oss/**/*.spec.ts\" --config baseUrl=\"http://localhost:${EXPOSED_PORT:-4242}\" --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
"e2e:heroku": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" yarn run cypress open --config baseUrl='https://unleash.herokuapp.com' --env AUTH_USER=admin,AUTH_PASSWORD=unleash4all",
"gen:api": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" orval --config orval.config.js",
"gen:api:demo": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" UNLEASH_OPENAPI_URL=https://app.unleash-hosted.com/demo/docs/openapi.json yarn run gen:api",
"gen:api:sandbox": "NODE_OPTIONS=\"${NODE_OPTIONS} --no-experimental-fetch\" UNLEASH_OPENAPI_URL=https://sandbox.getunleash.io/demo2/docs/openapi.json yarn run gen:api"
},
"devDependencies": {
"@biomejs/biome": "1.5.1",
"@codemirror/lang-json": "6.0.1",
"@emotion/react": "11.11.3",
"@emotion/styled": "11.11.0",
"@mui/icons-material": "5.15.3",
"@mui/lab": "5.0.0-alpha.159",
"@mui/material": "5.15.3",
"@mui/x-date-pickers": "^6.18.3",
"@tanstack/react-table": "^8.10.7",
"@testing-library/dom": "8.20.1",
"@testing-library/jest-dom": "6.2.0",
"@testing-library/react": "12.1.5",
"@testing-library/react-hooks": "7.0.2",
"@testing-library/user-event": "14.5.2",
"@types/debounce": "1.2.4",
"@types/deep-diff": "1.0.5",
"@types/jest": "29.5.11",
"@types/lodash.clonedeep": "4.5.9",
"@types/lodash.isequal": "^4.5.8",
"@types/lodash.mapvalues": "^4.6.9",
"@types/lodash.omit": "4.5.9",
"@types/node": "18.19.6",
"@types/react": "17.0.74",
"@types/react-dom": "17.0.25",
"@types/react-linkify": "1.0.4",
"@types/react-router-dom": "5.3.3",
"@types/react-table": "7.7.19",
"@types/react-test-renderer": "17.0.9",
"@types/react-timeago": "4.1.7",
"@types/semver": "7.5.6",
"@types/uuid": "^9.0.0",
"@uiw/codemirror-theme-duotone": "4.21.21",
"@uiw/react-codemirror": "4.21.21",
"@vitejs/plugin-react": "4.2.1",
"cartesian": "^1.0.1",
"chart.js": "3.9.1",
"chartjs-adapter-date-fns": "3.0.0",
"classnames": "2.5.1",
"copy-to-clipboard": "3.3.3",
"countries-and-timezones": "^3.4.0",
"cypress": "13.6.2",
"cypress-vite": "^1.4.0",
"date-fns": "2.30.0",
"date-fns-tz": "^2.0.0",
"debounce": "2.0.0",
"deep-diff": "1.0.2",
"dequal": "2.0.3",
"fast-json-patch": "3.1.1",
"http-proxy-middleware": "2.0.6",
"immer": "9.0.21",
"jsdom": "23.1.0",
"lodash.clonedeep": "4.5.0",
"lodash.isequal": "^4.5.0",
"lodash.mapvalues": "^4.6.0",
"lodash.omit": "4.5.0",
"mermaid": "^9.3.0",
"millify": "^6.0.0",
"msw": "0.49.3",
"pkginfo": "0.4.1",
"plausible-tracker": "0.3.8",
"prop-types": "15.8.1",
"react": "17.0.2",
"react-chartjs-2": "4.3.1",
"react-confetti": "^6.1.0",
"react-dom": "17.0.2",
"react-dropzone": "14.2.3",
"react-error-boundary": "3.1.4",
"react-hooks-global-state": "2.1.0",
"react-joyride": "^2.5.3",
"react-linkify": "^1.0.0-alpha",
"react-markdown": "^8.0.4",
"react-router-dom": "6.21.2",
"react-table": "7.8.0",
"react-test-renderer": "17.0.2",
"react-timeago": "7.2.0",
"sass": "1.69.7",
"semver": "7.5.4",
"swr": "2.2.4",
"tss-react": "4.9.3",
"typescript": "4.8.4",
"use-query-params": "^2.2.1",
"vanilla-jsoneditor": "^0.21.0",
"vite": "5.0.12",
"vite-plugin-env-compatible": "2.0.1",
"vite-plugin-svgr": "3.3.0",
"vite-tsconfig-paths": "4.2.3",
"vitest": "1.1.3",
"whatwg-fetch": "3.6.20"
},
"optionalDependencies": {
"orval": "^6.17.0"
},
"resolutions": {
"@codemirror/state": "6.4.0",
"@xmldom/xmldom": "^0.8.4",
"json5": "^2.2.2",
"@types/react": "17.0.74",
"@types/react-dom": "17.0.25",
"semver": "7.5.4"
},
"jest": {
"moduleNameMapper": {
"\\.(jpg|jpeg|png|gif|eot|otf|webp|ttf|woff|woff2|mp4|webm|wav|mp3|m4a|aac|oga)$": "<rootDir>/src/__mocks__/fileMock.js",
"\\.svg": "<rootDir>/src/__mocks__/svgMock.js",
"\\.(css|scss)$": "identity-obj-proxy"
}
},
"browserslist": {
"production": [
">0.2%",
"not dead",
"not op_mini all"
],
"development": [
"last 1 chrome version",
"last 1 firefox version",
"last 1 safari version"
]
}
}