1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00
unleash.unleash/frontend
renovate[bot] bf99f6fa6e
chore(deps): update dependency vite to v4.3.9 [security] (#3905)
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://togithub.com/vitejs/vite/tree/main/#readme)
([source](https://togithub.com/vitejs/vite)) | [`4.3.8` ->
`4.3.9`](https://renovatebot.com/diffs/npm/vite/4.3.8/4.3.9) |
[![age](https://badges.renovateapi.com/packages/npm/vite/4.3.9/age-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://badges.renovateapi.com/packages/npm/vite/4.3.9/adoption-slim)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://badges.renovateapi.com/packages/npm/vite/4.3.9/compatibility-slim/4.3.8)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://badges.renovateapi.com/packages/npm/vite/4.3.9/confidence-slim/4.3.8)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2023-34092](https://togithub.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67)

### Summary
Vite Server Options (`server.fs.deny`) can be bypassed using double
forward-slash (//) allows any unauthenticated user to read file from the
Vite root-path of the application including the default [`fs.deny`
settings](https://vitejs.dev/config/server-options.html#server-fs-deny)
(`['.env', '.env.*', '*.{crt,pem}']`)

### Impact
Only users explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected, and only files in the immediate Vite project root folder could
be exposed.

### Patches
Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7,
vite@2.9.16

### Details
Vite serve the application with under the root-path of the project while
running on the dev mode. By default, vite using server options fs.deny
to protected the sensitive information of the file. But, with simply
double forward-slash, we can bypass this fs restriction.

### PoC
1. Create a new latest project of vite using any package manager. (here
I'm using react and vue templates for tested and pnpm)
2. Serve the application on dev mode using pnpm run dev.
3. Directly access the file from url using double forward-slash (`//`)
(e.g: `//.env`, `//.env.local`)
4. Server Options `fs.deny` restrict successfully bypassed.

Proof Images:

![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)

![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)

---

### Release Notes

<details>
<summary>vitejs/vite</summary>

###
[`v4.3.9`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small439-2023-05-26-small)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v4.3.8...v4.3.9)

- fix: fs.deny with leading double slash
([#&#8203;13348](https://togithub.com/vitejs/vite/issues/13348))
([813ddd6](https://togithub.com/vitejs/vite/commit/813ddd6)), closes
[#&#8203;13348](https://togithub.com/vitejs/vite/issues/13348)
- fix: optimizeDeps during build and external ids
([#&#8203;13274](https://togithub.com/vitejs/vite/issues/13274))
([e3db771](https://togithub.com/vitejs/vite/commit/e3db771)), closes
[#&#8203;13274](https://togithub.com/vitejs/vite/issues/13274)
- fix(css): return deps if have no postcss plugins
([#&#8203;13344](https://togithub.com/vitejs/vite/issues/13344))
([28923fb](https://togithub.com/vitejs/vite/commit/28923fb)), closes
[#&#8203;13344](https://togithub.com/vitejs/vite/issues/13344)
- fix(legacy): style insert order
([#&#8203;13266](https://togithub.com/vitejs/vite/issues/13266))
([e444375](https://togithub.com/vitejs/vite/commit/e444375)), closes
[#&#8203;13266](https://togithub.com/vitejs/vite/issues/13266)
- chore: revert prev release commit
([2a30a07](https://togithub.com/vitejs/vite/commit/2a30a07))
- release: v4.3.9
([5c9abf7](https://togithub.com/vitejs/vite/commit/5c9abf7))
- docs: optimizeDeps.needsInterop
([#&#8203;13323](https://togithub.com/vitejs/vite/issues/13323))
([b34e79c](https://togithub.com/vitejs/vite/commit/b34e79c)), closes
[#&#8203;13323](https://togithub.com/vitejs/vite/issues/13323)
- test: respect commonjs options in playgrounds
([#&#8203;13273](https://togithub.com/vitejs/vite/issues/13273))
([19e8c68](https://togithub.com/vitejs/vite/commit/19e8c68)), closes
[#&#8203;13273](https://togithub.com/vitejs/vite/issues/13273)
- refactor: simplify SSR options' if statement
([#&#8203;13254](https://togithub.com/vitejs/vite/issues/13254))
([8013a66](https://togithub.com/vitejs/vite/commit/8013a66)), closes
[#&#8203;13254](https://togithub.com/vitejs/vite/issues/13254)
- perf(ssr): calculate stacktrace offset lazily
([#&#8203;13256](https://togithub.com/vitejs/vite/issues/13256))
([906c4c1](https://togithub.com/vitejs/vite/commit/906c4c1)), closes
[#&#8203;13256](https://togithub.com/vitejs/vite/issues/13256)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMTAuMCIsInVwZGF0ZWRJblZlciI6IjM1LjExMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-06-06 16:08:48 +00:00
..
cypress
public
scripts
src
.editorconfig
.gitignore
.nvmrc
.prettierignore
.prettierrc
cypress.config.ts
cypress.d.ts
index.html
index.js
orval.config.js
package.json
README.md
tsconfig.json
tsconfig.node.json
vercel.json
vite.config.ts
yarn.lock

frontend

This directory contains the Unleash Admin UI frontend app.

Run with a local instance of the unleash-api

Refer to the Contributing to Unleash guide for instructions. The frontend dev server runs (in port 3000) simultaneously with the backend dev server (in port 4242):

yarn install
yarn dev

Run with a sandbox instance of the Unleash API

Alternatively, instead of running unleash-api on localhost, you can use a remote instance:

cd ./frontend
yarn install
yarn run start:sandbox

Running end-to-end tests

We have a set of Cypress tests that run on the build before a PR can be merged so it's important that you check these yourself before submitting a PR. On the server the tests will run against the deployed Heroku app so this is what you probably want to test against:

yarn run start:sandbox

In a different shell, you can run the tests themselves:

yarn run e2e:heroku

If you need to test against patches against a local server instance, you'll need to run that, and then run the end to end tests using:

yarn run e2e

You may also need to test that a feature works against the enterprise version of unleash. Assuming the Heroku instance is still running, this can be done by:

yarn run start:enterprise
yarn run e2e

Generating the OpenAPI client

The frontend uses an OpenAPI client generated from the backend's OpenAPI spec. Whenever there are changes to the backend API, the client should be regenerated:

./scripts/generate-openapi.sh

This script assumes that you have a running instance of the enterprise backend at http://localhost:4242. The new OpenAPI client will be generated from the runtime schema of this instance. The target URL can be changed by setting the UNLEASH_OPENAPI_URL env var.

Analyzing bundle size

npx vite-bundle-visualizer in the root of the frontend directory