chore(deps): update dependency vite to v5.4.6 [security] (#8164)

This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.2` -> `5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.2/5.4.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx) ### Summary The contents of arbitrary files can be returned to the browser. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. ### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ``` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.4.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.6) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.5...v5.4.6) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) for details. ### [`v5.4.5`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.5) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.4...v5.4.5) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.5/packages/vite/CHANGELOG.md) for details. ### [`v5.4.4`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.4) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.3...v5.4.4) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.4/packages/vite/CHANGELOG.md) for details. ### [`v5.4.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small543-2024-09-03-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.2...v5.4.3) - fix: allow getting URL of JS files in publicDir ([#17915](https://redirect.github.com/vitejs/vite/issues/17915)) ([943ece1](https://redirect.github.com/vitejs/vite/commit/943ece177e7709b3ba574e810afce347c51d4442)), closes [#17915](https://redirect.github.com/vitejs/vite/issues/17915) - fix: cjs warning respect the logLevel flag ([#17993](https://redirect.github.com/vitejs/vite/issues/17993)) ([dc3c14f](https://redirect.github.com/vitejs/vite/commit/dc3c14f39fcd57867c8ae81b75ae768b53b4b880)), closes [#17993](https://redirect.github.com/vitejs/vite/issues/17993) - fix: improve CJS warning trace information ([#17926](https://redirect.github.com/vitejs/vite/issues/17926)) ([5c5f82c](https://redirect.github.com/vitejs/vite/commit/5c5f82c84bb64309875b42eee9d4dd525ab42e8c)), closes [#17926](https://redirect.github.com/vitejs/vite/issues/17926) - fix: only remove entry assets handled by Vite core ([#17916](https://redirect.github.com/vitejs/vite/issues/17916)) ([ebfaa7e](https://redirect.github.com/vitejs/vite/commit/ebfaa7e6019783f308db5e759a6a67abb7cc626c)), closes [#17916](https://redirect.github.com/vitejs/vite/issues/17916) - fix: waitForRequestIdle locked ([#17982](https://redirect.github.com/vitejs/vite/issues/17982)) ([ad13760](https://redirect.github.com/vitejs/vite/commit/ad1376018a94b42540a8488d897cc520849e1228)), closes [#17982](https://redirect.github.com/vitejs/vite/issues/17982) - fix(css): fix directory index import in sass modern api ([#17960](https://redirect.github.com/vitejs/vite/issues/17960)) ([9b001ba](https://redirect.github.com/vitejs/vite/commit/9b001baa70c8489ac5550107c110a5dca281cda4)), closes [#17960](https://redirect.github.com/vitejs/vite/issues/17960) - fix(css): fix sass `file://` reference ([#17909](https://redirect.github.com/vitejs/vite/issues/17909)) ([561b940](https://redirect.github.com/vitejs/vite/commit/561b940f6f963fbb78058a6e23b4adad53a2edb9)), closes [#17909](https://redirect.github.com/vitejs/vite/issues/17909) - fix(css): fix sass modern source map ([#17938](https://redirect.github.com/vitejs/vite/issues/17938)) ([d428e7e](https://redirect.github.com/vitejs/vite/commit/d428e7e3a05f8da5ea00bb1b6a0827a5cc225899)), closes [#17938](https://redirect.github.com/vitejs/vite/issues/17938) - fix(deps): bump tsconfck ([#17990](https://redirect.github.com/vitejs/vite/issues/17990)) ([8c661b2](https://redirect.github.com/vitejs/vite/commit/8c661b20e92f33eb2e3ba3841b20dd6f6076f1ef)), closes [#17990](https://redirect.github.com/vitejs/vite/issues/17990) - fix(html): rewrite assets url in <template> ([#17988](https://redirect.github.com/vitejs/vite/issues/17988)) ([413c86a](https://redirect.github.com/vitejs/vite/commit/413c86aa971bc1ad8958578c929f45a368799f74)), closes [#17988](https://redirect.github.com/vitejs/vite/issues/17988) - fix(preload): add crossorigin attribute in CSS link tags ([#17930](https://redirect.github.com/vitejs/vite/issues/17930)) ([15871c7](https://redirect.github.com/vitejs/vite/commit/15871c75e0722adeda23f771fd6c45fecba4d118)), closes [#17930](https://redirect.github.com/vitejs/vite/issues/17930) - chore: reduce diffs with v6 branch ([#17942](https://redirect.github.com/vitejs/vite/issues/17942)) ([bf9065a](https://redirect.github.com/vitejs/vite/commit/bf9065aa13da6a519014c3bc1d34cfb1cb49ccca)), closes [#17942](https://redirect.github.com/vitejs/vite/issues/17942) - chore(deps): update all non-major dependencies ([#17945](https://redirect.github.com/vitejs/vite/issues/17945)) ([cfb621e](https://redirect.github.com/vitejs/vite/commit/cfb621e7a5a3e24d710a9af156e6855e73caf891)), closes [#17945](https://redirect.github.com/vitejs/vite/issues/17945) - chore(deps): update all non-major dependencies ([#17991](https://redirect.github.com/vitejs/vite/issues/17991)) ([0ca53cf](https://redirect.github.com/vitejs/vite/commit/0ca53cff9ff49108fcec75ff01d2445f9c2f2a4c)), closes [#17991](https://redirect.github.com/vitejs/vite/issues/17991) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Unleash/unleash).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Unleash · Sep 17, 2024 · 011ebe2 · 011ebe2
1 parent f5fd42d
commit 011ebe2
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 15 deletions.
diff --git a/frontend/package.json b/frontend/package.json
@@ -117,7 +117,7 @@
     "typescript": "5.4.5",
     "use-query-params": "^2.2.1",
     "vanilla-jsoneditor": "^0.23.0",
-    "vite": "5.4.2",
+    "vite": "5.4.6",
     "vite-plugin-env-compatible": "2.0.1",
     "vite-plugin-svgr": "3.3.0",
     "vite-tsconfig-paths": "4.3.2",
@@ -131,7 +131,7 @@
     "@codemirror/state": "6.4.1",
     "@xmldom/xmldom": "^0.9.0",
     "json5": "^2.2.2",
-    "vite": "5.4.2",
+    "vite": "5.4.6",
     "semver": "7.6.3",
     "ws": "^8.18.0",
     "@types/react": "18.3.5"

diff --git a/frontend/yarn.lock b/frontend/yarn.lock
@@ -7848,6 +7848,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"picocolors@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "picocolors@npm:1.1.0"
+  checksum: 10c0/86946f6032148801ef09c051c6fb13b5cf942eaf147e30ea79edb91dd32d700934edebe782a1078ff859fb2b816792e97ef4dab03d7f0b804f6b01a0df35e023
+  languageName: node
+  linkType: hard
+
 "picomatch@npm:^2.0.4, picomatch@npm:^2.2.1, picomatch@npm:^2.2.3, picomatch@npm:^2.3.1":
   version: 2.3.1
   resolution: "picomatch@npm:2.3.1"
@@ -7908,14 +7915,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"postcss@npm:^8.4.41":
-  version: 8.4.45
-  resolution: "postcss@npm:8.4.45"
+"postcss@npm:^8.4.43":
+  version: 8.4.47
+  resolution: "postcss@npm:8.4.47"
   dependencies:
     nanoid: "npm:^3.3.7"
-    picocolors: "npm:^1.0.1"
-    source-map-js: "npm:^1.2.0"
-  checksum: 10c0/ad6f8b9b1157d678560373696109745ab97a947d449f8a997acac41c7f1e4c0f3ca4b092d6df1387f430f2c9a319987b1780dbdc27e35800a88cde9b606c1e8f
+    picocolors: "npm:^1.1.0"
+    source-map-js: "npm:^1.2.1"
+  checksum: 10c0/929f68b5081b7202709456532cee2a145c1843d391508c5a09de2517e8c4791638f71dd63b1898dba6712f8839d7a6da046c72a5e44c162e908f5911f57b5f44
   languageName: node
   linkType: hard
 
@@ -8915,13 +8922,20 @@ __metadata:
   languageName: node
   linkType: hard
 
-"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1, source-map-js@npm:^1.2.0":
+"source-map-js@npm:>=0.6.2 <2.0.0, source-map-js@npm:^1.0.1":
   version: 1.2.0
   resolution: "source-map-js@npm:1.2.0"
   checksum: 10c0/7e5f896ac10a3a50fe2898e5009c58ff0dc102dcb056ed27a354623a0ece8954d4b2649e1a1b2b52ef2e161d26f8859c7710350930751640e71e374fe2d321a4
   languageName: node
   linkType: hard
 
+"source-map-js@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "source-map-js@npm:1.2.1"
+  checksum: 10c0/7bda1fc4c197e3c6ff17de1b8b2c20e60af81b63a52cb32ec5a5d67a20a7d42651e2cb34ebe93833c5a2a084377e17455854fee3e21e7925c64a51b6a52b0faf
+  languageName: node
+  linkType: hard
+
 "source-map@npm:^0.5.7":
   version: 0.5.7
   resolution: "source-map@npm:0.5.7"
@@ -9801,7 +9815,7 @@ __metadata:
     typescript: "npm:5.4.5"
     use-query-params: "npm:^2.2.1"
     vanilla-jsoneditor: "npm:^0.23.0"
-    vite: "npm:5.4.2"
+    vite: "npm:5.4.6"
     vite-plugin-env-compatible: "npm:2.0.1"
     vite-plugin-svgr: "npm:3.3.0"
     vite-tsconfig-paths: "npm:4.3.2"
@@ -10063,13 +10077,13 @@ __metadata:
   languageName: node
   linkType: hard
 
-"vite@npm:5.4.2":
-  version: 5.4.2
-  resolution: "vite@npm:5.4.2"
+"vite@npm:5.4.6":
+  version: 5.4.6
+  resolution: "vite@npm:5.4.6"
   dependencies:
     esbuild: "npm:^0.21.3"
     fsevents: "npm:~2.3.3"
-    postcss: "npm:^8.4.41"
+    postcss: "npm:^8.4.43"
     rollup: "npm:^4.20.0"
   peerDependencies:
     "@types/node": ^18.0.0 || >=20.0.0
@@ -10102,7 +10116,7 @@ __metadata:
       optional: true
   bin:
     vite: bin/vite.js
-  checksum: 10c0/23e347ca8aa6f0a774227e4eb7abae228f12c6806a727b046aa75e7ee37ffc2d68cff74360e12a42c347f79adc294e2363bc723b957bf4b382b5a8fb39e4df9d
+  checksum: 10c0/5f87be3a10e970eaf9ac52dfab39cf9fff583036685252fb64570b6d7bfa749f6d221fb78058f5ef4b5664c180d45a8e7a7ff68d7f3770e69e24c7c68b958bde
   languageName: node
   linkType: hard