From 011ebe2f7907a7b3f590e7bd07b3a1d3feaf89f1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 17 Sep 2024 19:55:41 +0000 Subject: [PATCH] chore(deps): update dependency vite to v5.4.6 [security] (#8164) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.2` -> `5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.2/5.4.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx) ### Summary The contents of arbitrary files can be returned to the browser. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. ### PoC ```sh $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@​fs/tmp/secret.txt"

403 Restricted

The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@​fs/tmp/secret.txt?import&raw" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ``` --- ### Release Notes

vitejs/vite (vite) ### [`v5.4.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.6) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.5...v5.4.6) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) for details. ### [`v5.4.5`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.5) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.4...v5.4.5) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.5/packages/vite/CHANGELOG.md) for details. ### [`v5.4.4`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.4) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.3...v5.4.4) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.4/packages/vite/CHANGELOG.md) for details. ### [`v5.4.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small543-2024-09-03-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.2...v5.4.3) - fix: allow getting URL of JS files in publicDir ([#​17915](https://redirect.github.com/vitejs/vite/issues/17915)) ([943ece1](https://redirect.github.com/vitejs/vite/commit/943ece177e7709b3ba574e810afce347c51d4442)), closes [#​17915](https://redirect.github.com/vitejs/vite/issues/17915) - fix: cjs warning respect the logLevel flag ([#​17993](https://redirect.github.com/vitejs/vite/issues/17993)) ([dc3c14f](https://redirect.github.com/vitejs/vite/commit/dc3c14f39fcd57867c8ae81b75ae768b53b4b880)), closes [#​17993](https://redirect.github.com/vitejs/vite/issues/17993) - fix: improve CJS warning trace information ([#​17926](https://redirect.github.com/vitejs/vite/issues/17926)) ([5c5f82c](https://redirect.github.com/vitejs/vite/commit/5c5f82c84bb64309875b42eee9d4dd525ab42e8c)), closes [#​17926](https://redirect.github.com/vitejs/vite/issues/17926) - fix: only remove entry assets handled by Vite core ([#​17916](https://redirect.github.com/vitejs/vite/issues/17916)) ([ebfaa7e](https://redirect.github.com/vitejs/vite/commit/ebfaa7e6019783f308db5e759a6a67abb7cc626c)), closes [#​17916](https://redirect.github.com/vitejs/vite/issues/17916) - fix: waitForRequestIdle locked ([#​17982](https://redirect.github.com/vitejs/vite/issues/17982)) ([ad13760](https://redirect.github.com/vitejs/vite/commit/ad1376018a94b42540a8488d897cc520849e1228)), closes [#​17982](https://redirect.github.com/vitejs/vite/issues/17982) - fix(css): fix directory index import in sass modern api ([#​17960](https://redirect.github.com/vitejs/vite/issues/17960)) ([9b001ba](https://redirect.github.com/vitejs/vite/commit/9b001baa70c8489ac5550107c110a5dca281cda4)), closes [#​17960](https://redirect.github.com/vitejs/vite/issues/17960) - fix(css): fix sass `file://` reference ([#​17909](https://redirect.github.com/vitejs/vite/issues/17909)) ([561b940](https://redirect.github.com/vitejs/vite/commit/561b940f6f963fbb78058a6e23b4adad53a2edb9)), closes [#​17909](https://redirect.github.com/vitejs/vite/issues/17909) - fix(css): fix sass modern source map ([#​17938](https://redirect.github.com/vitejs/vite/issues/17938)) ([d428e7e](https://redirect.github.com/vitejs/vite/commit/d428e7e3a05f8da5ea00bb1b6a0827a5cc225899)), closes [#​17938](https://redirect.github.com/vitejs/vite/issues/17938) - fix(deps): bump tsconfck ([#​17990](https://redirect.github.com/vitejs/vite/issues/17990)) ([8c661b2](https://redirect.github.com/vitejs/vite/commit/8c661b20e92f33eb2e3ba3841b20dd6f6076f1ef)), closes [#​17990](https://redirect.github.com/vitejs/vite/issues/17990) - fix(html): rewrite assets url in