Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump vite from 6.0.7 to 6.0.9 in /docs #11610

Merged
merged 1 commit into from
Jan 21, 2025
Merged

Bump vite from 6.0.7 to 6.0.9 in /docs #11610

merged 1 commit into from
Jan 21, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 21, 2025

Bumps vite from 6.0.7 to 6.0.9.

Release notes

Sourced from vite's releases.

v6.0.9

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v6.0.8

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.0.9 (2025-01-20)

  • fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
  • fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
  • fix: verify token for HMR WebSocket connection (029dcd6)

6.0.8 (2025-01-20)

Commits
  • a55f8ba release: v6.0.9
  • bd896fb fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
  • 029dcd6 fix: verify token for HMR WebSocket connection
  • b09572a fix!: default server.cors: false to disallow fetching from untrusted origins
  • c0f72a6 release: v6.0.8
  • f2aed62 fix: tree shake stringified JSON imports (#19189)
  • db81c2d fix: ensure server.close() only called once (#19204)
  • 47039f4 fix: use shared sigterm callback (#19203)
  • 3bd55bc fix: avoid SSR HMR for HTML files (#19193)
  • e690d8b fix(optimizer): use correct default install state path for yarn PnP (#19119)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump vite from 6.0.7 to 6.0.9 in /docs
bda54f8 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.0.7 to 6.0.9.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.0.9/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 21, 2025
@github-actions github-actions bot added the docs label Jan 21, 2025
@dryrunsecurity DryRunSecurity
Copy link

DryRun Security Summary

The pull request updates the vite development dependency from version 6.0.0 to 6.0.9 in the package.json and package-lock.json files, with a recommendation to review the release notes for potential security implications.

Expand for full summary

Summary:

The changes in this pull request are focused on updating the vite development dependency in the package.json and package-lock.json files. Updating dependencies to their latest versions is generally a good practice, as it allows the application to benefit from bug fixes and security patches. However, it's important to thoroughly test any dependency updates to ensure they don't introduce unexpected issues or regressions.

Since the package.json and package-lock.json files are configuration files that describe the project's dependencies and other metadata, the security impact of these changes is limited to the development environment and build process. As an application security engineer, I would recommend reviewing the release notes for the new vite version to ensure there are no known security vulnerabilities or breaking changes that could impact the project.

Files Changed:

  1. docs/package.json: The code change updates the vite development dependency from version 6.0.0 to 6.0.9. This is a routine update to keep the dependency up-to-date with the latest version.

  2. docs/package-lock.json: This file is updated to reflect the change in the vite dependency version from 6.0.0 to 6.0.9.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

View PR in the DryRun Dashboard.

1 similar comment
@dryrunsecurity DryRunSecurity
Copy link

DryRun Security Summary

The pull request updates the vite development dependency from version 6.0.0 to 6.0.9 in the package.json and package-lock.json files, with a recommendation to review the release notes for potential security implications.

Expand for full summary

Summary:

The changes in this pull request are focused on updating the vite development dependency in the package.json and package-lock.json files. Updating dependencies to their latest versions is generally a good practice, as it allows the application to benefit from bug fixes and security patches. However, it's important to thoroughly test any dependency updates to ensure they don't introduce unexpected issues or regressions.

Since the package.json and package-lock.json files are configuration files that describe the project's dependencies and other metadata, the security impact of these changes is limited to the development environment and build process. As an application security engineer, I would recommend reviewing the release notes for the new vite version to ensure there are no known security vulnerabilities or breaking changes that could impact the project.

Files Changed:

  1. docs/package.json: The code change updates the vite development dependency from version 6.0.0 to 6.0.9. This is a routine update to keep the dependency up-to-date with the latest version.

  2. docs/package-lock.json: This file is updated to reflect the change in the vite dependency version from 6.0.0 to 6.0.9.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

View PR in the DryRun Dashboard.

mtesauro
mtesauro approved these changes Jan 21, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit ac08db2 into master Jan 21, 2025
72 of 73 checks passed
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/docs/vite-6.0.9 branch January 21, 2025 21:28
Maffooch added a commit that referenced this pull request Jan 24, 2025
@dependabot @paulOsinski @Maffooch
Bump asteval from 1.0.5 to 1.0.6 (#11633)
85e0e46 
* Bump vite from 6.0.7 to 6.0.9 in /docs (#11610)

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.0.7 to 6.0.9.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.0.9/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Pro Release Notes 2.42.2 (#11611)

* update changelog 2.42.2

* add additional 2.42.1 features

---------

Co-authored-by: Paul Osinski <[email protected]>

* Update .dryrunsecurity.yaml (#11617)

* Readme docs - followup PR (#11525)

* follow on to readme update

* remove broken /pricing link

* chg local_settings refs ldap-authentication.md

---------

Co-authored-by: Paul Osinski <[email protected]>

* Bump asteval from 1.0.5 to 1.0.6

Bumps [asteval](https://github.com/lmfit/asteval) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](lmfit/asteval@1.0.5...1.0.6)

---
updated-dependencies:
- dependency-name: asteval
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Paul Osinski <[email protected]>
Co-authored-by: Cody Maffucci <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maffooch Maffooch Maffooch approved these changes

@mtesauro mtesauro mtesauro approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file docs javascript Pull requests that update Javascript code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mtesauro @Maffooch