From a56f5f5ab484dd966c885f2d7281cf2a051dfdbc Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 3 Apr 2024 19:12:58 +0000
Subject: [PATCH] Update dependency vite to v5.1.7 [SECURITY] (#1996)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev)
([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) |
[`5.1.5` -> `5.1.7`](https://renovatebot.com/diffs/npm/vite/5.1.5/5.1.7)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.1.5/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.1.5/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[GHSA-8jhw-289h-jh2g](https://togithub.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g)

### Summary
[Vite dev server
option](https://vitejs.dev/config/server-options.html#server-fs-deny)
`server.fs.deny` did not deny requests for patterns with directories. An
example of such a pattern is `/foo/**/*`.

### Impact
Only apps setting a custom `server.fs.deny` that includes a pattern with
directories, and explicitly exposing the Vite dev server to the network
(using `--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.

### Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10,
vite@2.9.18

### Details
`server.fs.deny` uses picomatch with the config of `{ matchBase: true
}`.
[matchBase](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean)
only matches the basename of the file, not the path due to a bug
([https://github.com/micromatch/picomatch/issues/89](https://togithub.com/micromatch/picomatch/issues/89)).
The vite config docs read like you should be able to set fs.deny to glob
with picomatch. Vite also does not set `{ dot: true }` and that causes
[dotfiles not to be
denied](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean)
unless they are explicitly defined.

**Reproduction**

Set fs.deny to `['**/.git/**']` and then curl for `/.git/config`.

* with `matchBase: true`, you can get any file under `.git/` (config,
HEAD, etc).
* with `matchBase: false`, you cannot get any file under `.git/`
(config, HEAD, etc).

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7)

Please refer to
[CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md)
for details.

###
[`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small)

[Compare
Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6)

- chore(deps): update all non-major dependencies
([#&#8203;16131](https://togithub.com/vitejs/vite/issues/16131))
([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes
[#&#8203;16131](https://togithub.com/vitejs/vite/issues/16131)
- fix: check for publicDir before checking if it is a parent directory
([#&#8203;16046](https://togithub.com/vitejs/vite/issues/16046))
([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes
[#&#8203;16046](https://togithub.com/vitejs/vite/issues/16046)
- fix: escape single quote when relative base is used
([#&#8203;16060](https://togithub.com/vitejs/vite/issues/16060))
([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes
[#&#8203;16060](https://togithub.com/vitejs/vite/issues/16060)
- fix: handle function property extension in namespace import
([#&#8203;16113](https://togithub.com/vitejs/vite/issues/16113))
([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes
[#&#8203;16113](https://togithub.com/vitejs/vite/issues/16113)
- fix: server middleware mode resolve
([#&#8203;16122](https://togithub.com/vitejs/vite/issues/16122))
([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes
[#&#8203;16122](https://togithub.com/vitejs/vite/issues/16122)
- fix(esbuild): update tsconfck to fix bug that could cause a deadlock
([#&#8203;16124](https://togithub.com/vitejs/vite/issues/16124))
([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes
[#&#8203;16124](https://togithub.com/vitejs/vite/issues/16124)
- fix(worker): hide "The emitted file overwrites" warning if the content
is same ([#&#8203;16094](https://togithub.com/vitejs/vite/issues/16094))
([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes
[#&#8203;16094](https://togithub.com/vitejs/vite/issues/16094)
- fix(worker): throw error when circular worker import is detected and
support self referencing worker
([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes
[#&#8203;16103](https://togithub.com/vitejs/vite/issues/16103)
- style(utils): remove null check
([#&#8203;16112](https://togithub.com/vitejs/vite/issues/16112))
([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes
[#&#8203;16112](https://togithub.com/vitejs/vite/issues/16112)
- refactor(runtime): share more code between runtime and main bundle
([#&#8203;16063](https://togithub.com/vitejs/vite/issues/16063))
([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes
[#&#8203;16063](https://togithub.com/vitejs/vite/issues/16063)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log [here](https://developer.mend.io/github/ni/nimble).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 package-lock.json | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index f175613d93..8bfadc69db 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -29179,9 +29179,9 @@
       }
     },
     "node_modules/source-map-js": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
-      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.0.tgz",
+      "integrity": "sha512-itJW8lvSA0TXEphiRoawsCksnlf8SyvmFzIhltqAHluXd88pkCd+cXJVHTDwdCr0IzwptSm035IHQktUu1QUMg==",
       "dev": true,
       "engines": {
         "node": ">=0.10.0"
@@ -31637,9 +31637,9 @@
       }
     },
     "node_modules/vite": {
-      "version": "5.1.5",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-5.1.5.tgz",
-      "integrity": "sha512-BdN1xh0Of/oQafhU+FvopafUp6WaYenLU/NFoL5WyJL++GxkNfieKzBhM24H3HVsPQrlAqB7iJYTHabzaRed5Q==",
+      "version": "5.1.7",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-5.1.7.tgz",
+      "integrity": "sha512-sgnEEFTZYMui/sTlH1/XEnVNHMujOahPLGMxn1+5sIT45Xjng1Ec1K78jRP15dSmVgg5WBin9yO81j3o9OxofA==",
       "dev": true,
       "dependencies": {
         "esbuild": "^0.19.3",
@@ -32096,9 +32096,9 @@
       }
     },
     "node_modules/vite/node_modules/postcss": {
-      "version": "8.4.35",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.35.tgz",
-      "integrity": "sha512-u5U8qYpBCpN13BsiEB0CbR1Hhh4Gc0zLFuedrHJKMctHCHAGrMdG0PRM/KErzAL3CU6/eckEtmHNB3x6e3c0vA==",
+      "version": "8.4.38",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.38.tgz",
+      "integrity": "sha512-Wglpdk03BSfXkHoQa3b/oulrotAkwrlLDRSOb9D0bN86FdRyE9lppSp33aHNPgBa0JKCoB+drFLZkQoRRYae5A==",
       "dev": true,
       "funding": [
         {
@@ -32117,7 +32117,7 @@
       "dependencies": {
         "nanoid": "^3.3.7",
         "picocolors": "^1.0.0",
-        "source-map-js": "^1.0.2"
+        "source-map-js": "^1.2.0"
       },
       "engines": {
         "node": "^10 || ^12 || >=14"
@@ -33355,7 +33355,7 @@
       "devDependencies": {
         "@lhci/cli": "^0.13.0",
         "typescript": "~4.9.5",
-        "vite": "^5.1.5"
+        "vite": "^5.1.7"
       }
     },
     "packages/site": {
@@ -33367,7 +33367,7 @@
       "devDependencies": {
         "@11ty/eleventy": "^2.0.1",
         "typescript": "~4.9.5",
-        "vite": "^5.1.5"
+        "vite": "^5.1.7"
       }
     },
     "packages/xliff-to-json-converter": {