From 6cc594942f3cc85582968b5b9f7bcefbb8c5f367 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 18:31:51 +0000 Subject: [PATCH] fix(deps): update dependency vite to v5.1.7 [security] (#10408) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.1.6` -> `5.1.7`](https://renovatebot.com/diffs/npm/vite/5.1.6/5.1.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.1.6/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.1.6/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-8jhw-289h-jh2g](https://togithub.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g) ### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. ### Impact Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Patches Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18 ### Details `server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path due to a bug ([https://github.com/micromatch/picomatch/issues/89](https://togithub.com/micromatch/picomatch/issues/89)). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set `{ dot: true }` and that causes [dotfiles not to be denied](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly defined. **Reproduction** Set fs.deny to `['**/.git/**']` and then curl for `/.git/config`. * with `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc). * with `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc). --- ### Release Notes
vitejs/vite (vite) ### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details.
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- packages/vite/package.json | 2 +- yarn.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/vite/package.json b/packages/vite/package.json index 997c3b6e4a14..c418f7fb9af0 100644 --- a/packages/vite/package.json +++ b/packages/vite/package.json @@ -83,7 +83,7 @@ "isbot": "3.8.0", "react": "18.3.0-canary-a870b2d54-20240314", "react-server-dom-webpack": "18.3.0-canary-a870b2d54-20240314", - "vite": "5.1.6", + "vite": "5.1.7", "vite-plugin-cjs-interop": "2.1.0", "yargs-parser": "21.1.1" }, diff --git a/yarn.lock b/yarn.lock index 1befe9284638..7e8758897c43 100644 --- a/yarn.lock +++ b/yarn.lock @@ -8804,7 +8804,7 @@ __metadata: rollup: "npm:4.13.0" tsx: "npm:4.7.1" typescript: "npm:5.4.3" - vite: "npm:5.1.6" + vite: "npm:5.1.7" vite-plugin-cjs-interop: "npm:2.1.0" vitest: "npm:1.4.0" yargs-parser: "npm:21.1.1" @@ -33240,9 +33240,9 @@ __metadata: languageName: node linkType: hard -"vite@npm:5.1.6, vite@npm:^5.0.0": - version: 5.1.6 - resolution: "vite@npm:5.1.6" +"vite@npm:5.1.7, vite@npm:^5.0.0": + version: 5.1.7 + resolution: "vite@npm:5.1.7" dependencies: esbuild: "npm:^0.19.3" fsevents: "npm:~2.3.3" @@ -33276,7 +33276,7 @@ __metadata: optional: true bin: vite: bin/vite.js - checksum: 10c0/b935527544741d9313143a77f811d97b8b094757e42f9c02b7aca6294a4912674dbad5379e4759629b6ba895c93b5020cc7594f74b37846715336837fdce850a + checksum: 10c0/f64e1d8bcb237f600790c303447b95f0972e7c5377c0e1c38c1e62ef4864df2bff00c83315994da6e2e64fb51166199403a740b685c5b69a4af648b9244fc69c languageName: node linkType: hard