From 85d21d3846240844c3059e94d1bae08eedd11973 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 17 Sep 2024 23:35:35 +0200
Subject: [PATCH] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Update=20dependency=20vite?=
 =?UTF-8?q?=20to=20v5.4.6=20[SECURITY]=20(#5261)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.2` ->
`5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.2/5.4.6) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.2/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx)

### Summary
The contents of arbitrary files can be returned to the browser.

### Details
`@fs` denies access to files outside of Vite serving allow list. Adding
`?import&raw` to the URL bypasses this limitation and returns the file
content if it exists.

### PoC
```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.6)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.5...v5.4.6)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md)
for details.

###
[`v5.4.5`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.5)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.4...v5.4.5)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.5/packages/vite/CHANGELOG.md)
for details.

###
[`v5.4.4`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.4)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.3...v5.4.4)

Please refer to
[CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.4/packages/vite/CHANGELOG.md)
for details.

###
[`v5.4.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small543-2024-09-03-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v5.4.2...v5.4.3)

- fix: allow getting URL of JS files in publicDir
([#&#8203;17915](https://redirect.github.com/vitejs/vite/issues/17915))
([943ece1](https://redirect.github.com/vitejs/vite/commit/943ece177e7709b3ba574e810afce347c51d4442)),
closes
[#&#8203;17915](https://redirect.github.com/vitejs/vite/issues/17915)
- fix: cjs warning respect the logLevel flag
([#&#8203;17993](https://redirect.github.com/vitejs/vite/issues/17993))
([dc3c14f](https://redirect.github.com/vitejs/vite/commit/dc3c14f39fcd57867c8ae81b75ae768b53b4b880)),
closes
[#&#8203;17993](https://redirect.github.com/vitejs/vite/issues/17993)
- fix: improve CJS warning trace information
([#&#8203;17926](https://redirect.github.com/vitejs/vite/issues/17926))
([5c5f82c](https://redirect.github.com/vitejs/vite/commit/5c5f82c84bb64309875b42eee9d4dd525ab42e8c)),
closes
[#&#8203;17926](https://redirect.github.com/vitejs/vite/issues/17926)
- fix: only remove entry assets handled by Vite core
([#&#8203;17916](https://redirect.github.com/vitejs/vite/issues/17916))
([ebfaa7e](https://redirect.github.com/vitejs/vite/commit/ebfaa7e6019783f308db5e759a6a67abb7cc626c)),
closes
[#&#8203;17916](https://redirect.github.com/vitejs/vite/issues/17916)
- fix: waitForRequestIdle locked
([#&#8203;17982](https://redirect.github.com/vitejs/vite/issues/17982))
([ad13760](https://redirect.github.com/vitejs/vite/commit/ad1376018a94b42540a8488d897cc520849e1228)),
closes
[#&#8203;17982](https://redirect.github.com/vitejs/vite/issues/17982)
- fix(css): fix directory index import in sass modern api
([#&#8203;17960](https://redirect.github.com/vitejs/vite/issues/17960))
([9b001ba](https://redirect.github.com/vitejs/vite/commit/9b001baa70c8489ac5550107c110a5dca281cda4)),
closes
[#&#8203;17960](https://redirect.github.com/vitejs/vite/issues/17960)
- fix(css): fix sass `file://` reference
([#&#8203;17909](https://redirect.github.com/vitejs/vite/issues/17909))
([561b940](https://redirect.github.com/vitejs/vite/commit/561b940f6f963fbb78058a6e23b4adad53a2edb9)),
closes
[#&#8203;17909](https://redirect.github.com/vitejs/vite/issues/17909)
- fix(css): fix sass modern source map
([#&#8203;17938](https://redirect.github.com/vitejs/vite/issues/17938))
([d428e7e](https://redirect.github.com/vitejs/vite/commit/d428e7e3a05f8da5ea00bb1b6a0827a5cc225899)),
closes
[#&#8203;17938](https://redirect.github.com/vitejs/vite/issues/17938)
- fix(deps): bump tsconfck
([#&#8203;17990](https://redirect.github.com/vitejs/vite/issues/17990))
([8c661b2](https://redirect.github.com/vitejs/vite/commit/8c661b20e92f33eb2e3ba3841b20dd6f6076f1ef)),
closes
[#&#8203;17990](https://redirect.github.com/vitejs/vite/issues/17990)
- fix(html): rewrite assets url in <template>
([#&#8203;17988](https://redirect.github.com/vitejs/vite/issues/17988))
([413c86a](https://redirect.github.com/vitejs/vite/commit/413c86aa971bc1ad8958578c929f45a368799f74)),
closes
[#&#8203;17988](https://redirect.github.com/vitejs/vite/issues/17988)
- fix(preload): add crossorigin attribute in CSS link tags
([#&#8203;17930](https://redirect.github.com/vitejs/vite/issues/17930))
([15871c7](https://redirect.github.com/vitejs/vite/commit/15871c75e0722adeda23f771fd6c45fecba4d118)),
closes
[#&#8203;17930](https://redirect.github.com/vitejs/vite/issues/17930)
- chore: reduce diffs with v6 branch
([#&#8203;17942](https://redirect.github.com/vitejs/vite/issues/17942))
([bf9065a](https://redirect.github.com/vitejs/vite/commit/bf9065aa13da6a519014c3bc1d34cfb1cb49ccca)),
closes
[#&#8203;17942](https://redirect.github.com/vitejs/vite/issues/17942)
- chore(deps): update all non-major dependencies
([#&#8203;17945](https://redirect.github.com/vitejs/vite/issues/17945))
([cfb621e](https://redirect.github.com/vitejs/vite/commit/cfb621e7a5a3e24d710a9af156e6855e73caf891)),
closes
[#&#8203;17945](https://redirect.github.com/vitejs/vite/issues/17945)
- chore(deps): update all non-major dependencies
([#&#8203;17991](https://redirect.github.com/vitejs/vite/issues/17991))
([0ca53cf](https://redirect.github.com/vitejs/vite/commit/0ca53cff9ff49108fcec75ff01d2445f9c2f2a4c)),
closes
[#&#8203;17991](https://redirect.github.com/vitejs/vite/issues/17991)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/dubzzz/fast-check).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 yarn.lock | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index cc18b85da2a..2d3896a4b11 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -15650,10 +15650,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"picocolors@npm:^1.0.0, picocolors@npm:^1.0.1":
-  version: 1.0.1
-  resolution: "picocolors@npm:1.0.1"
-  checksum: 10c0/c63cdad2bf812ef0d66c8db29583802355d4ca67b9285d846f390cc15c2f6ccb94e8cb7eb6a6e97fc5990a6d3ad4ae42d86c84d3146e667c739a4234ed50d400
+"picocolors@npm:^1.0.0, picocolors@npm:^1.0.1, picocolors@npm:^1.1.0":
+  version: 1.1.0
+  resolution: "picocolors@npm:1.1.0"
+  checksum: 10c0/86946f6032148801ef09c051c6fb13b5cf942eaf147e30ea79edb91dd32d700934edebe782a1078ff859fb2b816792e97ef4dab03d7f0b804f6b01a0df35e023
   languageName: node
   linkType: hard
 
@@ -16193,14 +16193,14 @@ __metadata:
   languageName: node
   linkType: hard
 
-"postcss@npm:^8.4.21, postcss@npm:^8.4.24, postcss@npm:^8.4.26, postcss@npm:^8.4.33, postcss@npm:^8.4.38, postcss@npm:^8.4.41":
-  version: 8.4.41
-  resolution: "postcss@npm:8.4.41"
+"postcss@npm:^8.4.21, postcss@npm:^8.4.24, postcss@npm:^8.4.26, postcss@npm:^8.4.33, postcss@npm:^8.4.38, postcss@npm:^8.4.43":
+  version: 8.4.47
+  resolution: "postcss@npm:8.4.47"
   dependencies:
     nanoid: "npm:^3.3.7"
-    picocolors: "npm:^1.0.1"
-    source-map-js: "npm:^1.2.0"
-  checksum: 10c0/c1828fc59e7ec1a3bf52b3a42f615dba53c67960ed82a81df6441b485fe43c20aba7f4e7c55425762fd99c594ecabbaaba8cf5b30fd79dfec5b52a9f63a2d690
+    picocolors: "npm:^1.1.0"
+    source-map-js: "npm:^1.2.1"
+  checksum: 10c0/929f68b5081b7202709456532cee2a145c1843d391508c5a09de2517e8c4791638f71dd63b1898dba6712f8839d7a6da046c72a5e44c162e908f5911f57b5f44
   languageName: node
   linkType: hard
 
@@ -17982,10 +17982,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"source-map-js@npm:^1.0.1, source-map-js@npm:^1.2.0":
-  version: 1.2.0
-  resolution: "source-map-js@npm:1.2.0"
-  checksum: 10c0/7e5f896ac10a3a50fe2898e5009c58ff0dc102dcb056ed27a354623a0ece8954d4b2649e1a1b2b52ef2e161d26f8859c7710350930751640e71e374fe2d321a4
+"source-map-js@npm:^1.0.1, source-map-js@npm:^1.2.0, source-map-js@npm:^1.2.1":
+  version: 1.2.1
+  resolution: "source-map-js@npm:1.2.1"
+  checksum: 10c0/7bda1fc4c197e3c6ff17de1b8b2c20e60af81b63a52cb32ec5a5d67a20a7d42651e2cb34ebe93833c5a2a084377e17455854fee3e21e7925c64a51b6a52b0faf
   languageName: node
   linkType: hard
 
@@ -19569,12 +19569,12 @@ __metadata:
   linkType: hard
 
 "vite@npm:^5.0.0, vite@npm:^5.4.2":
-  version: 5.4.2
-  resolution: "vite@npm:5.4.2"
+  version: 5.4.6
+  resolution: "vite@npm:5.4.6"
   dependencies:
     esbuild: "npm:^0.21.3"
     fsevents: "npm:~2.3.3"
-    postcss: "npm:^8.4.41"
+    postcss: "npm:^8.4.43"
     rollup: "npm:^4.20.0"
   peerDependencies:
     "@types/node": ^18.0.0 || >=20.0.0
@@ -19607,7 +19607,7 @@ __metadata:
       optional: true
   bin:
     vite: bin/vite.js
-  checksum: 10c0/23e347ca8aa6f0a774227e4eb7abae228f12c6806a727b046aa75e7ee37ffc2d68cff74360e12a42c347f79adc294e2363bc723b957bf4b382b5a8fb39e4df9d
+  checksum: 10c0/5f87be3a10e970eaf9ac52dfab39cf9fff583036685252fb64570b6d7bfa749f6d221fb78058f5ef4b5664c180d45a8e7a7ff68d7f3770e69e24c7c68b958bde
   languageName: node
   linkType: hard
 
