⬆️ Update dependency vite to v5.4.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	5.4.2 -> 5.4.6

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

---

Release Notes

vitejs/vite (vite)

v5.4.6

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.5

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.4

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.3

Compare Source

• fix: allow getting URL of JS files in publicDir (#​17915) (943ece1), closes #​17915
• fix: cjs warning respect the logLevel flag (#​17993) (dc3c14f), closes #​17993
• fix: improve CJS warning trace information (#​17926) (5c5f82c), closes #​17926
• fix: only remove entry assets handled by Vite core (#​17916) (ebfaa7e), closes #​17916
• fix: waitForRequestIdle locked (#​17982) (ad13760), closes #​17982
• fix(css): fix directory index import in sass modern api (#​17960) (9b001ba), closes #​17960
• fix(css): fix sass file:// reference (#​17909) (561b940), closes #​17909
• fix(css): fix sass modern source map (#​17938) (d428e7e), closes #​17938
• fix(deps): bump tsconfck (#​17990) (8c661b2), closes #​17990
• fix(html): rewrite assets url in (#​17988) (413c86a), closes #​17988
• fix(preload): add crossorigin attribute in CSS link tags (#​17930) (15871c7), closes #​17930
• chore: reduce diffs with v6 branch (#​17942) (bf9065a), closes #​17942
• chore(deps): update all non-major dependencies (#​17945) (cfb621e), closes #​17945
• chore(deps): update all non-major dependencies (#​17991) (0ca53cf), closes #​17991

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3cfe6d3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 3cfe6d3:

Sandbox	Source
@fast-check/examples	Configuration

[github-actions]

👋 A preview of the new documentation is available at: http://66e9d8d35c98a7646805d438--dubzzz-fast-check.netlify.app

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.32%. Comparing base (58798b8) to head (3cfe6d3).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5261   +/-   ##
=======================================
  Coverage   95.32%   95.32%           
=======================================
  Files         234      234           
  Lines       10414    10414           
  Branches     2774     2774           
=======================================
  Hits         9927     9927           
  Misses        487      487           

Flag	Coverage Δ
unit-tests	95.32% <ø> (ø)
unit-tests-18.x-Linux	95.32% <ø> (ø)
unit-tests-20.x-Linux	95.32% <ø> (ø)
unit-tests-22.x-Linux	95.32% <ø> (ø)
unit-tests-latest-Linux	95.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.