fix(deps): update dependency vite to v5.2.14 [security] #4381

renovate · 2024-09-17T22:28:51Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`5.0.13` -> `5.2.14`

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

vitejs/vite (vite)

`v5.2.14`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.2.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.2.12`

Compare Source

chore: move to eslint flat config (#16743) (8f16765), closes #16743
chore(deps): remove unused deps (#17329) (5a45745), closes #17329
chore(deps): update all non-major dependencies (#16722) (b45922a), closes #16722
fix: mention build.rollupOptions.output.manualChunks instead of build.rollupOutput.manualChunks (89378c0), closes #16721
fix(build): make SystemJSWrapRE match lazy (#16633) (6583ad2), closes #16633
fix(css): avoid generating empty JS files when JS files becomes empty but has CSS files imported (#1 (95fe5a7), closes #16078
fix(css): handle lightningcss compiled css in Deno (#17301) (8e4e932), closes #17301
fix(css): only use files the current bundle contains (#16684) (15a6ebb), closes #16684
fix(css): page reload was not happening with .css?raw (#16455) (8041846), closes #16455
fix(deps): update all non-major dependencies (#16603) (6711553), closes #16603
fix(deps): update all non-major dependencies (#16660) (bf2f014), closes #16660
fix(deps): update all non-major dependencies (#17321) (4a89766), closes #17321
fix(error-logging): rollup errors weren't displaying id and codeframe (#16540) (22dc196), closes #16540
fix(hmr): normalize the path info (#14255) (6a085d0), closes #14255
fix(hmr): trigger page reload when calling invalidate on root module (#16636) (2b61cc3), closes #16636
fix(logger): truncate log over 5000 characters long (#16581) (b0b839a), closes #16581
fix(optimizer): log dependencies added by plugins (#16729) (f0fb987), closes #16729
fix(sourcemap): improve sourcemap compatibility for vue2 (#16594) (913c040), closes #16594
docs: correct proxy shorthand example (#15938) (abf766e), closes #15938
docs: deprecate server.hot (#16741) (e7d38ab), closes #16741

`v5.2.11`

Compare Source

feat: improve dynamic import variable failure error message (#16519) (f8feeea), closes #16519
fix: dynamic-import-vars plugin normalize path issue (#16518) (f71ba5b), closes #16518
fix: scripts and styles were missing from built HTML on Windows (#16421) (0e93f58), closes #16421
fix(deps): update all non-major dependencies (#16488) (2d50be2), closes #16488
fix(deps): update all non-major dependencies (#16549) (2d6a13b), closes #16549
fix(dev): watch publicDir explicitly to include it outside the root (#16502) (4d83eb5), closes #16502
fix(preload): skip preload for non-static urls (#16556) (bb79c9b), closes #16556
fix(ssr): handle class declaration and expression name scoping (#16569) (c071eb3), closes #16569
fix(ssr): handle function expression name scoping (#16563) (02db947), closes #16563

`v5.2.10`

Compare Source

revert: perf: use workspace root for fs cache (#15712) (#16476) (77e7359), closes #15712 #16476
fix: add base to virtual html (#16442) (721f94d), closes #16442
fix: adjust esm syntax judgment logic (#16436) (af72eab), closes #16436
fix: don't add outDirs to watch.ignored if emptyOutDir is false (#16453) (6a127d6), closes #16453
fix(cspNonce): don't overwrite existing nonce values (#16415) (b872635), closes #16415
feat: show warning if root is in build.outDir (#16454) (11444dc), closes #16454
feat: write cspNonce to style tags (#16419) (8e54bbd), closes #16419
chore(deps): update dependency eslint-plugin-n to v17 (#16381) (6cccef7), closes #16381

`v5.2.9`

Compare Source

fix: fsp.rm removing files does not take effect (#16032) (b05c405), closes #16032
fix: fix accumulated stacks in error overlay (#16393) (102c2fd), closes #16393
fix(deps): update all non-major dependencies (#16376) (58a2938), closes #16376
chore: update region comment (#16380) (77562c3), closes #16380
perf: reduce size of injected __vite__mapDeps code (#16184) (c0ec6be), closes #16184
perf(css): only replace empty chunk if imported (#16349) (e2658ad), closes #16349

`v5.2.8`

Compare Source

fix: csp nonce injection when no closing tag (#16281) (#16282) (3c85c6b), closes #16281 #16282
fix: do not access document in /@vite/client when not defined (#16318) (646319c), closes #16318
fix: fix sourcemap when using object as define value (#15805) (445c4f2), closes #15805
fix(css): unknown file error happened with lightningcss (#16306) (01af308), closes #16306
fix(hmr): multiple updates happened when invalidate is called while multiple tabs open (#16307) (21cc10b), closes #16307
fix(scanner): duplicate modules for same id if glob is used in html-like types (#16305) (eca68fa), closes #16305
chore(deps): update all non-major dependencies (#16325) (a78e265), closes #16325
refactor: use types from sass instead of @types/sass (#16340) (4581e83), closes #16340

`v5.2.7`

Compare Source

chore: deprecate splitVendorChunkPlugin (#16274) (45a06da), closes #16274
fix: skip injecting __vite__mapDeps when it's not used (#16271) (890538a), closes #16271
fix(deps): update all non-major dependencies (#16258) (7caef42), closes #16258
fix(hmr): don't mutate module graph when collecting modules (#16302) (dfffea1), closes #16302
fix(hmr): trigger hmr for missing file import errored module after file creation (#16303) (ffedc06), closes #16303
fix(sourcemap): don't warn even if the sourcesContent is an empty string (#16273) (24e376a), closes #16273
feat(hmr): reload when HTML file is created/deleted (#16288) (1f53796), closes #16288

`v5.2.6`

Compare Source

fix: fs.deny with globs with directories (#16250) (ba5269c), closes #16250

`v5.2.5`

Compare Source

fix: avoid SSR requests in waitForRequestIdle (#16246) (7093f77), closes #16246
docs: clarify enforce vs hook.order (#16226) (3a73e48), closes #16226

`v5.2.4`

Compare Source

fix: dont resolve imports with malformed URI (#16244) (fbf69d5), closes #16244

`v5.2.3`

Compare Source

fix: handle warmup request error correctly (#16223) (d7c5256), closes #16223
fix: skip encode if is data uri (#16233) (8617e76), closes #16233
fix(optimizer): fix optimizeDeps.include glob syntax for ./* exports (#16230) (f184c80), closes #16230
fix(runtime): fix sourcemap with prepareStackTrace (#16220) (dad7f4f), closes #16220
chore: utf8 replaced with utf-8 (#16232) (9800c73), closes #16232

`v5.2.2`

Compare Source

fix(importAnalysis): skip encode in ssr (#16213) (e4d2d60), closes #16213

`v5.2.1`

Compare Source

fix: encode path uri only (#16212) (0b2e40b), closes #16212

`v5.2.0`

Compare Source

fix: update client.ts@cleanUrl to accomodate blob protocol (#16182) (1a3b1d7), closes #16182
fix(assets): avoid splitting , inside query parameter of image URI in srcset property (#16081) (50caf67), closes #16081
chore(deps): update all non-major dependencies (#16186) (842643d), closes #16186
perf(transformRequest): fast-path watch and sourcemap handling (#16170) (de60f1e), closes #16170
docs: add @shikiji/vitepress-twoslash (#16168) (6f8a320), closes #16168

`v5.1.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.1.6`

Compare Source

chore(deps): update all non-major dependencies (#16131) (a862ecb), closes #16131
fix: check for publicDir before checking if it is a parent directory (#16046) (b6fb323), closes #16046
fix: escape single quote when relative base is used (#16060) (8f74ce4), closes #16060
fix: handle function property extension in namespace import (#16113) (f699194), closes #16113
fix: server middleware mode resolve (#16122) (8403546), closes #16122
fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124) (fd9de04), closes #16124
fix(worker): hide "The emitted file overwrites" warning if the content is same (#16094) (60dfa9e), closes #16094
fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #16103
style(utils): remove null check (#16112) (0d2df52), closes #16112
refactor(runtime): share more code between runtime and main bundle (#16063) (93be84e), closes #16063

`v5.1.5`

Compare Source

fix: __vite__mapDeps code injection (#15732) (aff54e1), closes #15732
fix: analysing build chunk without dependencies (#15469) (bd52283), closes #15469
fix: import with query with imports field (#16085) (ab823ab), closes #16085
fix: normalize literal-only entry pattern (#16010) (1dccc37), closes #16010
fix: optimizeDeps.entries with literal-only pattern(s) (#15853) (49300b3), closes #15853
fix: output correct error for empty import specifier (#16055) (a9112eb), closes #16055
fix: upgrade esbuild to 0.20.x (#16062) (899d9b1), closes #16062
fix(runtime): runtime HMR affects only imported files (#15898) (57463fc), closes #15898
fix(scanner): respect experimentalDecorators: true (#15206) (4144781), closes #15206
revert: "fix: upgrade esbuild to 0.20.x" (#16072) (11cceea), closes #16072
refactor: share code with vite runtime (#15907) (b20d542), closes #15907
refactor(runtime): use functions from pathe (#16061) (aac2ef7), closes #16061
chore(deps): update all non-major dependencies (#16028) (7cfe80d), closes #16028

`v5.1.4`

Compare Source

perf: remove unnecessary regex s modifier (#15766) (8dc1b73), closes #15766
fix: fs cached checks disabled by default for yarn pnp (#15920) (8b11fea), closes #15920
fix: resolve directory correctly when fs.cachedChecks: true (#15983) (4fe971f), closes #15983
fix: srcSet with optional descriptor (#15905) (81b3bd0), closes #15905
fix(deps): update all non-major dependencies (#15959) (571a3fd), closes #15959
fix(watch): build watch fails when outDir is empty string (#15979) (1d263d3), closes #15979

`v5.1.3`

Compare Source

fix: cachedTransformMiddleware for direct css requests (#15919) (5099028), closes #15919
refactor(runtime): minor tweaks (#15904) (63a39c2), closes #15904
refactor(runtime): seal ES module namespace object instead of feezing (#15914) (4172f02), closes #15914

`v5.1.2`

Compare Source

fix: normalize import file path info (#15772) (306df44), closes #15772
fix(build): do not output build time when build fails (#15711) (added3e), closes #15711
fix(runtime): pass path instead of fileURL to isFilePathESM (#15908) (7b15607), closes #15908
fix(worker): support UTF-8 encoding in inline workers (fixes #12117) (#15866) (570e0f1), closes #12117 #15866
chore: update license file (#15885) (d9adf18), closes #15885
chore(deps): update all non-major dependencies (#15874) (d16ce5d), closes #15874
chore(deps): update dependency dotenv-expand to v11 (#15875) (642d528), closes #15875

`v5.1.1`

Compare Source

fix: empty CSS file was output when only .css?url is used (#15846) (b2873ac), closes #15846
fix: skip not only .js but also .mjs manifest entries (#15841) (3d860e7), closes #15841
chore: post 5.1 release edits (#15840) (9da6502), closes #15840

`v5.1.0`

Compare Source

chore: revert #15746 (#15839) (ed875f8), closes #15746 #15839
fix: pass customLogger to loadConfigFromFile (fix #15824) (#15831) (55a3427), closes #15824 #15831
fix(deps): update all non-major dependencies (#15803) (e0a6ef2), closes #15803
refactor: remove vite build --force (#15837) (f1a4242), closes #15837

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

codecov · 2024-09-17T22:45:12Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 99.46%. Comparing base (150a172) to head (b1a17fc).
Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4381   +/-   ##
=======================================
  Coverage   99.46%   99.46%           
=======================================
  Files        1051     1051           
  Lines       20205    20205           
  Branches     6355     6355           
=======================================
  Hits        20096    20096           
  Misses        109      109

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

fix(deps): update dependency vite to v5.2.14 [security]

b1a17fc

renovate bot enabled auto-merge (squash) September 17, 2024 22:28

renovate-approve bot approved these changes Sep 17, 2024

View reviewed changes

renovate bot temporarily deployed to Branch September 17, 2024 22:28 Inactive

renovate bot temporarily deployed to Branch September 17, 2024 22:29 Inactive

renovate bot temporarily deployed to Branch September 17, 2024 22:36 Inactive

renovate bot temporarily deployed to Branch September 17, 2024 22:43 Inactive

renovate bot temporarily deployed to Branch September 17, 2024 22:52 Inactive

renovate bot temporarily deployed to Branch September 17, 2024 23:00 Inactive

renovate bot deployed to Branch September 17, 2024 23:02 View deployment

renovate bot merged commit 799bc5a into master Sep 17, 2024
62 of 63 checks passed

renovate bot deleted the renovate/npm-vite-vulnerability branch September 17, 2024 23:03

renovate bot temporarily deployed to Branch September 17, 2024 23:03 Inactive

AkosuaA mentioned this pull request Sep 18, 2024

resolve conflicting vite versions #4383

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update dependency vite to v5.2.14 [security] #4381

fix(deps): update dependency vite to v5.2.14 [security] #4381

renovate bot commented Sep 17, 2024

codecov bot commented Sep 17, 2024 •

edited

Loading

fix(deps): update dependency vite to v5.2.14 [security] #4381

fix(deps): update dependency vite to v5.2.14 [security] #4381

Conversation

renovate bot commented Sep 17, 2024

GitHub Vulnerability Alerts

Summary

Details

PoC

Release Notes

Configuration

codecov bot commented Sep 17, 2024 • edited Loading

Codecov Report

codecov bot commented Sep 17, 2024 •

edited

Loading