Jujulego / jill

Zero-config monorepo cli
MIT License

chore(deps): update dependency vite to v5.3.6 [security] #1152

Closed renovate[bot] closed 1 week ago

renovate[bot] commented 1 week ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 5.3.3 -> 5.3.6 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

vitejs/vite (vite)

### [`v5.3.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.3.6)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.3.5...v5.3.6)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.3.6/packages/vite/CHANGELOG.md) for details.

### [`v5.3.5`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small535-2024-07-25-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.3.4...v5.3.5)

- refactor(asset): remove rollup 3 public file watch workaround ([#16331](https://redirect.github.com/vitejs/vite/issues/16331)) ([66bdb1d](https://redirect.github.com/vitejs/vite/commit/66bdb1d7b41e46b5361606ff3811bdad6f625bcc)), closes [#16331](https://redirect.github.com/vitejs/vite/issues/16331)
- fix: make `server` type less restrictive (fix [#17627](https://redirect.github.com/vitejs/vite/issues/17627)) ([#17628](https://redirect.github.com/vitejs/vite/issues/17628)) ([b55c32f](https://redirect.github.com/vitejs/vite/commit/b55c32f7e36ee7cc3754a5d667785d066dece10a)), closes [#17627](https://redirect.github.com/vitejs/vite/issues/17627) [#17628](https://redirect.github.com/vitejs/vite/issues/17628)
- fix: show error if vite client cannot be loaded ([#17419](https://redirect.github.com/vitejs/vite/issues/17419)) ([db5ab1d](https://redirect.github.com/vitejs/vite/commit/db5ab1dfc4fb55c6387136ee31fed35910a046b0)), closes [#17419](https://redirect.github.com/vitejs/vite/issues/17419)
- fix(build): env output is not stable ([#17748](https://redirect.github.com/vitejs/vite/issues/17748)) ([b240a83](https://redirect.github.com/vitejs/vite/commit/b240a8347e7b62bee9d2212625732bb0d8c78633)), closes [#17748](https://redirect.github.com/vitejs/vite/issues/17748)
- fix(client): fix vite error path ([#17744](https://redirect.github.com/vitejs/vite/issues/17744)) ([3c1bde3](https://redirect.github.com/vitejs/vite/commit/3c1bde340693e1de89ed2853225a5c1b6812accc)), closes [#17744](https://redirect.github.com/vitejs/vite/issues/17744)
- fix(css): resolve url aliases with fragments (fix: [#17690](https://redirect.github.com/vitejs/vite/issues/17690)) ([#17691](https://redirect.github.com/vitejs/vite/issues/17691)) ([d906d3f](https://redirect.github.com/vitejs/vite/commit/d906d3f8e1199fb9fc09f4c3397a91b274bb65c8))
- fix(deps): update all non-major dependencies ([#17629](https://redirect.github.com/vitejs/vite/issues/17629)) ([93281b0](https://redirect.github.com/vitejs/vite/commit/93281b0e09ff8b00e21c24b80ed796db89cbc1ef)), closes [#17629](https://redirect.github.com/vitejs/vite/issues/17629)
- fix(importMetaGlob): handle alias that starts with hash ([#17743](https://redirect.github.com/vitejs/vite/issues/17743)) ([b58b423](https://redirect.github.com/vitejs/vite/commit/b58b423ba85a7cede97d00a0160a188770928ae4)), closes [#17743](https://redirect.github.com/vitejs/vite/issues/17743)
- fix(ssrTransform): sourcemaps with multiple sources ([#17677](https://redirect.github.com/vitejs/vite/issues/17677)) ([f321fa8](https://redirect.github.com/vitejs/vite/commit/f321fa8de2c8cf4f1758365abad4e7b352363a2f)), closes [#17677](https://redirect.github.com/vitejs/vite/issues/17677)
- chore: extend commit hash ([#17709](https://redirect.github.com/vitejs/vite/issues/17709)) ([4fc9b64](https://redirect.github.com/vitejs/vite/commit/4fc9b6424c27aca8004c368b69991a56264e4fdb)), closes [#17709](https://redirect.github.com/vitejs/vite/issues/17709)
- chore(deps): update all non-major dependencies ([#17734](https://redirect.github.com/vitejs/vite/issues/17734)) ([9983731](https://redirect.github.com/vitejs/vite/commit/998373120c8306326469d4f342690c17774acdf9)), closes [#17734](https://redirect.github.com/vitejs/vite/issues/17734)
- chore(deps): update typescript ([#17699](https://redirect.github.com/vitejs/vite/issues/17699)) ([df5ceb3](https://redirect.github.com/vitejs/vite/commit/df5ceb35b7f744cfcdfe3a28834f890f35f2b18f)), closes [#17699](https://redirect.github.com/vitejs/vite/issues/17699)
- revert: fix(logger): truncate log over 5000 characters long ([#16581](https://redirect.github.com/vitejs/vite/issues/16581)) ([#17729](https://redirect.github.com/vitejs/vite/issues/17729)) ([f4f488f](https://redirect.github.com/vitejs/vite/commit/f4f488fe83a0b710dd3de34a7075398cfce59605)), closes [#16581](https://redirect.github.com/vitejs/vite/issues/16581) [#17729](https://redirect.github.com/vitejs/vite/issues/17729)

### [`v5.3.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small534-2024-07-16-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.3.3...v5.3.4)

- fix: update Terser type definitions (fix [#17668](https://redirect.github.com/vitejs/vite/issues/17668)) ([#17669](https://redirect.github.com/vitejs/vite/issues/17669)) ([b723a75](https://redirect.github.com/vitejs/vite/commit/b723a75)), closes [#17668](https://redirect.github.com/vitejs/vite/issues/17668) [#17669](https://redirect.github.com/vitejs/vite/issues/17669)
- fix(build): skip preload treeshaking for nested braces ([#17687](https://redirect.github.com/vitejs/vite/issues/17687)) ([4be96b4](https://redirect.github.com/vitejs/vite/commit/4be96b4)), closes [#17687](https://redirect.github.com/vitejs/vite/issues/17687)
- fix(css): include `.css?url` in assets field of manifest ([#17623](https://redirect.github.com/vitejs/vite/issues/17623)) ([1465b20](https://redirect.github.com/vitejs/vite/commit/1465b20)), closes [#17623](https://redirect.github.com/vitejs/vite/issues/17623)
- fix(worker): nested inlined worker always fallbacked to data URI worker instead of using blob worker ([07bc489](https://redirect.github.com/vitejs/vite/commit/07bc489)), closes [#17509](https://redirect.github.com/vitejs/vite/issues/17509)
- refactor: replace includes with logical operations ([#17620](https://redirect.github.com/vitejs/vite/issues/17620)) ([c4a2227](https://redirect.github.com/vitejs/vite/commit/c4a2227)), closes [#17620](https://redirect.github.com/vitejs/vite/issues/17620)
- chore: add callback to http-proxy.d.ts jsdoc ([#17646](https://redirect.github.com/vitejs/vite/issues/17646)) ([d8a5d70](https://redirect.github.com/vitejs/vite/commit/d8a5d70)), closes [#17646](https://redirect.github.com/vitejs/vite/issues/17646)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.