:arrow_up: Update dependency vite to v5.1.7 [SECURITY] - autoclosed

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`5.1.3` -> `5.1.7`

GitHub Vulnerability Alerts

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

Release Notes

vitejs/vite (vite)

### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details. ### [`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6) - chore(deps): update all non-major dependencies ([#16131](https://togithub.com/vitejs/vite/issues/16131)) ([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes [#16131](https://togithub.com/vitejs/vite/issues/16131) - fix: check for publicDir before checking if it is a parent directory ([#16046](https://togithub.com/vitejs/vite/issues/16046)) ([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes [#16046](https://togithub.com/vitejs/vite/issues/16046) - fix: escape single quote when relative base is used ([#16060](https://togithub.com/vitejs/vite/issues/16060)) ([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes [#16060](https://togithub.com/vitejs/vite/issues/16060) - fix: handle function property extension in namespace import ([#16113](https://togithub.com/vitejs/vite/issues/16113)) ([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes [#16113](https://togithub.com/vitejs/vite/issues/16113) - fix: server middleware mode resolve ([#16122](https://togithub.com/vitejs/vite/issues/16122)) ([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes [#16122](https://togithub.com/vitejs/vite/issues/16122) - fix(esbuild): update tsconfck to fix bug that could cause a deadlock ([#16124](https://togithub.com/vitejs/vite/issues/16124)) ([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes [#16124](https://togithub.com/vitejs/vite/issues/16124) - fix(worker): hide "The emitted file overwrites" warning if the content is same ([#16094](https://togithub.com/vitejs/vite/issues/16094)) ([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes [#16094](https://togithub.com/vitejs/vite/issues/16094) - fix(worker): throw error when circular worker import is detected and support self referencing worker ([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes [#16103](https://togithub.com/vitejs/vite/issues/16103) - style(utils): remove null check ([#16112](https://togithub.com/vitejs/vite/issues/16112)) ([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes [#16112](https://togithub.com/vitejs/vite/issues/16112) - refactor(runtime): share more code between runtime and main bundle ([#16063](https://togithub.com/vitejs/vite/issues/16063)) ([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes [#16063](https://togithub.com/vitejs/vite/issues/16063) ### [`v5.1.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small515-2024-03-04-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.4...v5.1.5) - fix: `__vite__mapDeps` code injection ([#15732](https://togithub.com/vitejs/vite/issues/15732)) ([aff54e1](https://togithub.com/vitejs/vite/commit/aff54e1)), closes [#15732](https://togithub.com/vitejs/vite/issues/15732) - fix: analysing build chunk without dependencies ([#15469](https://togithub.com/vitejs/vite/issues/15469)) ([bd52283](https://togithub.com/vitejs/vite/commit/bd52283)), closes [#15469](https://togithub.com/vitejs/vite/issues/15469) - fix: import with query with imports field ([#16085](https://togithub.com/vitejs/vite/issues/16085)) ([ab823ab](https://togithub.com/vitejs/vite/commit/ab823ab)), closes [#16085](https://togithub.com/vitejs/vite/issues/16085) - fix: normalize literal-only entry pattern ([#16010](https://togithub.com/vitejs/vite/issues/16010)) ([1dccc37](https://togithub.com/vitejs/vite/commit/1dccc37)), closes [#16010](https://togithub.com/vitejs/vite/issues/16010) - fix: optimizeDeps.entries with literal-only pattern(s) ([#15853](https://togithub.com/vitejs/vite/issues/15853)) ([49300b3](https://togithub.com/vitejs/vite/commit/49300b3)), closes [#15853](https://togithub.com/vitejs/vite/issues/15853) - fix: output correct error for empty import specifier ([#16055](https://togithub.com/vitejs/vite/issues/16055)) ([a9112eb](https://togithub.com/vitejs/vite/commit/a9112eb)), closes [#16055](https://togithub.com/vitejs/vite/issues/16055) - fix: upgrade esbuild to 0.20.x ([#16062](https://togithub.com/vitejs/vite/issues/16062)) ([899d9b1](https://togithub.com/vitejs/vite/commit/899d9b1)), closes [#16062](https://togithub.com/vitejs/vite/issues/16062) - fix(runtime): runtime HMR affects only imported files ([#15898](https://togithub.com/vitejs/vite/issues/15898)) ([57463fc](https://togithub.com/vitejs/vite/commit/57463fc)), closes [#15898](https://togithub.com/vitejs/vite/issues/15898) - fix(scanner): respect `experimentalDecorators: true` ([#15206](https://togithub.com/vitejs/vite/issues/15206)) ([4144781](https://togithub.com/vitejs/vite/commit/4144781)), closes [#15206](https://togithub.com/vitejs/vite/issues/15206) - revert: "fix: upgrade esbuild to 0.20.x" ([#16072](https://togithub.com/vitejs/vite/issues/16072)) ([11cceea](https://togithub.com/vitejs/vite/commit/11cceea)), closes [#16072](https://togithub.com/vitejs/vite/issues/16072) - refactor: share code with vite runtime ([#15907](https://togithub.com/vitejs/vite/issues/15907)) ([b20d542](https://togithub.com/vitejs/vite/commit/b20d542)), closes [#15907](https://togithub.com/vitejs/vite/issues/15907) - refactor(runtime): use functions from `pathe` ([#16061](https://togithub.com/vitejs/vite/issues/16061)) ([aac2ef7](https://togithub.com/vitejs/vite/commit/aac2ef7)), closes [#16061](https://togithub.com/vitejs/vite/issues/16061) - chore(deps): update all non-major dependencies ([#16028](https://togithub.com/vitejs/vite/issues/16028)) ([7cfe80d](https://togithub.com/vitejs/vite/commit/7cfe80d)), closes [#16028](https://togithub.com/vitejs/vite/issues/16028) ### [`v5.1.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small514-2024-02-21-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.3...v5.1.4) - perf: remove unnecessary regex s modifier ([#15766](https://togithub.com/vitejs/vite/issues/15766)) ([8dc1b73](https://togithub.com/vitejs/vite/commit/8dc1b73)), closes [#15766](https://togithub.com/vitejs/vite/issues/15766) - fix: fs cached checks disabled by default for yarn pnp ([#15920](https://togithub.com/vitejs/vite/issues/15920)) ([8b11fea](https://togithub.com/vitejs/vite/commit/8b11fea)), closes [#15920](https://togithub.com/vitejs/vite/issues/15920) - fix: resolve directory correctly when `fs.cachedChecks: true` ([#15983](https://togithub.com/vitejs/vite/issues/15983)) ([4fe971f](https://togithub.com/vitejs/vite/commit/4fe971f)), closes [#15983](https://togithub.com/vitejs/vite/issues/15983) - fix: srcSet with optional descriptor ([#15905](https://togithub.com/vitejs/vite/issues/15905)) ([81b3bd0](https://togithub.com/vitejs/vite/commit/81b3bd0)), closes [#15905](https://togithub.com/vitejs/vite/issues/15905) - fix(deps): update all non-major dependencies ([#15959](https://togithub.com/vitejs/vite/issues/15959)) ([571a3fd](https://togithub.com/vitejs/vite/commit/571a3fd)), closes [#15959](https://togithub.com/vitejs/vite/issues/15959) - fix(watch): build watch fails when outDir is empty string ([#15979](https://togithub.com/vitejs/vite/issues/15979)) ([1d263d3](https://togithub.com/vitejs/vite/commit/1d263d3)), closes [#15979](https://togithub.com/vitejs/vite/issues/15979)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sebclem / hassio-nextcloud-backup