chore(deps): update dependency vite to v5.2.14 [security] - autoclosed

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`5.2.10` -> `5.2.14`

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

vitejs/vite (vite)

### [`v5.2.14`](https://redirect.github.com/vitejs/vite/releases/tag/v5.2.14) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.13...v5.2.14) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.2.14/packages/vite/CHANGELOG.md) for details. ### [`v5.2.13`](https://redirect.github.com/vitejs/vite/releases/tag/v5.2.13) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.12...v5.2.13) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.2.13/packages/vite/CHANGELOG.md) for details. ### [`v5.2.12`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5212-2024-05-28-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.11...v5.2.12) - chore: move to eslint flat config ([#16743](https://redirect.github.com/vitejs/vite/issues/16743)) ([8f16765](https://redirect.github.com/vitejs/vite/commit/8f16765)), closes [#16743](https://redirect.github.com/vitejs/vite/issues/16743) - chore(deps): remove unused deps ([#17329](https://redirect.github.com/vitejs/vite/issues/17329)) ([5a45745](https://redirect.github.com/vitejs/vite/commit/5a45745)), closes [#17329](https://redirect.github.com/vitejs/vite/issues/17329) - chore(deps): update all non-major dependencies ([#16722](https://redirect.github.com/vitejs/vite/issues/16722)) ([b45922a](https://redirect.github.com/vitejs/vite/commit/b45922a)), closes [#16722](https://redirect.github.com/vitejs/vite/issues/16722) - fix: mention `build.rollupOptions.output.manualChunks` instead of `build.rollupOutput.manualChunks` ([89378c0](https://redirect.github.com/vitejs/vite/commit/89378c0)), closes [#16721](https://redirect.github.com/vitejs/vite/issues/16721) - fix(build): make SystemJSWrapRE match lazy ([#16633](https://redirect.github.com/vitejs/vite/issues/16633)) ([6583ad2](https://redirect.github.com/vitejs/vite/commit/6583ad2)), closes [#16633](https://redirect.github.com/vitejs/vite/issues/16633) - fix(css): avoid generating empty JS files when JS files becomes empty but has CSS files imported ([#1](https://redirect.github.com/vitejs/vite/issues/1) ([95fe5a7](https://redirect.github.com/vitejs/vite/commit/95fe5a7)), closes [#16078](https://redirect.github.com/vitejs/vite/issues/16078) - fix(css): handle lightningcss compiled css in Deno ([#17301](https://redirect.github.com/vitejs/vite/issues/17301)) ([8e4e932](https://redirect.github.com/vitejs/vite/commit/8e4e932)), closes [#17301](https://redirect.github.com/vitejs/vite/issues/17301) - fix(css): only use files the current bundle contains ([#16684](https://redirect.github.com/vitejs/vite/issues/16684)) ([15a6ebb](https://redirect.github.com/vitejs/vite/commit/15a6ebb)), closes [#16684](https://redirect.github.com/vitejs/vite/issues/16684) - fix(css): page reload was not happening with .css?raw ([#16455](https://redirect.github.com/vitejs/vite/issues/16455)) ([8041846](https://redirect.github.com/vitejs/vite/commit/8041846)), closes [#16455](https://redirect.github.com/vitejs/vite/issues/16455) - fix(deps): update all non-major dependencies ([#16603](https://redirect.github.com/vitejs/vite/issues/16603)) ([6711553](https://redirect.github.com/vitejs/vite/commit/6711553)), closes [#16603](https://redirect.github.com/vitejs/vite/issues/16603) - fix(deps): update all non-major dependencies ([#16660](https://redirect.github.com/vitejs/vite/issues/16660)) ([bf2f014](https://redirect.github.com/vitejs/vite/commit/bf2f014)), closes [#16660](https://redirect.github.com/vitejs/vite/issues/16660) - fix(deps): update all non-major dependencies ([#17321](https://redirect.github.com/vitejs/vite/issues/17321)) ([4a89766](https://redirect.github.com/vitejs/vite/commit/4a89766)), closes [#17321](https://redirect.github.com/vitejs/vite/issues/17321) - fix(error-logging): rollup errors weren't displaying id and codeframe ([#16540](https://redirect.github.com/vitejs/vite/issues/16540)) ([22dc196](https://redirect.github.com/vitejs/vite/commit/22dc196)), closes [#16540](https://redirect.github.com/vitejs/vite/issues/16540) - fix(hmr): normalize the path info ([#14255](https://redirect.github.com/vitejs/vite/issues/14255)) ([6a085d0](https://redirect.github.com/vitejs/vite/commit/6a085d0)), closes [#14255](https://redirect.github.com/vitejs/vite/issues/14255) - fix(hmr): trigger page reload when calling invalidate on root module ([#16636](https://redirect.github.com/vitejs/vite/issues/16636)) ([2b61cc3](https://redirect.github.com/vitejs/vite/commit/2b61cc3)), closes [#16636](https://redirect.github.com/vitejs/vite/issues/16636) - fix(logger): truncate log over 5000 characters long ([#16581](https://redirect.github.com/vitejs/vite/issues/16581)) ([b0b839a](https://redirect.github.com/vitejs/vite/commit/b0b839a)), closes [#16581](https://redirect.github.com/vitejs/vite/issues/16581) - fix(optimizer): log dependencies added by plugins ([#16729](https://redirect.github.com/vitejs/vite/issues/16729)) ([f0fb987](https://redirect.github.com/vitejs/vite/commit/f0fb987)), closes [#16729](https://redirect.github.com/vitejs/vite/issues/16729) - fix(sourcemap): improve sourcemap compatibility for vue2 ([#16594](https://redirect.github.com/vitejs/vite/issues/16594)) ([913c040](https://redirect.github.com/vitejs/vite/commit/913c040)), closes [#16594](https://redirect.github.com/vitejs/vite/issues/16594) - docs: correct proxy shorthand example ([#15938](https://redirect.github.com/vitejs/vite/issues/15938)) ([abf766e](https://redirect.github.com/vitejs/vite/commit/abf766e)), closes [#15938](https://redirect.github.com/vitejs/vite/issues/15938) - docs: deprecate server.hot ([#16741](https://redirect.github.com/vitejs/vite/issues/16741)) ([e7d38ab](https://redirect.github.com/vitejs/vite/commit/e7d38ab)), closes [#16741](https://redirect.github.com/vitejs/vite/issues/16741) ### [`v5.2.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5211-2024-05-02-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.10...v5.2.11) - feat: improve dynamic import variable failure error message ([#16519](https://redirect.github.com/vitejs/vite/issues/16519)) ([f8feeea](https://redirect.github.com/vitejs/vite/commit/f8feeea)), closes [#16519](https://redirect.github.com/vitejs/vite/issues/16519) - fix: dynamic-import-vars plugin normalize path issue ([#16518](https://redirect.github.com/vitejs/vite/issues/16518)) ([f71ba5b](https://redirect.github.com/vitejs/vite/commit/f71ba5b)), closes [#16518](https://redirect.github.com/vitejs/vite/issues/16518) - fix: scripts and styles were missing from built HTML on Windows ([#16421](https://redirect.github.com/vitejs/vite/issues/16421)) ([0e93f58](https://redirect.github.com/vitejs/vite/commit/0e93f58)), closes [#16421](https://redirect.github.com/vitejs/vite/issues/16421) - fix(deps): update all non-major dependencies ([#16488](https://redirect.github.com/vitejs/vite/issues/16488)) ([2d50be2](https://redirect.github.com/vitejs/vite/commit/2d50be2)), closes [#16488](https://redirect.github.com/vitejs/vite/issues/16488) - fix(deps): update all non-major dependencies ([#16549](https://redirect.github.com/vitejs/vite/issues/16549)) ([2d6a13b](https://redirect.github.com/vitejs/vite/commit/2d6a13b)), closes [#16549](https://redirect.github.com/vitejs/vite/issues/16549) - fix(dev): watch publicDir explicitly to include it outside the root ([#16502](https://redirect.github.com/vitejs/vite/issues/16502)) ([4d83eb5](https://redirect.github.com/vitejs/vite/commit/4d83eb5)), closes [#16502](https://redirect.github.com/vitejs/vite/issues/16502) - fix(preload): skip preload for non-static urls ([#16556](https://redirect.github.com/vitejs/vite/issues/16556)) ([bb79c9b](https://redirect.github.com/vitejs/vite/commit/bb79c9b)), closes [#16556](https://redirect.github.com/vitejs/vite/issues/16556) - fix(ssr): handle class declaration and expression name scoping ([#16569](https://redirect.github.com/vitejs/vite/issues/16569)) ([c071eb3](https://redirect.github.com/vitejs/vite/commit/c071eb3)), closes [#16569](https://redirect.github.com/vitejs/vite/issues/16569) - fix(ssr): handle function expression name scoping ([#16563](https://redirect.github.com/vitejs/vite/issues/16563)) ([02db947](https://redirect.github.com/vitejs/vite/commit/02db947)), closes [#16563](https://redirect.github.com/vitejs/vite/issues/16563)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Name	Link
Latest commit	7699d6db12e0d020c1da38713e78352849df0131
Latest deploy log	https://app.netlify.com/sites/carbon-labs/deploys/66ea019f4f57b20008c055df
Deploy Preview	https://deploy-preview-260--carbon-labs.netlify.app
Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

carbon-design-system / carbon-labs