carbon-design-system / carbon-labs

An innovation space for the creation of components leveraging Carbon Design System
Apache License 2.0

chore(deps): update dependency vite to v5.2.14 [security] - autoclosed #260

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 2 months ago

This PR contains the following updates:

| Package | Change |
|---|---|
| vite (source) | 5.2.10 -> 5.2.14 |

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

Release Notes

vitejs/vite (vite)

### [`v5.2.14`](https://redirect.github.com/vitejs/vite/releases/tag/v5.2.14)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.13...v5.2.14)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.2.14/packages/vite/CHANGELOG.md) for details.

### [`v5.2.13`](https://redirect.github.com/vitejs/vite/releases/tag/v5.2.13)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.12...v5.2.13)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.2.13/packages/vite/CHANGELOG.md) for details.

### [`v5.2.12`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5212-2024-05-28-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.11...v5.2.12)

- chore: move to eslint flat config ([#16743](https://redirect.github.com/vitejs/vite/issues/16743)) ([8f16765](https://redirect.github.com/vitejs/vite/commit/8f16765)), closes [#16743](https://redirect.github.com/vitejs/vite/issues/16743)
- chore(deps): remove unused deps ([#17329](https://redirect.github.com/vitejs/vite/issues/17329)) ([5a45745](https://redirect.github.com/vitejs/vite/commit/5a45745)), closes [#17329](https://redirect.github.com/vitejs/vite/issues/17329)
- chore(deps): update all non-major dependencies ([#16722](https://redirect.github.com/vitejs/vite/issues/16722)) ([b45922a](https://redirect.github.com/vitejs/vite/commit/b45922a)), closes [#16722](https://redirect.github.com/vitejs/vite/issues/16722)
- fix: mention `build.rollupOptions.output.manualChunks` instead of `build.rollupOutput.manualChunks` ([89378c0](https://redirect.github.com/vitejs/vite/commit/89378c0)), closes [#16721](https://redirect.github.com/vitejs/vite/issues/16721)
- fix(build): make SystemJSWrapRE match lazy ([#16633](https://redirect.github.com/vitejs/vite/issues/16633)) ([6583ad2](https://redirect.github.com/vitejs/vite/commit/6583ad2)), closes [#16633](https://redirect.github.com/vitejs/vite/issues/16633)
- fix(css): avoid generating empty JS files when JS files becomes empty but has CSS files imported ([#1](https://redirect.github.com/vitejs/vite/issues/1) ([95fe5a7](https://redirect.github.com/vitejs/vite/commit/95fe5a7)), closes [#16078](https://redirect.github.com/vitejs/vite/issues/16078)
- fix(css): handle lightningcss compiled css in Deno ([#17301](https://redirect.github.com/vitejs/vite/issues/17301)) ([8e4e932](https://redirect.github.com/vitejs/vite/commit/8e4e932)), closes [#17301](https://redirect.github.com/vitejs/vite/issues/17301)
- fix(css): only use files the current bundle contains ([#16684](https://redirect.github.com/vitejs/vite/issues/16684)) ([15a6ebb](https://redirect.github.com/vitejs/vite/commit/15a6ebb)), closes [#16684](https://redirect.github.com/vitejs/vite/issues/16684)
- fix(css): page reload was not happening with .css?raw ([#16455](https://redirect.github.com/vitejs/vite/issues/16455)) ([8041846](https://redirect.github.com/vitejs/vite/commit/8041846)), closes [#16455](https://redirect.github.com/vitejs/vite/issues/16455)
- fix(deps): update all non-major dependencies ([#16603](https://redirect.github.com/vitejs/vite/issues/16603)) ([6711553](https://redirect.github.com/vitejs/vite/commit/6711553)), closes [#16603](https://redirect.github.com/vitejs/vite/issues/16603)
- fix(deps): update all non-major dependencies ([#16660](https://redirect.github.com/vitejs/vite/issues/16660)) ([bf2f014](https://redirect.github.com/vitejs/vite/commit/bf2f014)), closes [#16660](https://redirect.github.com/vitejs/vite/issues/16660)
- fix(deps): update all non-major dependencies ([#17321](https://redirect.github.com/vitejs/vite/issues/17321)) ([4a89766](https://redirect.github.com/vitejs/vite/commit/4a89766)), closes [#17321](https://redirect.github.com/vitejs/vite/issues/17321)
- fix(error-logging): rollup errors weren't displaying id and codeframe ([#16540](https://redirect.github.com/vitejs/vite/issues/16540)) ([22dc196](https://redirect.github.com/vitejs/vite/commit/22dc196)), closes [#16540](https://redirect.github.com/vitejs/vite/issues/16540)
- fix(hmr): normalize the path info ([#14255](https://redirect.github.com/vitejs/vite/issues/14255)) ([6a085d0](https://redirect.github.com/vitejs/vite/commit/6a085d0)), closes [#14255](https://redirect.github.com/vitejs/vite/issues/14255)
- fix(hmr): trigger page reload when calling invalidate on root module ([#16636](https://redirect.github.com/vitejs/vite/issues/16636)) ([2b61cc3](https://redirect.github.com/vitejs/vite/commit/2b61cc3)), closes [#16636](https://redirect.github.com/vitejs/vite/issues/16636)
- fix(logger): truncate log over 5000 characters long ([#16581](https://redirect.github.com/vitejs/vite/issues/16581)) ([b0b839a](https://redirect.github.com/vitejs/vite/commit/b0b839a)), closes [#16581](https://redirect.github.com/vitejs/vite/issues/16581)
- fix(optimizer): log dependencies added by plugins ([#16729](https://redirect.github.com/vitejs/vite/issues/16729)) ([f0fb987](https://redirect.github.com/vitejs/vite/commit/f0fb987)), closes [#16729](https://redirect.github.com/vitejs/vite/issues/16729)
- fix(sourcemap): improve sourcemap compatibility for vue2 ([#16594](https://redirect.github.com/vitejs/vite/issues/16594)) ([913c040](https://redirect.github.com/vitejs/vite/commit/913c040)), closes [#16594](https://redirect.github.com/vitejs/vite/issues/16594)
- docs: correct proxy shorthand example ([#15938](https://redirect.github.com/vitejs/vite/issues/15938)) ([abf766e](https://redirect.github.com/vitejs/vite/commit/abf766e)), closes [#15938](https://redirect.github.com/vitejs/vite/issues/15938)
- docs: deprecate server.hot ([#16741](https://redirect.github.com/vitejs/vite/issues/16741)) ([e7d38ab](https://redirect.github.com/vitejs/vite/commit/e7d38ab)), closes [#16741](https://redirect.github.com/vitejs/vite/issues/16741)

### [`v5.2.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small5211-2024-05-02-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.2.10...v5.2.11)

- feat: improve dynamic import variable failure error message ([#16519](https://redirect.github.com/vitejs/vite/issues/16519)) ([f8feeea](https://redirect.github.com/vitejs/vite/commit/f8feeea)), closes [#16519](https://redirect.github.com/vitejs/vite/issues/16519)
- fix: dynamic-import-vars plugin normalize path issue ([#16518](https://redirect.github.com/vitejs/vite/issues/16518)) ([f71ba5b](https://redirect.github.com/vitejs/vite/commit/f71ba5b)), closes [#16518](https://redirect.github.com/vitejs/vite/issues/16518)
- fix: scripts and styles were missing from built HTML on Windows ([#16421](https://redirect.github.com/vitejs/vite/issues/16421)) ([0e93f58](https://redirect.github.com/vitejs/vite/commit/0e93f58)), closes [#16421](https://redirect.github.com/vitejs/vite/issues/16421)
- fix(deps): update all non-major dependencies ([#16488](https://redirect.github.com/vitejs/vite/issues/16488)) ([2d50be2](https://redirect.github.com/vitejs/vite/commit/2d50be2)), closes [#16488](https://redirect.github.com/vitejs/vite/issues/16488)
- fix(deps): update all non-major dependencies ([#16549](https://redirect.github.com/vitejs/vite/issues/16549)) ([2d6a13b](https://redirect.github.com/vitejs/vite/commit/2d6a13b)), closes [#16549](https://redirect.github.com/vitejs/vite/issues/16549)
- fix(dev): watch publicDir explicitly to include it outside the root ([#16502](https://redirect.github.com/vitejs/vite/issues/16502)) ([4d83eb5](https://redirect.github.com/vitejs/vite/commit/4d83eb5)), closes [#16502](https://redirect.github.com/vitejs/vite/issues/16502)
- fix(preload): skip preload for non-static urls ([#16556](https://redirect.github.com/vitejs/vite/issues/16556)) ([bb79c9b](https://redirect.github.com/vitejs/vite/commit/bb79c9b)), closes [#16556](https://redirect.github.com/vitejs/vite/issues/16556)
- fix(ssr): handle class declaration and expression name scoping ([#16569](https://redirect.github.com/vitejs/vite/issues/16569)) ([c071eb3](https://redirect.github.com/vitejs/vite/commit/c071eb3)), closes [#16569](https://redirect.github.com/vitejs/vite/issues/16569)
- fix(ssr): handle function expression name scoping ([#16563](https://redirect.github.com/vitejs/vite/issues/16563)) ([02db947](https://redirect.github.com/vitejs/vite/commit/02db947)), closes [#16563](https://redirect.github.com/vitejs/vite/issues/16563)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
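The CVE-2024-45811 advisory quoted above shows the `/@fs/` allow-list check being skipped when `?import&raw` is appended. As an added example (not Vite's code, not part of this PR), the Vite plugin below re-applies the `server.fs.allow` rule to every `/@fs/` request after path canonicalisation, regardless of query string, which is the property a reviewer would expect at that boundary while the upgrade lands. `configureServer`, `server.config.server.fs.allow` and `server.middlewares` are Vite's actual plugin/server API; the plugin name `fs-raw-guard`, the sample allow directory and the sample URLs are constructed.

```javascript
// Drop "." and empty segments and resolve ".." so that e.g.
// "/home/dev/proj/../secret" compares as "/home/dev/secret".
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Classify a dev-server request URL against the allow list, ignoring the
// query string entirely. Undecodable paths fail closed (allowed: false).
function checkFsRequest(url, allowDirs) {
  const u = new URL(url, 'http://localhost');
  if (!u.pathname.startsWith('/@fs/')) return { fs: false };
  const raw = u.searchParams.has('raw');
  let file;
  try { file = normalize(decodeURIComponent(u.pathname.slice('/@fs'.length))); }
  catch { return { fs: true, raw, file: null, allowed: false }; }
  const allowed = allowDirs.map(normalize)
    .some((d) => d === '/' || file === d || file.startsWith(d + '/'));
  return { fs: true, raw, file, allowed };
}

// Vite plugin (constructed name). configureServer, server.config.server.fs.allow
// and server.middlewares are Vite's real API; plugin middleware runs before
// Vite's own, so the request is refused before any file is read.
function fsRawGuard() {
  return {
    name: 'fs-raw-guard',
    configureServer(server) {
      const allow = server.config.server.fs.allow;
      server.middlewares.use((req, res, next) => {
        const r = checkFsRequest(req.url, allow);
        if (r.fs && !r.allowed) {
          res.statusCode = 403;
          res.end(`The request url "${r.file}" is outside of Vite serving allow list.`);
          return;
        }
        next();
      });
    },
  };
}

// The advisory's bypass request, checked against a constructed allow list:
console.log(checkFsRequest('/@fs/tmp/secret.txt?import&raw', ['/home/dev/vite-project']).allowed); // false
```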

netlify[bot] commented 2 months ago

Deploy Preview for carbon-labs ready!

| Name | Link |
|---|---|
| Latest commit | 7699d6db12e0d020c1da38713e78352849df0131 |
| Latest deploy log | https://app.netlify.com/sites/carbon-labs/deploys/66ea019f4f57b20008c055df |
| Deploy Preview | https://deploy-preview-260--carbon-labs.netlify.app |

To edit notification comments on pull requests, go to your Netlify site configuration.