crabnebula-dev / devtools

Inspect and Debug your Tauri applications in style 💃
https://devtools.crabnebula.dev

chore(deps): update dependency vite to v5.1.7 [security] - autoclosed #269

Closed renovate[bot] closed 4 months ago

renovate[bot] commented 6 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| vite (source) | 5.1.1 -> 5.1.7 |

GitHub Vulnerability Alerts

CVE-2024-31207

Summary

Vite dev server option `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.

Impact

Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. `matchBase` only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set `fs.deny` to glob with picomatch. Vite also does not set `{ dot: true }` and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set `fs.deny` to `['**/.git/**']` and then curl for `/.git/config`.


Release Notes

vitejs/vite (vite)

### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details.

### [`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6)

- chore(deps): update all non-major dependencies ([#16131](https://togithub.com/vitejs/vite/issues/16131)) ([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes [#16131](https://togithub.com/vitejs/vite/issues/16131)
- fix: check for publicDir before checking if it is a parent directory ([#16046](https://togithub.com/vitejs/vite/issues/16046)) ([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes [#16046](https://togithub.com/vitejs/vite/issues/16046)
- fix: escape single quote when relative base is used ([#16060](https://togithub.com/vitejs/vite/issues/16060)) ([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes [#16060](https://togithub.com/vitejs/vite/issues/16060)
- fix: handle function property extension in namespace import ([#16113](https://togithub.com/vitejs/vite/issues/16113)) ([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes [#16113](https://togithub.com/vitejs/vite/issues/16113)
- fix: server middleware mode resolve ([#16122](https://togithub.com/vitejs/vite/issues/16122)) ([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes [#16122](https://togithub.com/vitejs/vite/issues/16122)
- fix(esbuild): update tsconfck to fix bug that could cause a deadlock ([#16124](https://togithub.com/vitejs/vite/issues/16124)) ([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes [#16124](https://togithub.com/vitejs/vite/issues/16124)
- fix(worker): hide "The emitted file overwrites" warning if the content is same ([#16094](https://togithub.com/vitejs/vite/issues/16094)) ([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes [#16094](https://togithub.com/vitejs/vite/issues/16094)
- fix(worker): throw error when circular worker import is detected and support self referencing worker ([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes [#16103](https://togithub.com/vitejs/vite/issues/16103)
- style(utils): remove null check ([#16112](https://togithub.com/vitejs/vite/issues/16112)) ([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes [#16112](https://togithub.com/vitejs/vite/issues/16112)
- refactor(runtime): share more code between runtime and main bundle ([#16063](https://togithub.com/vitejs/vite/issues/16063)) ([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes [#16063](https://togithub.com/vitejs/vite/issues/16063)

### [`v5.1.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small515-2024-03-04-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.4...v5.1.5)

- fix: `__vite__mapDeps` code injection ([#15732](https://togithub.com/vitejs/vite/issues/15732)) ([aff54e1](https://togithub.com/vitejs/vite/commit/aff54e1)), closes [#15732](https://togithub.com/vitejs/vite/issues/15732)
- fix: analysing build chunk without dependencies ([#15469](https://togithub.com/vitejs/vite/issues/15469)) ([bd52283](https://togithub.com/vitejs/vite/commit/bd52283)), closes [#15469](https://togithub.com/vitejs/vite/issues/15469)
- fix: import with query with imports field ([#16085](https://togithub.com/vitejs/vite/issues/16085)) ([ab823ab](https://togithub.com/vitejs/vite/commit/ab823ab)), closes [#16085](https://togithub.com/vitejs/vite/issues/16085)
- fix: normalize literal-only entry pattern ([#16010](https://togithub.com/vitejs/vite/issues/16010)) ([1dccc37](https://togithub.com/vitejs/vite/commit/1dccc37)), closes [#16010](https://togithub.com/vitejs/vite/issues/16010)
- fix: optimizeDeps.entries with literal-only pattern(s) ([#15853](https://togithub.com/vitejs/vite/issues/15853)) ([49300b3](https://togithub.com/vitejs/vite/commit/49300b3)), closes [#15853](https://togithub.com/vitejs/vite/issues/15853)
- fix: output correct error for empty import specifier ([#16055](https://togithub.com/vitejs/vite/issues/16055)) ([a9112eb](https://togithub.com/vitejs/vite/commit/a9112eb)), closes [#16055](https://togithub.com/vitejs/vite/issues/16055)
- fix: upgrade esbuild to 0.20.x ([#16062](https://togithub.com/vitejs/vite/issues/16062)) ([899d9b1](https://togithub.com/vitejs/vite/commit/899d9b1)), closes [#16062](https://togithub.com/vitejs/vite/issues/16062)
- fix(runtime): runtime HMR affects only imported files ([#15898](https://togithub.com/vitejs/vite/issues/15898)) ([57463fc](https://togithub.com/vitejs/vite/commit/57463fc)), closes [#15898](https://togithub.com/vitejs/vite/issues/15898)
- fix(scanner): respect `experimentalDecorators: true` ([#15206](https://togithub.com/vitejs/vite/issues/15206)) ([4144781](https://togithub.com/vitejs/vite/commit/4144781)), closes [#15206](https://togithub.com/vitejs/vite/issues/15206)
- revert: "fix: upgrade esbuild to 0.20.x" ([#16072](https://togithub.com/vitejs/vite/issues/16072)) ([11cceea](https://togithub.com/vitejs/vite/commit/11cceea)), closes [#16072](https://togithub.com/vitejs/vite/issues/16072)
- refactor: share code with vite runtime ([#15907](https://togithub.com/vitejs/vite/issues/15907)) ([b20d542](https://togithub.com/vitejs/vite/commit/b20d542)), closes [#15907](https://togithub.com/vitejs/vite/issues/15907)
- refactor(runtime): use functions from `pathe` ([#16061](https://togithub.com/vitejs/vite/issues/16061)) ([aac2ef7](https://togithub.com/vitejs/vite/commit/aac2ef7)), closes [#16061](https://togithub.com/vitejs/vite/issues/16061)
- chore(deps): update all non-major dependencies ([#16028](https://togithub.com/vitejs/vite/issues/16028)) ([7cfe80d](https://togithub.com/vitejs/vite/commit/7cfe80d)), closes [#16028](https://togithub.com/vitejs/vite/issues/16028)

### [`v5.1.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small514-2024-02-21-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.3...v5.1.4)

- perf: remove unnecessary regex s modifier ([#15766](https://togithub.com/vitejs/vite/issues/15766)) ([8dc1b73](https://togithub.com/vitejs/vite/commit/8dc1b73)), closes [#15766](https://togithub.com/vitejs/vite/issues/15766)
- fix: fs cached checks disabled by default for yarn pnp ([#15920](https://togithub.com/vitejs/vite/issues/15920)) ([8b11fea](https://togithub.com/vitejs/vite/commit/8b11fea)), closes [#15920](https://togithub.com/vitejs/vite/issues/15920)
- fix: resolve directory correctly when `fs.cachedChecks: true` ([#15983](https://togithub.com/vitejs/vite/issues/15983)) ([4fe971f](https://togithub.com/vitejs/vite/commit/4fe971f)), closes [#15983](https://togithub.com/vitejs/vite/issues/15983)
- fix: srcSet with optional descriptor ([#15905](https://togithub.com/vitejs/vite/issues/15905)) ([81b3bd0](https://togithub.com/vitejs/vite/commit/81b3bd0)), closes [#15905](https://togithub.com/vitejs/vite/issues/15905)
- fix(deps): update all non-major dependencies ([#15959](https://togithub.com/vitejs/vite/issues/15959)) ([571a3fd](https://togithub.com/vitejs/vite/commit/571a3fd)), closes [#15959](https://togithub.com/vitejs/vite/issues/15959)
- fix(watch): build watch fails when outDir is empty string ([#15979](https://togithub.com/vitejs/vite/issues/15979)) ([1d263d3](https://togithub.com/vitejs/vite/commit/1d263d3)), closes [#15979](https://togithub.com/vitejs/vite/issues/15979)

### [`v5.1.3`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small513-2024-02-15-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.2...v5.1.3)

- fix: cachedTransformMiddleware for direct css requests ([#15919](https://togithub.com/vitejs/vite/issues/15919)) ([5099028](https://togithub.com/vitejs/vite/commit/5099028)), closes [#15919](https://togithub.com/vitejs/vite/issues/15919)
- refactor(runtime): minor tweaks ([#15904](https://togithub.com/vitejs/vite/issues/15904)) ([63a39c2](https://togithub.com/vitejs/vite/commit/63a39c2)), closes [#15904](https://togithub.com/vitejs/vite/issues/15904)
- refactor(runtime): seal ES module namespace object instead of freezing ([#15914](https://togithub.com/vitejs/vite/issues/15914)) ([4172f02](https://togithub.com/vitejs/vite/commit/4172f02)), closes [#15914](https://togithub.com/vitejs/vite/issues/15914)

### [`v5.1.2`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small512-2024-02-14-small)

[Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.1...v5.1.2)

- fix: normalize import file path info ([#15772](https://togithub.com/vitejs/vite/issues/15772)) ([306df44](https://togithub.com/vitejs/vite/commit/306df44)), closes [#15772](https://togithub.com/vitejs/vite/issues/15772)
- fix(build): do not output build time when build fails ([#15711](https://togithub.com/vitejs/vite/issues/15711)) ([added3e](https://togithub.com/vitejs/vite/commit/added3e)), closes [#15711](https://togithub.com/vitejs/vite/issues/15711)
- fix(runtime): pass path instead of fileURL to `isFilePathESM` ([#15908](https://togithub.com/vitejs/vite/issues/15908)) ([7b15607](https://togithub.com/vitejs/vite/commit/7b15607)), closes [#15908](https://togithub.com/vitejs/vite/issues/15908)
- fix(worker): support UTF-8 encoding in inline workers (fixes [#12117](https://togithub.com/vitejs/vite/issues/12117)) ([#15866](https://togithub.com/vitejs/vite/issues/15866)) ([570e0f1](https://togithub.com/vitejs/vite/commit/570e0f1)), closes [#12117](https://togithub.com/vitejs/vite/issues/12117) [#15866](https://togithub.com/vitejs/vite/issues/15866)
- chore: update license file ([#15885](https://togithub.com/vitejs/vite/issues/15885)) ([d9adf18](https://togithub.com/vitejs/vite/commit/d9adf18)), closes [#15885](https://togithub.com/vitejs/vite/issues/15885)
- chore(deps): update all non-major dependencies ([#15874](https://togithub.com/vitejs/vite/issues/15874)) ([d16ce5d](https://togithub.com/vitejs/vite/commit/d16ce5d)), closes [#15874](https://togithub.com/vitejs/vite/issues/15874)
- chore(deps): update dependency dotenv-expand to v11 ([#15875](https://togithub.com/vitejs/vite/issues/15875)) ([642d528](https://togithub.com/vitejs/vite/commit/642d528)), closes [#15875](https://togithub.com/vitejs/vite/issues/15875)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
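
The three conditions from the advisory's Impact and Patches sections, combined into one audit check for a project's Vite version and dev-server config. This is an added example, not code from Vite, Renovate or this repository; the function names, the loopback host list and the treatment of release lines with no listed fix are assumptions.

```javascript
// Added example (not Vite or Renovate code). Fixed versions are copied from
// the "Patches" section of the advisory above.
const FIXED = ["5.2.6", "5.1.7", "5.0.13", "4.5.3", "3.2.10", "2.9.18"];

// "5.1.7-beta.1" -> [5, 1, 7]; pre-release tags are ignored (assumption).
const parse = (v) => v.split("-")[0].split(".").map(Number);

const compare = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// Patched if at or above the fix for its own major.minor line. A line with no
// listed fix counts as patched only if it is newer than every listed fix in
// the same major (or, for an unlisted major, newer than all listed fixes).
function isPatched(version) {
  const v = parse(version);
  const fixes = FIXED.map(parse);
  const sameLine = fixes.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameLine) return compare(v, sameLine) >= 0;
  const sameMajor = fixes.filter((f) => f[0] === v[0]);
  const pool = sameMajor.length ? sameMajor : fixes;
  return pool.every((f) => compare(v, f) > 0);
}

// The advisory's affected class: deny globs that contain a directory part.
const directoryPatterns = (deny) => deny.filter((p) => p.includes("/"));

// server.host values that keep the dev server on loopback (assumption: any
// other truthy value, such as true or "0.0.0.0", exposes it to the network).
const LOOPBACK = new Set(["localhost", "127.0.0.1", "::1"]);
const isExposed = (host) => Boolean(host) && !LOOPBACK.has(host);

// Affected only when all three conditions from the Impact section hold.
function auditViteDeny({ version, deny = [], host }) {
  const patterns = directoryPatterns(deny);
  const patched = isPatched(version);
  const exposed = isExposed(host);
  return { affected: !patched && exposed && patterns.length > 0, patched, exposed, patterns };
}

// Constructed sample: the version this PR upgrades from, the advisory's
// reproduction pattern, and a network-exposed dev server.
console.log(auditViteDeny({ version: "5.1.1", deny: ["**/.git/**", ".env"], host: true }));
```

Patterns without a directory part, such as `.env`, are not flagged because the advisory limits the bug to patterns with directories.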

netlify[bot] commented 6 months ago

Deploy Preview for cn-devtools-app ready!

Name Link
Latest commit 32e52363e77a1e070fc0a054a5ed45700937e20e
Latest deploy log https://app.netlify.com/sites/cn-devtools-app/deploys/663c511964b6570008b854ed
Deploy Preview https://deploy-preview-269--cn-devtools-app.netlify.app

To edit notification comments on pull requests, go to your Netlify site configuration.