devrsi0n / chirpy

💬 A privacy-friendly and customizable Disqus (comment system) alternative. A comment system focused on privacy protection and customization.
https://chirpy.dev
GNU Affero General Public License v3.0

chore(deps): update dependency vite to v2.9.16 [security] - autoclosed #573

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|:--|:--|
| vite (source) | 2.9.14 -> 2.9.16 |

GitHub Vulnerability Alerts

CVE-2023-34092

Summary

Vite Server Options (server.fs.deny) can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including those covered by the default fs.deny settings (['.env', '.env.*', '*.{crt,pem}']).

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, and in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16.

Details

Vite serves the application under the root path of the project while running in dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But with simply a double forward-slash, we can bypass this fs restriction.

PoC

  1. Create a new project with the latest Vite using any package manager (here I'm using the react and vue templates for testing, and pnpm).
  2. Serve the application in dev mode using pnpm run dev.
  3. Directly access the file from the URL using a double forward-slash (//) (e.g. //.env, //.env.local).
  4. The server option fs.deny restriction is successfully bypassed.

Proof Images: proof-1 proof-2


Release Notes

vitejs/vite

### [`v2.9.16`](https://togithub.com/vitejs/vite/releases/tag/v2.9.16)

[Compare Source](https://togithub.com/vitejs/vite/compare/v2.9.15...v2.9.16)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v2.9.16/packages/vite/CHANGELOG.md) for details.

### [`v2.9.15`](https://togithub.com/vitejs/vite/releases/tag/v2.9.15)

[Compare Source](https://togithub.com/vitejs/vite/compare/v2.9.14...v2.9.15)

Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v2.9.15/packages/vite/CHANGELOG.md) for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.

vercel[bot] commented 1 year ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|:--|:--|:--|:--|:--|
| chirpy | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Jun 23, 2023 0:59am |

changeset-bot[bot] commented 1 year ago

โš ๏ธ No Changeset found

Latest commit: d327a5a24cef74785b0968fff69ff43d3a9d905a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions[bot] commented 1 year ago

Coverage report for ./apps/main

| St. | Category | Percentage | Covered / Total |
|:--|:--|--:|--:|
| 🔴 | Statements | 8.7% | 40/460 |
| 🔴 | Branches | 9.89% | 9/91 |
| 🔴 | Functions | 4.29% | 3/70 |
| 🔴 | Lines | 9.25% | 38/411 |

Test suite run success

2 tests passing in 2 suites.

Report generated by 🧪 jest coverage report action from d327a5a24cef74785b0968fff69ff43d3a9d905a

relativeci[bot] commented 1 year ago

Job #1381: Bundle Size — 2.12MiB (0%).

e813977(current) vs 7235eb7 main#1379(baseline)

:warning: Bundle contains 5 duplicate packages

Metrics (1 change)

| | Current Job #1381 | Baseline Job #1379 |
|:--|--:|--:|
| Initial JS | 1.77MiB | 1.77MiB |
| Initial CSS | 82.86KiB | 82.86KiB |
| Cache Invalidation | 0% | 98.09% |
| Chunks | 53 | 53 |
| Assets | 65 | 65 |
| Modules | 1736 | 1736 |
| Duplicate Modules | 202 | 202 |
| Duplicate Code | 4.55% | 4.55% |
| Packages | 151 | 151 |
| Duplicate Packages | 5 | 5 |

Total size by type (no changes)

| | Current [Job #1381](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us?utm_source=github&utm_medium=pr-report "View job report") | Baseline [Job #1379](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1379-do19mbq6eri1UZNUmFyW?utm_source=github&utm_medium=pr-report "View baseline job report") |
|:--|--:|--:|
| [CSS](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Atrue%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Afalse%7D%7D "View all CSS assets") | `82.86KiB` | `82.86KiB` |
| [Fonts](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Atrue%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Afalse%7D%7D "View all Fonts assets") | `0B` | `0B` |
| [HTML](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Atrue%2C%22ft.OTHER%22%3Afalse%7D%7D "View all HTML assets") | `0B` | `0B` |
| [IMG](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Atrue%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Afalse%7D%7D "View all IMG assets") | `1.45KiB` | `1.45KiB` |
| [JS](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Atrue%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Afalse%7D%7D "View all JS assets") | `2.03MiB` | `2.03MiB` |
| [Media](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Atrue%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Afalse%7D%7D "View all Media assets") | `0B` | `0B` |
| [Other](https://app.relative-ci.com/projects/rYoEVFddayylGRgFiBEd/jobs/1381-tkCCGyPmTZamEP1W08Us/assets?ba=%7B%22filters%22%3A%7B%22ft.CSS%22%3Afalse%2C%22ft.JS%22%3Afalse%2C%22ft.IMG%22%3Afalse%2C%22ft.MEDIA%22%3Afalse%2C%22ft.FONT%22%3Afalse%2C%22ft.HTML%22%3Afalse%2C%22ft.OTHER%22%3Atrue%7D%7D "View all Other assets") | `12.76KiB` | `12.76KiB` |

View job #1381 report | View refs/pull/573/merge branch activity

cypress[bot] commented 1 year ago

2 failed tests on run #1914 ↗︎

2 4 0 1 Flakiness 0

Details:

chore(deps): update dependency vite to v2.9.16 [security]
Project: chirpy Commit: d327a5a24c
Status: Failed Duration: 02:29 💡
Started: Jun 23, 2023 1:01 PM Ended: Jun 23, 2023 1:03 PM
Failed: home/header.spec.ts • 1 failed test • Cypress Actions View Output Video
Test Artifacts
Header > should show user menu Output Screenshots Video
Failed: dashboard/project.spec.ts • 1 failed test • Cypress Actions View Output Video
Test Artifacts
Project > should show integration doc Output Screenshots Video

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.