changeset-bot[bot]
commented
5 months ago ⚠️ No Changeset found
Latest commit: 91c3f3a25eddb9fb6a27bbccf8e9ba99c6b5baf4
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver typesClick here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
This PR contains the following updates:
5.1.1->5.1.7GitHub Vulnerability Alerts
CVE-2024-31207
Summary
Vite dev server option
server.fs.denydid not deny requests for patterns with directories. An example of such a pattern is/foo/**/*.Impact
Only apps setting a custom
server.fs.denythat includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using--hostorserver.hostconfig option) are affected.Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.denyuses picomatch with the config of{ matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set{ dot: true }and that causes dotfiles not to be denied unless they are explicitly defined.Reproduction
Set fs.deny to
['**/.git/**']and then curl for/.git/config.matchBase: true, you can get any file under.git/(config, HEAD, etc).matchBase: false, you cannot get any file under.git/(config, HEAD, etc).Release Notes
vitejs/vite (vite)
### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details. ### [`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6) - chore(deps): update all non-major dependencies ([#16131](https://togithub.com/vitejs/vite/issues/16131)) ([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes [#16131](https://togithub.com/vitejs/vite/issues/16131) - fix: check for publicDir before checking if it is a parent directory ([#16046](https://togithub.com/vitejs/vite/issues/16046)) ([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes [#16046](https://togithub.com/vitejs/vite/issues/16046) - fix: escape single quote when relative base is used ([#16060](https://togithub.com/vitejs/vite/issues/16060)) ([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes [#16060](https://togithub.com/vitejs/vite/issues/16060) - fix: handle function property extension in namespace import ([#16113](https://togithub.com/vitejs/vite/issues/16113)) ([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes [#16113](https://togithub.com/vitejs/vite/issues/16113) - fix: server middleware mode resolve ([#16122](https://togithub.com/vitejs/vite/issues/16122)) ([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes [#16122](https://togithub.com/vitejs/vite/issues/16122) - fix(esbuild): update tsconfck to fix bug that could cause a deadlock ([#16124](https://togithub.com/vitejs/vite/issues/16124)) ([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes [#16124](https://togithub.com/vitejs/vite/issues/16124) - fix(worker): hide "The emitted file overwrites" warning if the content is same ([#16094](https://togithub.com/vitejs/vite/issues/16094)) ([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes [#16094](https://togithub.com/vitejs/vite/issues/16094) - fix(worker): throw error when circular worker import is detected and support self referencing worker ([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes [#16103](https://togithub.com/vitejs/vite/issues/16103) - style(utils): remove null check ([#16112](https://togithub.com/vitejs/vite/issues/16112)) ([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes [#16112](https://togithub.com/vitejs/vite/issues/16112) - refactor(runtime): share more code between runtime and main bundle ([#16063](https://togithub.com/vitejs/vite/issues/16063)) ([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes [#16063](https://togithub.com/vitejs/vite/issues/16063) ### [`v5.1.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small515-2024-03-04-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.4...v5.1.5) - fix: `__vite__mapDeps` code injection ([#15732](https://togithub.com/vitejs/vite/issues/15732)) ([aff54e1](https://togithub.com/vitejs/vite/commit/aff54e1)), closes [#15732](https://togithub.com/vitejs/vite/issues/15732) - fix: analysing build chunk without dependencies ([#15469](https://togithub.com/vitejs/vite/issues/15469)) ([bd52283](https://togithub.com/vitejs/vite/commit/bd52283)), closes [#15469](https://togithub.com/vitejs/vite/issues/15469) - fix: import with query with imports field ([#16085](https://togithub.com/vitejs/vite/issues/16085)) ([ab823ab](https://togithub.com/vitejs/vite/commit/ab823ab)), closes [#16085](https://togithub.com/vitejs/vite/issues/16085) - fix: normalize literal-only entry pattern ([#16010](https://togithub.com/vitejs/vite/issues/16010)) ([1dccc37](https://togithub.com/vitejs/vite/commit/1dccc37)), closes [#16010](https://togithub.com/vitejs/vite/issues/16010) - fix: optimizeDeps.entries with literal-only pattern(s) ([#15853](https://togithub.com/vitejs/vite/issues/15853)) ([49300b3](https://togithub.com/vitejs/vite/commit/49300b3)), closes [#15853](https://togithub.com/vitejs/vite/issues/15853) - fix: output correct error for empty import specifier ([#16055](https://togithub.com/vitejs/vite/issues/16055)) ([a9112eb](https://togithub.com/vitejs/vite/commit/a9112eb)), closes [#16055](https://togithub.com/vitejs/vite/issues/16055) - fix: upgrade esbuild to 0.20.x ([#16062](https://togithub.com/vitejs/vite/issues/16062)) ([899d9b1](https://togithub.com/vitejs/vite/commit/899d9b1)), closes [#16062](https://togithub.com/vitejs/vite/issues/16062) - fix(runtime): runtime HMR affects only imported files ([#15898](https://togithub.com/vitejs/vite/issues/15898)) ([57463fc](https://togithub.com/vitejs/vite/commit/57463fc)), closes [#15898](https://togithub.com/vitejs/vite/issues/15898) - fix(scanner): respect `experimentalDecorators: true` ([#15206](https://togithub.com/vitejs/vite/issues/15206)) ([4144781](https://togithub.com/vitejs/vite/commit/4144781)), closes [#15206](https://togithub.com/vitejs/vite/issues/15206) - revert: "fix: upgrade esbuild to 0.20.x" ([#16072](https://togithub.com/vitejs/vite/issues/16072)) ([11cceea](https://togithub.com/vitejs/vite/commit/11cceea)), closes [#16072](https://togithub.com/vitejs/vite/issues/16072) - refactor: share code with vite runtime ([#15907](https://togithub.com/vitejs/vite/issues/15907)) ([b20d542](https://togithub.com/vitejs/vite/commit/b20d542)), closes [#15907](https://togithub.com/vitejs/vite/issues/15907) - refactor(runtime): use functions from `pathe` ([#16061](https://togithub.com/vitejs/vite/issues/16061)) ([aac2ef7](https://togithub.com/vitejs/vite/commit/aac2ef7)), closes [#16061](https://togithub.com/vitejs/vite/issues/16061) - chore(deps): update all non-major dependencies ([#16028](https://togithub.com/vitejs/vite/issues/16028)) ([7cfe80d](https://togithub.com/vitejs/vite/commit/7cfe80d)), closes [#16028](https://togithub.com/vitejs/vite/issues/16028) ### [`v5.1.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small514-2024-02-21-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.3...v5.1.4) - perf: remove unnecessary regex s modifier ([#15766](https://togithub.com/vitejs/vite/issues/15766)) ([8dc1b73](https://togithub.com/vitejs/vite/commit/8dc1b73)), closes [#15766](https://togithub.com/vitejs/vite/issues/15766) - fix: fs cached checks disabled by default for yarn pnp ([#15920](https://togithub.com/vitejs/vite/issues/15920)) ([8b11fea](https://togithub.com/vitejs/vite/commit/8b11fea)), closes [#15920](https://togithub.com/vitejs/vite/issues/15920) - fix: resolve directory correctly when `fs.cachedChecks: true` ([#15983](https://togithub.com/vitejs/vite/issues/15983)) ([4fe971f](https://togithub.com/vitejs/vite/commit/4fe971f)), closes [#15983](https://togithub.com/vitejs/vite/issues/15983) - fix: srcSet with optional descriptor ([#15905](https://togithub.com/vitejs/vite/issues/15905)) ([81b3bd0](https://togithub.com/vitejs/vite/commit/81b3bd0)), closes [#15905](https://togithub.com/vitejs/vite/issues/15905) - fix(deps): update all non-major dependencies ([#15959](https://togithub.com/vitejs/vite/issues/15959)) ([571a3fd](https://togithub.com/vitejs/vite/commit/571a3fd)), closes [#15959](https://togithub.com/vitejs/vite/issues/15959) - fix(watch): build watch fails when outDir is empty string ([#15979](https://togithub.com/vitejs/vite/issues/15979)) ([1d263d3](https://togithub.com/vitejs/vite/commit/1d263d3)), closes [#15979](https://togithub.com/vitejs/vite/issues/15979) ### [`v5.1.3`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small513-2024-02-15-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.2...v5.1.3) - fix: cachedTransformMiddleware for direct css requests ([#15919](https://togithub.com/vitejs/vite/issues/15919)) ([5099028](https://togithub.com/vitejs/vite/commit/5099028)), closes [#15919](https://togithub.com/vitejs/vite/issues/15919) - refactor(runtime): minor tweaks ([#15904](https://togithub.com/vitejs/vite/issues/15904)) ([63a39c2](https://togithub.com/vitejs/vite/commit/63a39c2)), closes [#15904](https://togithub.com/vitejs/vite/issues/15904) - refactor(runtime): seal ES module namespace object instead of feezing ([#15914](https://togithub.com/vitejs/vite/issues/15914)) ([4172f02](https://togithub.com/vitejs/vite/commit/4172f02)), closes [#15914](https://togithub.com/vitejs/vite/issues/15914) ### [`v5.1.2`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small512-2024-02-14-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.1...v5.1.2) - fix: normalize import file path info ([#15772](https://togithub.com/vitejs/vite/issues/15772)) ([306df44](https://togithub.com/vitejs/vite/commit/306df44)), closes [#15772](https://togithub.com/vitejs/vite/issues/15772) - fix(build): do not output build time when build fails ([#15711](https://togithub.com/vitejs/vite/issues/15711)) ([added3e](https://togithub.com/vitejs/vite/commit/added3e)), closes [#15711](https://togithub.com/vitejs/vite/issues/15711) - fix(runtime): pass path instead of fileURL to `isFilePathESM` ([#15908](https://togithub.com/vitejs/vite/issues/15908)) ([7b15607](https://togithub.com/vitejs/vite/commit/7b15607)), closes [#15908](https://togithub.com/vitejs/vite/issues/15908) - fix(worker): support UTF-8 encoding in inline workers (fixes [#12117](https://togithub.com/vitejs/vite/issues/12117)) ([#15866](https://togithub.com/vitejs/vite/issues/15866)) ([570e0f1](https://togithub.com/vitejs/vite/commit/570e0f1)), closes [#12117](https://togithub.com/vitejs/vite/issues/12117) [#15866](https://togithub.com/vitejs/vite/issues/15866) - chore: update license file ([#15885](https://togithub.com/vitejs/vite/issues/15885)) ([d9adf18](https://togithub.com/vitejs/vite/commit/d9adf18)), closes [#15885](https://togithub.com/vitejs/vite/issues/15885) - chore(deps): update all non-major dependencies ([#15874](https://togithub.com/vitejs/vite/issues/15874)) ([d16ce5d](https://togithub.com/vitejs/vite/commit/d16ce5d)), closes [#15874](https://togithub.com/vitejs/vite/issues/15874) - chore(deps): update dependency dotenv-expand to v11 ([#15875](https://togithub.com/vitejs/vite/issues/15875)) ([642d528](https://togithub.com/vitejs/vite/commit/642d528)), closes [#15875](https://togithub.com/vitejs/vite/issues/15875)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.