Closed renovate[bot] closed 1 month ago
The latest updates on your projects. Learn more about Vercel for Git ↗︎
Name | Status | Preview | Comments | Updated (UTC) |
---|---|---|---|---|
marigold-docs | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Apr 5, 2024 10:33am |
marigold-storybook | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Apr 5, 2024 10:33am |
Latest commit: 482463a558a81532c1ec5feeb841c15da6629de3
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 99.83%. Comparing base (
1803ce8
) to head (482463a
).
Already updated
This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
This PR contains the following updates:
5.1.5
->5.1.7
GitHub Vulnerability Alerts
CVE-2024-31207
Summary
Vite dev server option
server.fs.deny
did not deny requests for patterns with directories. An example of such a pattern is/foo/**/*
.Impact
Only apps setting a custom
server.fs.deny
that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using--host
orserver.host
config option) are affected.Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.deny
uses picomatch with the config of{ matchBase: true }
. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set{ dot: true }
and that causes dotfiles not to be denied unless they are explicitly defined.Reproduction
Set fs.deny to
['**/.git/**']
and then curl for/.git/config
.matchBase: true
, you can get any file under.git/
(config, HEAD, etc).matchBase: false
, you cannot get any file under.git/
(config, HEAD, etc).Release Notes
vitejs/vite (vite)
### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details. ### [`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6) - chore(deps): update all non-major dependencies ([#16131](https://togithub.com/vitejs/vite/issues/16131)) ([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes [#16131](https://togithub.com/vitejs/vite/issues/16131) - fix: check for publicDir before checking if it is a parent directory ([#16046](https://togithub.com/vitejs/vite/issues/16046)) ([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes [#16046](https://togithub.com/vitejs/vite/issues/16046) - fix: escape single quote when relative base is used ([#16060](https://togithub.com/vitejs/vite/issues/16060)) ([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes [#16060](https://togithub.com/vitejs/vite/issues/16060) - fix: handle function property extension in namespace import ([#16113](https://togithub.com/vitejs/vite/issues/16113)) ([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes [#16113](https://togithub.com/vitejs/vite/issues/16113) - fix: server middleware mode resolve ([#16122](https://togithub.com/vitejs/vite/issues/16122)) ([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes [#16122](https://togithub.com/vitejs/vite/issues/16122) - fix(esbuild): update tsconfck to fix bug that could cause a deadlock ([#16124](https://togithub.com/vitejs/vite/issues/16124)) ([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes [#16124](https://togithub.com/vitejs/vite/issues/16124) - fix(worker): hide "The emitted file overwrites" warning if the content is same ([#16094](https://togithub.com/vitejs/vite/issues/16094)) ([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes [#16094](https://togithub.com/vitejs/vite/issues/16094) - fix(worker): throw error when circular worker import is detected and support self referencing worker ([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes [#16103](https://togithub.com/vitejs/vite/issues/16103) - style(utils): remove null check ([#16112](https://togithub.com/vitejs/vite/issues/16112)) ([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes [#16112](https://togithub.com/vitejs/vite/issues/16112) - refactor(runtime): share more code between runtime and main bundle ([#16063](https://togithub.com/vitejs/vite/issues/16063)) ([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes [#16063](https://togithub.com/vitejs/vite/issues/16063)Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.