socket-security[bot]
commented
3 months ago New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
| Package | New capabilities | Transitives | Size | Publisher |
|---|
🚮 Removed packages: npm/bentocache@1.0.0-beta.7
This PR contains the following updates:
5.1.1->5.1.7GitHub Vulnerability Alerts
CVE-2024-31207
Summary
Vite dev server option
server.fs.denydid not deny requests for patterns with directories. An example of such a pattern is/foo/**/*.Impact
Only apps setting a custom
server.fs.denythat includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using--hostorserver.hostconfig option) are affected.Patches
Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18
Details
server.fs.denyuses picomatch with the config of{ matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set{ dot: true }and that causes dotfiles not to be denied unless they are explicitly defined.Reproduction
Set fs.deny to
['**/.git/**']and then curl for/.git/config.matchBase: true, you can get any file under.git/(config, HEAD, etc).matchBase: false, you cannot get any file under.git/(config, HEAD, etc).Release Notes
vitejs/vite (vite)
### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details. ### [`v5.1.6`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small516-2024-03-11-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.5...v5.1.6) - chore(deps): update all non-major dependencies ([#16131](https://togithub.com/vitejs/vite/issues/16131)) ([a862ecb](https://togithub.com/vitejs/vite/commit/a862ecb)), closes [#16131](https://togithub.com/vitejs/vite/issues/16131) - fix: check for publicDir before checking if it is a parent directory ([#16046](https://togithub.com/vitejs/vite/issues/16046)) ([b6fb323](https://togithub.com/vitejs/vite/commit/b6fb323)), closes [#16046](https://togithub.com/vitejs/vite/issues/16046) - fix: escape single quote when relative base is used ([#16060](https://togithub.com/vitejs/vite/issues/16060)) ([8f74ce4](https://togithub.com/vitejs/vite/commit/8f74ce4)), closes [#16060](https://togithub.com/vitejs/vite/issues/16060) - fix: handle function property extension in namespace import ([#16113](https://togithub.com/vitejs/vite/issues/16113)) ([f699194](https://togithub.com/vitejs/vite/commit/f699194)), closes [#16113](https://togithub.com/vitejs/vite/issues/16113) - fix: server middleware mode resolve ([#16122](https://togithub.com/vitejs/vite/issues/16122)) ([8403546](https://togithub.com/vitejs/vite/commit/8403546)), closes [#16122](https://togithub.com/vitejs/vite/issues/16122) - fix(esbuild): update tsconfck to fix bug that could cause a deadlock ([#16124](https://togithub.com/vitejs/vite/issues/16124)) ([fd9de04](https://togithub.com/vitejs/vite/commit/fd9de04)), closes [#16124](https://togithub.com/vitejs/vite/issues/16124) - fix(worker): hide "The emitted file overwrites" warning if the content is same ([#16094](https://togithub.com/vitejs/vite/issues/16094)) ([60dfa9e](https://togithub.com/vitejs/vite/commit/60dfa9e)), closes [#16094](https://togithub.com/vitejs/vite/issues/16094) - fix(worker): throw error when circular worker import is detected and support self referencing worker ([eef9da1](https://togithub.com/vitejs/vite/commit/eef9da1)), closes [#16103](https://togithub.com/vitejs/vite/issues/16103) - style(utils): remove null check ([#16112](https://togithub.com/vitejs/vite/issues/16112)) ([0d2df52](https://togithub.com/vitejs/vite/commit/0d2df52)), closes [#16112](https://togithub.com/vitejs/vite/issues/16112) - refactor(runtime): share more code between runtime and main bundle ([#16063](https://togithub.com/vitejs/vite/issues/16063)) ([93be84e](https://togithub.com/vitejs/vite/commit/93be84e)), closes [#16063](https://togithub.com/vitejs/vite/issues/16063) ### [`v5.1.5`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small515-2024-03-04-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.4...v5.1.5) - fix: `__vite__mapDeps` code injection ([#15732](https://togithub.com/vitejs/vite/issues/15732)) ([aff54e1](https://togithub.com/vitejs/vite/commit/aff54e1)), closes [#15732](https://togithub.com/vitejs/vite/issues/15732) - fix: analysing build chunk without dependencies ([#15469](https://togithub.com/vitejs/vite/issues/15469)) ([bd52283](https://togithub.com/vitejs/vite/commit/bd52283)), closes [#15469](https://togithub.com/vitejs/vite/issues/15469) - fix: import with query with imports field ([#16085](https://togithub.com/vitejs/vite/issues/16085)) ([ab823ab](https://togithub.com/vitejs/vite/commit/ab823ab)), closes [#16085](https://togithub.com/vitejs/vite/issues/16085) - fix: normalize literal-only entry pattern ([#16010](https://togithub.com/vitejs/vite/issues/16010)) ([1dccc37](https://togithub.com/vitejs/vite/commit/1dccc37)), closes [#16010](https://togithub.com/vitejs/vite/issues/16010) - fix: optimizeDeps.entries with literal-only pattern(s) ([#15853](https://togithub.com/vitejs/vite/issues/15853)) ([49300b3](https://togithub.com/vitejs/vite/commit/49300b3)), closes [#15853](https://togithub.com/vitejs/vite/issues/15853) - fix: output correct error for empty import specifier ([#16055](https://togithub.com/vitejs/vite/issues/16055)) ([a9112eb](https://togithub.com/vitejs/vite/commit/a9112eb)), closes [#16055](https://togithub.com/vitejs/vite/issues/16055) - fix: upgrade esbuild to 0.20.x ([#16062](https://togithub.com/vitejs/vite/issues/16062)) ([899d9b1](https://togithub.com/vitejs/vite/commit/899d9b1)), closes [#16062](https://togithub.com/vitejs/vite/issues/16062) - fix(runtime): runtime HMR affects only imported files ([#15898](https://togithub.com/vitejs/vite/issues/15898)) ([57463fc](https://togithub.com/vitejs/vite/commit/57463fc)), closes [#15898](https://togithub.com/vitejs/vite/issues/15898) - fix(scanner): respect `experimentalDecorators: true` ([#15206](https://togithub.com/vitejs/vite/issues/15206)) ([4144781](https://togithub.com/vitejs/vite/commit/4144781)), closes [#15206](https://togithub.com/vitejs/vite/issues/15206) - revert: "fix: upgrade esbuild to 0.20.x" ([#16072](https://togithub.com/vitejs/vite/issues/16072)) ([11cceea](https://togithub.com/vitejs/vite/commit/11cceea)), closes [#16072](https://togithub.com/vitejs/vite/issues/16072) - refactor: share code with vite runtime ([#15907](https://togithub.com/vitejs/vite/issues/15907)) ([b20d542](https://togithub.com/vitejs/vite/commit/b20d542)), closes [#15907](https://togithub.com/vitejs/vite/issues/15907) - refactor(runtime): use functions from `pathe` ([#16061](https://togithub.com/vitejs/vite/issues/16061)) ([aac2ef7](https://togithub.com/vitejs/vite/commit/aac2ef7)), closes [#16061](https://togithub.com/vitejs/vite/issues/16061) - chore(deps): update all non-major dependencies ([#16028](https://togithub.com/vitejs/vite/issues/16028)) ([7cfe80d](https://togithub.com/vitejs/vite/commit/7cfe80d)), closes [#16028](https://togithub.com/vitejs/vite/issues/16028) ### [`v5.1.4`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small514-2024-02-21-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.3...v5.1.4) - perf: remove unnecessary regex s modifier ([#15766](https://togithub.com/vitejs/vite/issues/15766)) ([8dc1b73](https://togithub.com/vitejs/vite/commit/8dc1b73)), closes [#15766](https://togithub.com/vitejs/vite/issues/15766) - fix: fs cached checks disabled by default for yarn pnp ([#15920](https://togithub.com/vitejs/vite/issues/15920)) ([8b11fea](https://togithub.com/vitejs/vite/commit/8b11fea)), closes [#15920](https://togithub.com/vitejs/vite/issues/15920) - fix: resolve directory correctly when `fs.cachedChecks: true` ([#15983](https://togithub.com/vitejs/vite/issues/15983)) ([4fe971f](https://togithub.com/vitejs/vite/commit/4fe971f)), closes [#15983](https://togithub.com/vitejs/vite/issues/15983) - fix: srcSet with optional descriptor ([#15905](https://togithub.com/vitejs/vite/issues/15905)) ([81b3bd0](https://togithub.com/vitejs/vite/commit/81b3bd0)), closes [#15905](https://togithub.com/vitejs/vite/issues/15905) - fix(deps): update all non-major dependencies ([#15959](https://togithub.com/vitejs/vite/issues/15959)) ([571a3fd](https://togithub.com/vitejs/vite/commit/571a3fd)), closes [#15959](https://togithub.com/vitejs/vite/issues/15959) - fix(watch): build watch fails when outDir is empty string ([#15979](https://togithub.com/vitejs/vite/issues/15979)) ([1d263d3](https://togithub.com/vitejs/vite/commit/1d263d3)), closes [#15979](https://togithub.com/vitejs/vite/issues/15979) ### [`v5.1.3`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small513-2024-02-15-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.2...v5.1.3) - fix: cachedTransformMiddleware for direct css requests ([#15919](https://togithub.com/vitejs/vite/issues/15919)) ([5099028](https://togithub.com/vitejs/vite/commit/5099028)), closes [#15919](https://togithub.com/vitejs/vite/issues/15919) - refactor(runtime): minor tweaks ([#15904](https://togithub.com/vitejs/vite/issues/15904)) ([63a39c2](https://togithub.com/vitejs/vite/commit/63a39c2)), closes [#15904](https://togithub.com/vitejs/vite/issues/15904) - refactor(runtime): seal ES module namespace object instead of feezing ([#15914](https://togithub.com/vitejs/vite/issues/15914)) ([4172f02](https://togithub.com/vitejs/vite/commit/4172f02)), closes [#15914](https://togithub.com/vitejs/vite/issues/15914) ### [`v5.1.2`](https://togithub.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small512-2024-02-14-small) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.1...v5.1.2) - fix: normalize import file path info ([#15772](https://togithub.com/vitejs/vite/issues/15772)) ([306df44](https://togithub.com/vitejs/vite/commit/306df44)), closes [#15772](https://togithub.com/vitejs/vite/issues/15772) - fix(build): do not output build time when build fails ([#15711](https://togithub.com/vitejs/vite/issues/15711)) ([added3e](https://togithub.com/vitejs/vite/commit/added3e)), closes [#15711](https://togithub.com/vitejs/vite/issues/15711) - fix(runtime): pass path instead of fileURL to `isFilePathESM` ([#15908](https://togithub.com/vitejs/vite/issues/15908)) ([7b15607](https://togithub.com/vitejs/vite/commit/7b15607)), closes [#15908](https://togithub.com/vitejs/vite/issues/15908) - fix(worker): support UTF-8 encoding in inline workers (fixes [#12117](https://togithub.com/vitejs/vite/issues/12117)) ([#15866](https://togithub.com/vitejs/vite/issues/15866)) ([570e0f1](https://togithub.com/vitejs/vite/commit/570e0f1)), closes [#12117](https://togithub.com/vitejs/vite/issues/12117) [#15866](https://togithub.com/vitejs/vite/issues/15866) - chore: update license file ([#15885](https://togithub.com/vitejs/vite/issues/15885)) ([d9adf18](https://togithub.com/vitejs/vite/commit/d9adf18)), closes [#15885](https://togithub.com/vitejs/vite/issues/15885) - chore(deps): update all non-major dependencies ([#15874](https://togithub.com/vitejs/vite/issues/15874)) ([d16ce5d](https://togithub.com/vitejs/vite/commit/d16ce5d)), closes [#15874](https://togithub.com/vitejs/vite/issues/15874) - chore(deps): update dependency dotenv-expand to v11 ([#15875](https://togithub.com/vitejs/vite/issues/15875)) ([642d528](https://togithub.com/vitejs/vite/commit/642d528)), closes [#15875](https://togithub.com/vitejs/vite/issues/15875)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.