search

vuejs / babel-plugin-jsx

JSX for Vue 3
https://vue-jsx-explorer.netlify.app
MIT License
1.7k stars 143 forks source link

chore(deps): update dependency vite to v5.0.13 [security] - autoclosed #701

Closed renovate[bot] closed 3 months ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 5.0.12 -> 5.0.13 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

Release Notes

vitejs/vite (vite) ### [`v5.0.13`](https://togithub.com/vitejs/vite/releases/tag/v5.0.13) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.0.12...v5.0.13) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.0.13/packages/vite/CHANGELOG.md) for details.

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

netlify[bot] commented 3 months ago

Deploy Preview for vue-jsx-explorer ready!

Name Link
Latest commit 82047c682ebee0b989073a6a4fbe2d008c28de7c
Latest deploy log https://app.netlify.com/sites/vue-jsx-explorer/deploys/660ddb02deb176000852571e
Deploy Preview https://deploy-preview-701--vue-jsx-explorer.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.