chore(deps): update dependency vite to v5.1.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	5.1.4 -> 5.1.7

GitHub Vulnerability Alerts

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

• with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
• with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

---

Release Notes

vitejs/vite (vite)

v5.1.7

Compare Source

Please refer to CHANGELOG.md for details.

v5.1.6

Compare Source

• chore(deps): update all non-major dependencies (#​16131) (a862ecb), closes #​16131
• fix: check for publicDir before checking if it is a parent directory (#​16046) (b6fb323), closes #​16046
• fix: escape single quote when relative base is used (#​16060) (8f74ce4), closes #​16060
• fix: handle function property extension in namespace import (#​16113) (f699194), closes #​16113
• fix: server middleware mode resolve (#​16122) (8403546), closes #​16122
• fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#​16124) (fd9de04), closes #​16124
• fix(worker): hide "The emitted file overwrites" warning if the content is same (#​16094) (60dfa9e), closes #​16094
• fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #​16103
• style(utils): remove null check (#​16112) (0d2df52), closes #​16112
• refactor(runtime): share more code between runtime and main bundle (#​16063) (93be84e), closes #​16063

v5.1.5

Compare Source

• fix: __vite__mapDeps code injection (#​15732) (aff54e1), closes #​15732
• fix: analysing build chunk without dependencies (#​15469) (bd52283), closes #​15469
• fix: import with query with imports field (#​16085) (ab823ab), closes #​16085
• fix: normalize literal-only entry pattern (#​16010) (1dccc37), closes #​16010
• fix: optimizeDeps.entries with literal-only pattern(s) (#​15853) (49300b3), closes #​15853
• fix: output correct error for empty import specifier (#​16055) (a9112eb), closes #​16055
• fix: upgrade esbuild to 0.20.x (#​16062) (899d9b1), closes #​16062
• fix(runtime): runtime HMR affects only imported files (#​15898) (57463fc), closes #​15898
• fix(scanner): respect experimentalDecorators: true (#​15206) (4144781), closes #​15206
• revert: "fix: upgrade esbuild to 0.20.x" (#​16072) (11cceea), closes #​16072
• refactor: share code with vite runtime (#​15907) (b20d542), closes #​15907
• refactor(runtime): use functions from pathe (#​16061) (aac2ef7), closes #​16061
• chore(deps): update all non-major dependencies (#​16028) (7cfe80d), closes #​16028

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
sveltekit-vendure-commerce	❌ Failed (Inspect)		Apr 3, 2024 8:06pm

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	environment, eval, filesystem, network, shell, unsafe	+3	9.55 MB	vitebot

🚮 Removed packages: npm/[email protected]

View full report↗︎

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (5.1.7). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.