chore(deps): update dependency vite to v5.1.7 [security]

[ScriptedAlchemy]

This PR contains the following updates:

Package	Type	Update	Change
vite (source)	devDependencies	patch	5.1.4 -> 5.1.7

---

Vite's server.fs.deny did not deny requests for patterns with directories.

CVE-2024-31207 / GHSA-8jhw-289h-jh2g

More information

Details

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

• with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
• with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
• https://nvd.nist.gov/vuln/detail/CVE-2024-31207
• https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
• https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
• https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
• https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
• https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
• https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
• https://github.com/vitejs/vite

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitejs/vite (vite)

v5.1.7

Compare Source

Please refer to CHANGELOG.md for details.

v5.1.6

Compare Source

• chore(deps): update all non-major dependencies (#​16131) (a862ecb), closes #​16131
• fix: check for publicDir before checking if it is a parent directory (#​16046) (b6fb323), closes #​16046
• fix: escape single quote when relative base is used (#​16060) (8f74ce4), closes #​16060
• fix: handle function property extension in namespace import (#​16113) (f699194), closes #​16113
• fix: server middleware mode resolve (#​16122) (8403546), closes #​16122
• fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#​16124) (fd9de04), closes #​16124
• fix(worker): hide "The emitted file overwrites" warning if the content is same (#​16094) (60dfa9e), closes #​16094
• fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #​16103
• style(utils): remove null check (#​16112) (0d2df52), closes #​16112
• refactor(runtime): share more code between runtime and main bundle (#​16063) (93be84e), closes #​16063

v5.1.5

Compare Source

• fix: __vite__mapDeps code injection (#​15732) (aff54e1), closes #​15732
• fix: analysing build chunk without dependencies (#​15469) (bd52283), closes #​15469
• fix: import with query with imports field (#​16085) (ab823ab), closes #​16085
• fix: normalize literal-only entry pattern (#​16010) (1dccc37), closes #​16010
• fix: optimizeDeps.entries with literal-only pattern(s) (#​15853) (49300b3), closes #​15853
• fix: output correct error for empty import specifier (#​16055) (a9112eb), closes #​16055
• fix: upgrade esbuild to 0.20.x (#​16062) (899d9b1), closes #​16062
• fix(runtime): runtime HMR affects only imported files (#​15898) (57463fc), closes #​15898
• fix(scanner): respect experimentalDecorators: true (#​15206) (4144781), closes #​15206
• revert: "fix: upgrade esbuild to 0.20.x" (#​16072) (11cceea), closes #​16072
• refactor: share code with vite runtime (#​15907) (b20d542), closes #​15907
• refactor(runtime): use functions from pathe (#​16061) (aac2ef7), closes #​16061
• chore(deps): update all non-major dependencies (#​16028) (7cfe80d), closes #​16028

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
medusa-example-dsl	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 11, 2024 10:33pm
medusa-example-home	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 11, 2024 10:33pm
medusa-example-nav	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 11, 2024 10:33pm
medusa-example-search	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 11, 2024 10:33pm
medusa-example-utils	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 11, 2024 10:33pm

[github-actions]

Workflow status is success ✅
Unfortunately test report wasn't generated, it can be if no workspaces changed. Please check the workflow run below.
Link to GitHub workflow: Github Workflow Link