patch(deps): update dependency vite to v5.1.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	5.1.1 -> 5.1.7

GitHub Vulnerability Alerts

CVE-2024-31207

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

• with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
• with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

---

Release Notes

vitejs/vite (vite)

v5.1.7

Compare Source

Please refer to CHANGELOG.md for details.

v5.1.6

Compare Source

• chore(deps): update all non-major dependencies (#​16131) (a862ecb), closes #​16131
• fix: check for publicDir before checking if it is a parent directory (#​16046) (b6fb323), closes #​16046
• fix: escape single quote when relative base is used (#​16060) (8f74ce4), closes #​16060
• fix: handle function property extension in namespace import (#​16113) (f699194), closes #​16113
• fix: server middleware mode resolve (#​16122) (8403546), closes #​16122
• fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#​16124) (fd9de04), closes #​16124
• fix(worker): hide "The emitted file overwrites" warning if the content is same (#​16094) (60dfa9e), closes #​16094
• fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #​16103
• style(utils): remove null check (#​16112) (0d2df52), closes #​16112
• refactor(runtime): share more code between runtime and main bundle (#​16063) (93be84e), closes #​16063

v5.1.5

Compare Source

• fix: __vite__mapDeps code injection (#​15732) (aff54e1), closes #​15732
• fix: analysing build chunk without dependencies (#​15469) (bd52283), closes #​15469
• fix: import with query with imports field (#​16085) (ab823ab), closes #​16085
• fix: normalize literal-only entry pattern (#​16010) (1dccc37), closes #​16010
• fix: optimizeDeps.entries with literal-only pattern(s) (#​15853) (49300b3), closes #​15853
• fix: output correct error for empty import specifier (#​16055) (a9112eb), closes #​16055
• fix: upgrade esbuild to 0.20.x (#​16062) (899d9b1), closes #​16062
• fix(runtime): runtime HMR affects only imported files (#​15898) (57463fc), closes #​15898
• fix(scanner): respect experimentalDecorators: true (#​15206) (4144781), closes #​15206
• revert: "fix: upgrade esbuild to 0.20.x" (#​16072) (11cceea), closes #​16072
• refactor: share code with vite runtime (#​15907) (b20d542), closes #​15907
• refactor(runtime): use functions from pathe (#​16061) (aac2ef7), closes #​16061
• chore(deps): update all non-major dependencies (#​16028) (7cfe80d), closes #​16028

v5.1.4

Compare Source

• perf: remove unnecessary regex s modifier (#​15766) (8dc1b73), closes #​15766
• fix: fs cached checks disabled by default for yarn pnp (#​15920) (8b11fea), closes #​15920
• fix: resolve directory correctly when fs.cachedChecks: true (#​15983) (4fe971f), closes #​15983
• fix: srcSet with optional descriptor (#​15905) (81b3bd0), closes #​15905
• fix(deps): update all non-major dependencies (#​15959) (571a3fd), closes #​15959
• fix(watch): build watch fails when outDir is empty string (#​15979) (1d263d3), closes #​15979

v5.1.3

Compare Source

• fix: cachedTransformMiddleware for direct css requests (#​15919) (5099028), closes #​15919
• refactor(runtime): minor tweaks (#​15904) (63a39c2), closes #​15904
• refactor(runtime): seal ES module namespace object instead of feezing (#​15914) (4172f02), closes #​15914

v5.1.2

Compare Source

• fix: normalize import file path info (#​15772) (306df44), closes #​15772
• fix(build): do not output build time when build fails (#​15711) (added3e), closes #​15711
• fix(runtime): pass path instead of fileURL to isFilePathESM (#​15908) (7b15607), closes #​15908
• fix(worker): support UTF-8 encoding in inline workers (fixes #​12117) (#​15866) (570e0f1), closes #​12117 #​15866
• chore: update license file (#​15885) (d9adf18), closes #​15885
• chore(deps): update all non-major dependencies (#​15874) (d16ce5d), closes #​15874
• chore(deps): update dependency dotenv-expand to v11 (#​15875) (642d528), closes #​15875

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.