Bump vite from 5.2.11 to 5.4.10 #5
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=80&v=4){kind=small}
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.2.11 to 5.4.10. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.4.10/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.4.10/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
the
dependencies
Reviewer's Guide by SourceryThis pull request updates the vite dependency from version 5.2.11 to 5.4.10. The update includes several bug fixes, dependency updates, and minor improvements to Vite's functionality. No diagrams generated as the changes look simple and do not need a visual representation. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| micromark@4.0.0: | ||
| resolution: {integrity: sha512-o/sd0nMof8kYff+TqcDx3VSrgBTcZpSvYcAHIfHhv5VAuNmisCxjhx6YmxS8PFEpb9z5WKWKPdzf0jM23ro3RQ==} | ||
|
|
||
| micromatch@4.0.7: |
There was a problem hiding this comment.
The issue identified by the Trivy linter is a security vulnerability in the micromatch package version 4.0.7. The vulnerability, identified as CVE-2024-4067, is related to a Regular Expression Denial of Service (ReDoS). This type of vulnerability occurs when an attacker can exploit the way regular expressions are processed, potentially causing the application to become unresponsive or slow due to excessive resource consumption.
To fix this issue, the micromatch package should be updated to version 4.0.8, where the vulnerability has been addressed. Here is the code suggestion for updating the package:
| micromatch@4.0.7: | |
| micromatch@4.0.8: |
This comment was generated by an experimental AI tool.
| resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==} | ||
| engines: {node: '>=16 || 14 >=14.18'} | ||
|
|
||
| path-to-regexp@6.2.2: |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency path-to-regexp@6.2.2 (CVE-2024-45296: path-to-regexp: Backtracking regular expressions cause ReDoS) (update to 6.3.0)
The issue identified by the Trivy linter is a security vulnerability in the path-to-regexp package, specifically version 6.2.2. This vulnerability is related to a Regular Expression Denial of Service (ReDoS) attack, which occurs when an attacker can provide input that causes a regular expression to consume excessive amounts of processing time. This can lead to a denial of service as the application becomes unresponsive. The CVE (Common Vulnerabilities and Exposures) ID for this issue is CVE-2024-45296. The recommended fix is to update the path-to-regexp package to version 6.3.0, which addresses this vulnerability.
To fix the issue, you should update the path-to-regexp version in your dependencies. Here is the single line change suggestion:
| path-to-regexp@6.2.2: | |
| path-to-regexp@6.3.0: |
This comment was generated by an experimental AI tool.
| domutils@3.1.0: | ||
| resolution: {integrity: sha512-H78uMmQtI2AhgDJjWeQmHwJJ2bLPD3GMmO7Zja/ZZh84wkm+4ut+IUnUdRa8uCGX88DiVx1j6FRe1XfxEgjEZA==} | ||
|
|
||
| dset@3.1.3: |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: Insecure dependency dset@3.1.3 (CVE-2024-21529: dset: Prototype Pollution) (update to 3.1.4)
The issue identified by the Trivy linter is a security vulnerability known as Prototype Pollution in the dset package, specifically in version 3.1.3. Prototype Pollution is a type of vulnerability that allows an attacker to manipulate the prototype of a base object, which can lead to unexpected behaviors, security issues, or application crashes. In this case, the vulnerability is tracked as CVE-2024-21529. To mitigate this vulnerability, it is recommended to update the dset package to version 3.1.4, where the issue has been addressed.
To fix the issue, update the version of dset from 3.1.3 to 3.1.4 in your code. Here's the single line change you need to make:
| dset@3.1.3: | |
| dset@3.1.4: |
This comment was generated by an experimental AI tool.
| '@types/cheerio@0.22.35': | ||
| resolution: {integrity: sha512-yD57BchKRvTV+JD53UZ6PD8KWY5g5rvvMLRnZR3EQBCZXiDT/HR+pKpMzFGlWNhFrXlo7VPZXtKvIEwZkAWOIA==} | ||
|
|
||
| '@types/cookie@0.6.0': |
There was a problem hiding this comment.
ℹ️ Codacy found a minor Security issue: Insecure dependency cookie@0.6.0 (CVE-2024-47764: cookie: cookie accepts cookie name, path, and domain with out of bounds characters) (update to 0.7.0)
The issue identified by the Trivy linter is related to a security vulnerability in the cookie library, specifically version 0.6.0. The vulnerability, identified as CVE-2024-47764, allows the cookie library to accept cookie name, path, and domain with out-of-bounds characters. This can potentially lead to security risks such as improper handling of cookies, which might be exploited by an attacker to inject malicious cookies or bypass security controls.
To fix this issue, you should update the cookie library to a version where the vulnerability is patched. According to the provided issue description, updating to version 0.7.0 resolves the problem. Here's the code suggestion to update the dependency:
| '@types/cookie@0.6.0': | |
| '@types/cookie@0.7.0': |
This comment was generated by an experimental AI tool.
|
Superseded by #10. |
Bumps vite from 5.2.11 to 5.4.10.
Release notes
Sourced from vite's releases.
... (truncated)
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
5f52bc8release: v5.4.107d1a3bcfix: backport #18367,augment hash for CSS files to prevent chromium erroring ...898d61frelease: v5.4.9508d9abfix: bump launch-editor-middleware to v2.9.1 (#18348)dc5434cfix(deps): bump tsconfck (#18322)851b258fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252)96084d6fix(data-uri): only match ids starting withdata:(#18241)eae00b5fix(css): fix lightningcss dep url resolution with custom root (#18125)c23558achore: update all url references of vitejs.dev to vite.dev (#18276)1864eb1chore: update license copyright (#18278)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by Sourcery
Upgrade Vite from version 5.2.11 to 5.4.10, addressing multiple bug fixes and improvements. Update pnpm-lock.yaml to reflect the changes. Fix various issues related to CSS handling, SSR, and HMR. Update documentation and perform maintenance tasks like updating URLs and license information.
Bug Fixes:
Build:
Documentation:
Chores: