chore(deps): update dependency vite to v2.9.16 [security] #321
This PR contains the following updates:

| Package | Change |
|---|---|
| vite | `2.1.5` -> `2.9.16` |
GitHub Vulnerability Alerts
CVE-2022-35204
Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.
CVE-2023-34092
Summary
The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue.

Steps to Fix

1. Update Vite: ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.
2. Secure the server configuration: in your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:

```javascript
// vite.config.js
export default {
  server: {
    fs: {
      deny: ['private-directory'] // Restrict access to specific directories
    }
  }
}
```

Impact

Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serves the application from the root path of the project while running in dev mode. By default, Vite uses the server option `fs.deny` to protect sensitive files from being served. But with a simple double forward slash, this `fs` restriction can be bypassed.
PoC

With a double forward slash (`//`) prefix on the requested path (e.g. `//.env`, `//.env.local`), the `fs.deny` restriction is successfully bypassed.

Proof images:

![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)
![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)
Release Notes

vitejs/vite (vite)

Versions covered by this update, newest first (each entry in the original body links to a "Compare Source" diff and refers to CHANGELOG.md for details):

- v2.9.16, v2.9.15, v2.9.14, v2.9.13, v2.9.12, v2.9.11, v2.9.10, v2.9.9, v2.9.8, v2.9.7, v2.9.6, v2.9.5, v2.9.4, v2.9.3, v2.9.2, v2.9.1, v2.9.0
- v2.8.6, v2.8.5, v2.8.4, v2.8.3, v2.8.2, v2.8.1, v2.8.0
- v2.7.13, v2.7.12, v2.7.11, v2.7.10, v2.7.9, v2.7.8, v2.7.7, v2.7.6, v2.7.5, v2.7.4, v2.7.3, v2.7.2, v2.7.1, v2.7.0
- v2.6.14, v2.6.13, v2.6.12, v2.6.11, v2.6.10, v2.6.9, v2.6.8
- v2.5.10, v2.5.9, v2.5.8, v2.5.7, v2.5.6
- v2.4.4, v2.4.3, v2.4.2, v2.4.1, v2.4.0
- v2.3.8, v2.3.7, v2.3.6, v2.3.5, v2.3.4, v2.3.3, v2.3.2, v2.3.1, v2.3.0
- v2.2.4, v2.2.3, v2.2.2, v2.2.1, v2.2.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.