fix(deps): update dependency vite to v5.1.7 [security] (#10408)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vitejs.dev) ([source](https://togithub.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.1.6` -> `5.1.7`](https://renovatebot.com/diffs/npm/vite/5.1.6/5.1.7) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.1.6/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.1.6/5.1.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-8jhw-289h-jh2g](https://togithub.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g) ### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. ### Impact Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Patches Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18 ### Details `server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path due to a bug ([micromatch/picomatch#89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set `{ dot: true }` and that causes [dotfiles not to be denied](https://togithub.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly defined. **Reproduction** Set fs.deny to `['**/.git/**']` and then curl for `/.git/config`. * with `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc). * with `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc). --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v5.1.7`](https://togithub.com/vitejs/vite/releases/tag/v5.1.7) [Compare Source](https://togithub.com/vitejs/vite/compare/v5.1.6...v5.1.7) Please refer to [CHANGELOG.md](https://togithub.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/redwoodjs/redwood).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
redwoodjs · Apr 3, 2024 · 6cc5949 · 6cc5949
1 parent 7864b72
commit 6cc5949
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/packages/vite/package.json b/packages/vite/package.json
@@ -83,7 +83,7 @@
     "isbot": "3.8.0",
     "react": "18.3.0-canary-a870b2d54-20240314",
     "react-server-dom-webpack": "18.3.0-canary-a870b2d54-20240314",
-    "vite": "5.1.6",
+    "vite": "5.1.7",
     "vite-plugin-cjs-interop": "2.1.0",
     "yargs-parser": "21.1.1"
   },

diff --git a/yarn.lock b/yarn.lock
@@ -8804,7 +8804,7 @@ __metadata:
     rollup: "npm:4.13.0"
     tsx: "npm:4.7.1"
     typescript: "npm:5.4.3"
-    vite: "npm:5.1.6"
+    vite: "npm:5.1.7"
     vite-plugin-cjs-interop: "npm:2.1.0"
     vitest: "npm:1.4.0"
     yargs-parser: "npm:21.1.1"
@@ -33240,9 +33240,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"vite@npm:5.1.6, vite@npm:^5.0.0":
-  version: 5.1.6
-  resolution: "vite@npm:5.1.6"
+"vite@npm:5.1.7, vite@npm:^5.0.0":
+  version: 5.1.7
+  resolution: "vite@npm:5.1.7"
   dependencies:
     esbuild: "npm:^0.19.3"
     fsevents: "npm:~2.3.3"
@@ -33276,7 +33276,7 @@ __metadata:
       optional: true
   bin:
     vite: bin/vite.js
-  checksum: 10c0/b935527544741d9313143a77f811d97b8b094757e42f9c02b7aca6294a4912674dbad5379e4759629b6ba895c93b5020cc7594f74b37846715336837fdce850a
+  checksum: 10c0/f64e1d8bcb237f600790c303447b95f0972e7c5377c0e1c38c1e62ef4864df2bff00c83315994da6e2e64fb51166199403a740b685c5b69a4af648b9244fc69c
   languageName: node
   linkType: hard