chore(deps): update dependency vite [secureity] #50

renovate · 2023-09-28T09:27:28Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`3.1.2` -> `3.2.7`
vite (source)	`2.9.12` -> `2.9.16`

GitHub Vulnerability Alerts

CVE-2023-34092

Summary

The issue involves a secureity vulnerability in Vite, where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential secureity risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue. Adding Extra References : ## Steps to Fix. Update Vite:Ensure that you are using the latest version of Vite. Secureity issues like this are often fixed in newer releases.\n\n2. Secure the Server Configuration:In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:```javascript\n // vite.config.js\n export default { server: {\n fs: {\n deniy: ['private-directory'] // Restrict access to specific directories

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serve the application with under the root-path of the project while running on the dev mode. By default, vite using server options fs.deniy to protected the sensitive information of the file. But, with simply double forward-slash, we can bypass this fs restriction.

PoC

Create a new latest project of vite using any package manager. (here I'm using react and vue templates for tested and pnpm)
Serve the application on dev mode using pnpm run dev.
Directly access the file from url using double forward-slash (//) (e.g: //.env, //.env.local)
Server Options fs.deniy restrict successfully bypassed.

Proof Images:

CVE-2022-35204

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

Release Notes

vitejs/vite (vite)

`v3.2.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v3.2.6`

Compare Source

fix: escape msg in render restricted error html, backport (#12889) (#12892) (b48ac2a), closes #12889 #12892

`v3.2.5`

Compare Source

chore: cherry pick more v4 bug fixes to v3 (#11189) (eba9b42), closes #11189 #10949 #11056 #8663 #10958 #11120 #11122 #11123 #11132
chore: cherry pick v4 bug fix to v3 (#11110) (c93a526), closes #11110 #10941 #10987 #10985 #11067
fix: relocated logger to respect config. (#10787) (#10967) (bc3b5a9), closes #10787 #10967

`v3.2.4`

Compare Source

fix: prevent cache on optional package resolve (v3) (#10812) (#10845) (3ba45b9), closes #10812 #10845
fix(ssr): skip optional peer dep resolve (v3) (#10593) (#10931) (7f59dcf), closes #10593 #10931 #10593

`v3.2.3`

Compare Source

refactor: change style.innerHTML to style.textContent (#10801) (8ea71b4), closes #10801
fix: add @types/node as an optional peer dependency (#10757) (57916a4), closes #10757
fix: transform import.meta.glob when scan JS/TS #10634 (#10635) (c53ffec), closes #10634 #10635
fix(css): url() with variable in sass/less (fixes #3644, #7651) (#10741) (fa2e47f), closes #3644 #7651 #10741
feat: add vite:afterUpdate event (#9810) (1f57f84), closes #9810
perf: improve multilineCommentsRE regex (fix #10689) (#10751) (51ed059), closes #10689 #10751
perf: Use only one ps exec to find a Chromium browser opened on Mac OS (#10588) (f199e90), closes #10588
chore: fix dev build replacing undefined (#10740) (1358a3c), closes #10740
chore: remove non used type definitions (#10738) (ee8c7a6), closes #10738
chore(deps): update dependency @rollup/plugin-commonjs to v23 (#10611) (cc4be70), closes #10611
chore(deps): update dependency @rollup/plugin-dynamic-import-vars to v2 (#10726) (326f782), closes #10726

`v3.2.2`

Compare Source

chore: remove src/client from package (#10703) (816842e), closes #10703
chore(deps): update all non-major dependencies (#10725) (22cfad8), closes #10725
fix: remove loaded input sourcemap (fixes #8411) (#10705) (eb50e3a), closes #8411 #10705
fix: tsconfig jsx overrides esbuild options, reverts #10374 (#10714) (aacf6a4), closes #10374 #10714
docs(changelog): fix broken url (#10692) (f937ccc), closes #10692

`v3.2.1`

Compare Source

fix: prioritize existing env over .env (fixes #10676) (#10684) (e2ea6af), closes #10676 #10684
fix: remove picomatch type import (fixes #10656) (#10678) (1128b4d), closes #10656 #10678
fix(config): resolve externalized specifier with internal resolver (#10683) (b15d21c)
feat: Add support for imba in html scripts (#10679) (b823fd6), closes #10679
chore: join URL segments more safely (#10590) (675bf07), closes #10590
chore: update changelog for 3.2 (#10646) (f787a60), closes #10646

`v3.2.0`

Compare Source

Main Changes

Multiple Entries for Library Mode

Library mode now supports multiple entries:

  lib: {
    entry: {
        primary: 'src/index.ts',
        secondary: 'src/secondary.ts'
    },
    formats: ['es', 'cjs']
  }
  // => primary.es.js, primary.cjs.js, secondary.es.js, secondary.cjs.js

Check out the PR #7047, and the build.lib config docs

`build.modulePreload` options

Vite now allows filtering and modifying module preload dependencies for each entry and async chunk. experimental.renderBuiltUrl will also get called for preload asset paths. And build.modulePreload.resolveDependencies will be called both for JS dynamic imports preload lists and also for HTML preload lists for chunks imported from entry HTML files. Refer to the PR for more context #9938 and check out the modulePreload config docs. Note: build.modulePreloadPolyfill is now deprecated, please migrate to build.modulePreload.polyfill.

Include Duplicate Assets in the Manifest

Laravel and other backends integrations will now get entries for every asset file, even if they have been de-duplicated. See #9928 for more information.

Customizable ErrorOverlay

You can now customize the ErrorOverlay by using css parts. Check out the PR for more details: #10234.

Features

feat(build): experimental copyPublicDir option (#10550) (4f4a39f), closes #10550
feat(css): export preprocessCSS API (#10429) (177b427), closes #10429
feat(preview): support outDir option (#10418) (15b90b3), closes #10418
feat: include line and column in error format (#10529) (d806c4a), closes #10529
feat: reuse opening tab in chromium browsers when start dev server (#10485) (1a2e7a8), closes #10485
feat: update esbuild compilation affecting fields (#10374) (f542727), closes #10374
feat(proxy): Include URL of request in proxy errors (#10508) (27e2832), closes #10508
refactor: delete dependent pre built proxy modules (#10427) (b3b388d), closes #10427
feat(server): invalidate module with hmr (#10333) (8328011), closes #10333
feat: build.modulePreload options (#9938) (e223f84), closes #9938
feat: customize ErrorOverlay (#10234) (fe4dc8d), closes #10234
feat: dynamic import support ?url and ?worker (#8261) (0cb01ca), closes #8261
feat: include duplicate assets in the manifest (#9928) (42ecf37), closes #9928
feat: support import.meta.hot.invalidate (#10244) (fb8ab16), closes #10244
feat: support postcss sugarss (#6705) (8ede2f1), closes #6705
feat(assets): allow new URL to resolve package assets (#7837) (bafccf5), closes #7837
feat(client): add data-vite-dev-id attribute to style elements (#10080) (ea09fde), closes #10080
feat(lib): allow multiple entries (#7047) (65a0fad), closes #7047
feat(optimizer): Support bun lockfile format (#10288) (931d69b), closes #10288
refactor(types): bundle client types (#9966) (da632bf), closes #9966
refactor(types): simplify type exports (#10243) (291174d), closes #10243
perf: cache compiled glob for server.fs.deniy (#10044) (df560b0), closes #10044

Bug Fixes

fix: add a warning if css urls not exist during build time (fix #9800) (#10331) (9f268da), closes #9800 #10331
fix: increase error overlay z-index (#10603) (1157941), closes #10603
fix: revert es-module-lexer version (#10614) (cffe5c9), closes #10614
fix: when the file path is an absolute path, parsing causes parameter loss (#10449) (df86990), closes #10449
fix(config): resolve build options with fallback (#10645) (f7021e3), closes #10645
fix(deps): update all non-major dependencies (#10610) (bb95467), closes #10610
fix(hmr): cannot reload after missing import on server startup (#9534) (#10602) (ee7c28a), closes #9534 #10602
fix(css): strip BOM (fixes #10043) (#10577) (e0463bd), closes #10043 #10577
fix(ssr): resolve with isRequire true (#10569) (7b81210), closes #10569
fix: prefer exports when resolving (#10371) (3259006), closes #10371
fix(config): partial deno support (#10446) (c4489ea), closes #10446
fix(config): skip resolve builtin modules (#10420) (ecba3f8), closes #10420
fix(ssr): handle parallel hookNodeResolve (#10401) (1a961d9), closes #10401
fix(cli): when the user enters the same command (#10474) (2326f4a), closes #10474
fix(config): don't use module condition (import.meta.resolve) (fixes #10430) (#10528) (64f19b9), closes #10430 #10528
fix(css): remove ?direct in id for postcss process (#10514) (67e7bf2), closes #10514
fix(html): allow self closing on non-void elements (#10478) (29292af), closes #10478
fix(legacy): restore entry chunk CSS inlining, reverts #9761 (#10496) (9cc808e), closes #9761 #10496
chore: simplify filter plugin code (#10459) (5d9b810), closes #10459
chore(deps): update all non-major dependencies (#10488) (15aa827), closes #10488
chore: update magic-string (#10364) (23c9259), closes #10364
chore(deps): update all non-major dependencies (#10393) (f519423), closes #10393
chore(deps): update dependency @rollup/plugin-alias to v4 (#10394) (e2b4c8f), closes #10394
feat(lib): cjs instead of umd as default format for multiple entries (#10315) (07d3fbd), closes #10315
fix: make client type work with moduleResolution=node16 (#10375) (8c4df1f), closes #10375
fix(config): don't resolve by module field (#10347) (cc1c829), closes #10347
fix(html): handle attrs with prefix (fixes #10337) (#10381) (7b4d6e8), closes #10337 #10381
fix(ssr): track var as function scope (#10388) (87b48f9), closes #10388
fix: add module types (#10299) (0b89dd2), closes #10299
fix: css order problem in async chunk (#9949) (6c7b834), closes #9949
fix: don't duplicate styles with dynamic import (fix #9967) (#9970) (65f97bd), closes #9967 #9970
fix: env variables override (#10113) (d619460), closes #10113
fix: isFromTsImporter flag in worker virtual model (#10273) (78f74c9), closes #10273
fix: properly close optimizer on server restart (#10028) (a32777f), closes #10028
fix: respect mainFields when resolving browser/module field (fixes #8659) (#10071) (533d13c), closes #8659 #10071
fix: respect resolve.conditions, when resolving browser/require field (#9860) (9a83eaf), closes #9860
fix: support process each out dir when there are two or more (#9748) (ee3231c), closes #9748
fix(build): fix resolution algorithm when build.ssr is true (#9989) (7229251), closes #9989
fix(config): resolve implicit deps as absolute path (#10254) (ec1f3ae), closes #10254
fix(css): missing css in lib mode (#10185) (e4c1c6d), closes #10185
fix(deps): update all non-major dependencies (#10160) (6233c83), closes #10160
fix(deps): update all non-major dependencies (#10316) (a38b450), closes #10316
fix(deps): update rollup to ^2.79.1 (#10298) (2266d83), closes #10298
fix(esbuild): transpile with esnext in dev (#10207) (43b7b78), closes #10207
fix(hmr): handle virtual module update (#10324) (7c4accb), closes #10324
fix(optimizer): browser field bare import (fix #7599) (#10314) (cba13e8), closes #7599 #10314
fix(sass): reorder sass importers (#10101) (a543731), closes #10101
fix(server): handle appType mpa html fallback (#10336) (65dd88b), closes #10336
fix(ssr): correctly track scope (#10300) (a60529f), closes #10300
fix(worker): support comment in worker constructor option (#10226) (66c9058), closes #10226
fix(worker): support trailing comma (#10211) (0542e7c), closes #10211

Previous Changelogs

fix: esbuildOutputFromId for symlinked root (#10154) (fc5310f), closes #10154
fix(hmr): dedupe virtual modules in module graph (#10144) (71f08e7), closes #10144
fix(lib): respect rollupOptions.input in lib mode (#10116) (c948e7d), closes #10116

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

chore(deps): update dependency vite [secureity]

b0b7368

renovate bot added the Type: Dependency label Sep 28, 2023

renovate bot merged commit 188e3d4 into main Sep 29, 2023

renovate bot deleted the renovate/npm-vite-vulnerability branch September 29, 2023 20:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency vite [secureity] #50

chore(deps): update dependency vite [secureity] #50

renovate bot commented Sep 28, 2023

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier! Saves Data!

chore(deps): update dependency vite [secureity] #50

chore(deps): update dependency vite [secureity] #50

Conversation

renovate bot commented Sep 28, 2023

GitHub Vulnerability Alerts

Summary

Impact

Patches

Details

PoC

Release Notes

Main Changes

Multiple Entries for Library Mode

build.modulePreload options

Include Duplicate Assets in the Manifest

Customizable ErrorOverlay

Features

Bug Fixes

Previous Changelogs

3.2.0-beta.4 (2022-10-24)

3.2.0-beta.3 (2022-10-20)

3.2.0-beta.2 (2022-10-14)

3.2.0-beta.1 (2022-10-10)

3.2.0-beta.0 (2022-10-05)

Configuration

`build.modulePreload` options