[PR #722] [MERGED] chore(deps): update dependency vite to v6.3.4 [security] #885

New Issue

GiteaMirror · 2025-11-01T21:06:19-05:00

GiteaMirror commented

2025-11-01 21:06:19 -05:00

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/722
Author: @renovate[bot]
Created: 4/30/2025
Status: ✅ Merged
Merged: 4/30/2025
Merged by: @kolaente

Base: main ← Head: renovate/npm-vite-vulnerability

📝 Commits (1)

294332f chore(deps): update dependency vite to v6.3.4 [security]

📊 Changes

2 files changed (+55 additions, -55 deletions)

View changed files

📝 frontend/package.json (+1 -1)
📝 frontend/pnpm-lock.yaml (+54 -54)

📄 Description

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`6.3.3` -> `6.3.4`

GitHub Vulnerability Alerts

GHSA-859w-5945-r5v3

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

Release Notes

vitejs/vite (vite)

`v6.3.4`

Compare Source

fix: check static serve file inside sirv (#19965) (c22c43d), closes #19965
fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #19940
refactor: remove duplicate plugin context type (#19935) (d6d01c2), closes #19935

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/722 **Author:** [@renovate[bot]](https://github.com/apps/renovate) **Created:** 4/30/2025 **Status:** ✅ Merged **Merged:** 4/30/2025 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `renovate/npm-vite-vulnerability` --- ### 📝 Commits (1) - [`294332f`](https://github.com/go-vikunja/vikunja/commit/294332f030efe687f5bee77d6d37befa28ce5514) chore(deps): update dependency vite to v6.3.4 [security] ### 📊 Changes **2 files changed** (+55 additions, -55 deletions) <details> <summary>View changed files</summary> 📝 `frontend/package.json` (+1 -1) 📝 `frontend/pnpm-lock.yaml` (+54 -54) </details> ### 📄 Description This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.3.3` -> `6.3.4`](https://renovatebot.com/diffs/npm/vite/6.3.3/6.3.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [GHSA-859w-5945-r5v3](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3) ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. - Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`). ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ``` ![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b) ![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc) --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.3.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small634-2025-04-30-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.3.3...v6.3.4) - fix: check static serve file inside sirv ([#19965](https://redirect.github.com/vitejs/vite/issues/19965)) ([c22c43d](https://redirect.github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb)), closes [#19965](https://redirect.github.com/vitejs/vite/issues/19965) - fix(optimizer): return plain object when using `require` to import externals in optimized dependenci ([efc5eab](https://redirect.github.com/vitejs/vite/commit/efc5eab253419fde0a6a48b8d2f233063d6a9643)), closes [#19940](https://redirect.github.com/vitejs/vite/issues/19940) - refactor: remove duplicate plugin context type ([#19935](https://redirect.github.com/vitejs/vite/issues/19935)) ([d6d01c2](https://redirect.github.com/vitejs/vite/commit/d6d01c2292fa4f9603e05b95d81c8724314c20e0)), closes [#19935](https://redirect.github.com/vitejs/vite/issues/19935) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/go-vikunja/vikunja).  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-01 21:06:19 -05:00

GiteaMirror closed this issue

2025-11-01 21:06:19 -05:00

GiteaMirror referenced this issue

2025-11-01 21:09:32 -05:00

[PR #885] [MERGED] chore(deps): update ghcr.io/techknowlogick/xgo:go-1.23.x docker digest to a56d0c3 #1031

Sign in to join this conversation.

Branches Tags

main

feat-websocket-notifications

claude/csv-import-feature-01Kavsoc8Zabn7Q7WwwfVjBh

csv-import-feature

feat-quick-entry

codex/add-task-sorting-functionality

fix-duplicate-close-button

codex/analyze-codebase-for-email-task-feature

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-oauth-server

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

poc-yaegi-plugins

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feature/use-modern-compiler-for-sass-files-as-well

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

release/0.13

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#885