Skip to content

Commit 9e5656c

Browse files
renovate[bot]renovate[bot]
authored
chore(deps): update dependency vite to v6.3.4 [security] (main) (#7290)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.3.2` -> `6.3.4`](https://renovatebot.com/diffs/npm/vite/6.3.2/6.3.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.3.2/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.3.2/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.3.3` -> `6.3.4`](https://renovatebot.com/diffs/npm/vite/6.3.3/6.3.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3) ### Summary The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed. - Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env` - Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*` ### Details [`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`). ### PoC ``` npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env/. http://localhost:5173 ``` ![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b) ![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc) --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.3.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small634-2025-04-30-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.3.3...v6.3.4) - fix: check static serve file inside sirv ([#&#8203;19965](https://redirect.github.com/vitejs/vite/issues/19965)) ([c22c43d](https://redirect.github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb)), closes [#&#8203;19965](https://redirect.github.com/vitejs/vite/issues/19965) - fix(optimizer): return plain object when using `require` to import externals in optimized dependenci ([efc5eab](https://redirect.github.com/vitejs/vite/commit/efc5eab253419fde0a6a48b8d2f233063d6a9643)), closes [#&#8203;19940](https://redirect.github.com/vitejs/vite/issues/19940) - refactor: remove duplicate plugin context type ([#&#8203;19935](https://redirect.github.com/vitejs/vite/issues/19935)) ([d6d01c2](https://redirect.github.com/vitejs/vite/commit/d6d01c2292fa4f9603e05b95d81c8724314c20e0)), closes [#&#8203;19935](https://redirect.github.com/vitejs/vite/issues/19935) ### [`v6.3.3`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small633-2025-04-24-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.3.2...v6.3.3) - fix: ignore malformed uris in tranform middleware ([#&#8203;19853](https://redirect.github.com/vitejs/vite/issues/19853)) ([e4d5201](https://redirect.github.com/vitejs/vite/commit/e4d520141bcd83ad61f16767348b4a813bf9340a)), closes [#&#8203;19853](https://redirect.github.com/vitejs/vite/issues/19853) - fix(assets): ensure ?no-inline is not included in the asset url in the production environment ([#&#8203;1949](https://redirect.github.com/vitejs/vite/issues/1949) ([16a73c0](https://redirect.github.com/vitejs/vite/commit/16a73c05d35daa34117a173784895546212db5f4)), closes [#&#8203;19496](https://redirect.github.com/vitejs/vite/issues/19496) - fix(css): resolve relative imports in sass properly on Windows ([#&#8203;19920](https://redirect.github.com/vitejs/vite/issues/19920)) ([ffab442](https://redirect.github.com/vitejs/vite/commit/ffab44270488f54ae344801024474b597249071b)), closes [#&#8203;19920](https://redirect.github.com/vitejs/vite/issues/19920) - fix(deps): update all non-major dependencies ([#&#8203;19899](https://redirect.github.com/vitejs/vite/issues/19899)) ([a4b500e](https://redirect.github.com/vitejs/vite/commit/a4b500ef9ccc9b19a2882156a9ba8397e69bc6b2)), closes [#&#8203;19899](https://redirect.github.com/vitejs/vite/issues/19899) - fix(ssr): fix execution order of re-export ([#&#8203;19841](https://redirect.github.com/vitejs/vite/issues/19841)) ([ed29dee](https://redirect.github.com/vitejs/vite/commit/ed29dee2eb2e3573b2bc337e1a9124c65222a1e5)), closes [#&#8203;19841](https://redirect.github.com/vitejs/vite/issues/19841) - fix(ssr): fix live binding of default export declaration and hoist exports getter ([#&#8203;19842](https://redirect.github.com/vitejs/vite/issues/19842)) ([80a91ff](https://redirect.github.com/vitejs/vite/commit/80a91ff82426a4c88d54b9f5ec9a4205cb13899b)), closes [#&#8203;19842](https://redirect.github.com/vitejs/vite/issues/19842) - perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin ([#&#8203;19921](https://redirect.github.com/vitejs/vite/issues/19921)) ([55cfd04](https://redirect.github.com/vitejs/vite/commit/55cfd04b10f98cde7a96814a69b9813543ea79c2)), closes [#&#8203;19921](https://redirect.github.com/vitejs/vite/issues/19921) - test(ssr): test `ssrTransform` re-export deps and test stacktrace with first line ([#&#8203;19629](https://redirect.github.com/vitejs/vite/issues/19629)) ([9399cda](https://redirect.github.com/vitejs/vite/commit/9399cdaf8c3b2efd5f4015d57dc3b0e4e5b91a9d)), closes [#&#8203;19629](https://redirect.github.com/vitejs/vite/issues/19629) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SAP/ui5-webcomponents-react). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 9061974 commit 9e5656c

File tree

4 files changed

+21
-21
lines changed

4 files changed

+21
-21
lines changed

examples/react-router-ts/package-lock.json

Lines changed: 5 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

examples/vite-ts/package-lock.json

Lines changed: 5 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

templates/vite-ts/package-lock.json

Lines changed: 5 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

yarn.lock

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -24519,8 +24519,8 @@ __metadata:
2451924519
linkType: hard
2452024520

2452124521
"vite@npm:^5.4.8":
24522-
version: 5.4.18
24523-
resolution: "vite@npm:5.4.18"
24522+
version: 5.4.19
24523+
resolution: "vite@npm:5.4.19"
2452424524
dependencies:
2452524525
esbuild: "npm:^0.21.3"
2452624526
fsevents: "npm:~2.3.3"
@@ -24557,13 +24557,13 @@ __metadata:
2455724557
optional: true
2455824558
bin:
2455924559
vite: bin/vite.js
24560-
checksum: 10c0/a8cbbec6bdf399e62c386d70b8485e4f2f1b427beb19bc7c5d52b402a0c3750b7ff469fc20a8333755ea13bc1b0af5df3f22c8fd37d1739ee51d709b7a4740b6
24560+
checksum: 10c0/c97601234dba482cea5290f2a2ea0fcd65e1fab3df06718ea48adc8ceb14bc3129508216c4989329c618f6a0470b42f439677a207aef62b0c76f445091c2d89e
2456124561
languageName: node
2456224562
linkType: hard
2456324563

2456424564
"vite@npm:^6.0.0":
24565-
version: 6.3.3
24566-
resolution: "vite@npm:6.3.3"
24565+
version: 6.3.4
24566+
resolution: "vite@npm:6.3.4"
2456724567
dependencies:
2456824568
esbuild: "npm:^0.25.0"
2456924569
fdir: "npm:^6.4.4"
@@ -24612,7 +24612,7 @@ __metadata:
2461224612
optional: true
2461324613
bin:
2461424614
vite: bin/vite.js
24615-
checksum: 10c0/7ea27d2c80a9e0b7ccf6cbd6c251455501286568160e8b632984e5332440f21a6d05f9236408212ba7653f7d2d4790f848956d8a620bbf4dd2ecb792a2fe1ab1
24615+
checksum: 10c0/f1534a3f42d14b30e11c58e5e451903d965d5f5ba18d8c81f9df208589e3d2c65535abaa3268d3963573174b8e056ea7bc445f567622c65fcdf98eb4acc1bf4e
2461624616
languageName: node
2461724617
linkType: hard
2461824618

0 commit comments

Comments
 (0)