
Commit 63234ad

chore(deps): update dependency vite to v6.0.12 [security] (#5104)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.0.9` -> `6.0.12`](https://renovatebot.com/diffs/npm/vite/6.0.9/6.0.12) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.0.9/6.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.0.9/6.0.12?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists.

This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.

### PoC

```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"
<body>
<h1>403 Restricted</h1>
<p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v6.0.12`](https://redirect.github.com/vitejs/vite/releases/tag/v6.0.12)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.0.11...v6.0.12)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.0.12/packages/vite/CHANGELOG.md) for details.

### [`v6.0.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small6011-2025-01-21-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.0.10...v6.0.11)

- fix: `preview.allowedHosts` with specific values was not respected ([#19246](https://redirect.github.com/vitejs/vite/issues/19246)) ([aeb3ec8](https://redirect.github.com/vitejs/vite/commit/aeb3ec84a288d6be227a1284607f13428a4f14a1)), closes [#19246](https://redirect.github.com/vitejs/vite/issues/19246)
- fix: allow CORS from loopback addresses by default ([#19249](https://redirect.github.com/vitejs/vite/issues/19249)) ([3d03899](https://redirect.github.com/vitejs/vite/commit/3d038997377a30022b6a6b7916e0b4b5d8b9a363)), closes [#19249](https://redirect.github.com/vitejs/vite/issues/19249)

### [`v6.0.10`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small6010-2025-01-20-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.0.9...v6.0.10)

- fix: try parse `server.origin` URL ([#19241](https://redirect.github.com/vitejs/vite/issues/19241)) ([2495022](https://redirect.github.com/vitejs/vite/commit/2495022420fda05ee389c2dcf26921b21e2aed3b)), closes [#19241](https://redirect.github.com/vitejs/vite/issues/19241)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/swisspost/design-system).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
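The advisory above explains why `?raw??` slips past the `@fs` allow list: a stray trailing `?` separator is stripped on the serving path but not matched by the query-string regexes. From the defender's side, that stray separator is also the detection signal. The following is an added example, not Vite's or this repository's code; it scans constructed dev-server request lines in an assumed `METHOD URL STATUS` format and flags `/@fs/` requests whose query string carries a second `?`.

```javascript
// Added example (not Vite's own code). Constructed request lines in an assumed
// "METHOD URL STATUS" format, mirroring the advisory's PoC requests.
const SAMPLE_LOG = [
  'GET /src/main.ts 200',
  'GET /@fs/tmp/secret.txt 403',                   // allow list denies as intended
  'GET /@fs/tmp/secret.txt?import&raw?? 200',      // bypass shape from the advisory
  'GET /@fs/home/dev/project/src/App.vue?raw 200', // legitimate ?raw inside allow list
  'GET /@fs/tmp/secret.txt?raw?? 200',             // second bypass shape
  'GET /@vite/client 200',
];

// Split a request URL at the first '?' into the path and the raw query text.
function splitUrl(url) {
  const i = url.indexOf('?');
  return i === -1
    ? { path: url, query: '' }
    : { path: url.slice(0, i), query: url.slice(i + 1) };
}

// A well-formed query string never contains a second '?'. The advisory's bypass
// depends on exactly that: trailing separators ('raw??') are stripped in some
// code paths but not matched by the query regexes, so a '?' inside any query
// parameter of an /@fs/ request is the shape worth alerting on.
function isFsBypassShape(url) {
  const { path, query } = splitUrl(url);
  if (!path.startsWith('/@fs/')) return false;
  return query.split('&').some((param) => param.includes('?'));
}

// Return the suspicious entries from "METHOD URL STATUS" lines. The status says
// whether the dev server actually served the file (200) or denied it (403).
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [method, url, status] = line.trim().split(/\s+/);
    if (!url || !isFsBypassShape(url)) continue;
    hits.push({ method, url, status: Number(status), served: status === '200' });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

A hit with `served: true` on a host running vite below 6.0.12 is a file-disclosure event, not a false positive; per the advisory, only servers exposed with `--host` or `server.host` can receive such requests from the network.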
1 parent 2de32fe commit 63234ad

3 files changed (+16, -15 lines)

packages/documentation/package.json

+1-1
@@ -83,6 +83,6 @@
8383
"storybook": "8.4.7",
8484
"typescript": "5.8.2",
8585
"typescript-eslint": "8.20.0",
86-
"vite": "6.0.9"
86+
"vite": "6.0.12"
8787
}
8888
}
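Review bot: the bump on the `"vite"` line is an exact pin (`"6.0.12"`, no caret), which matches the other exact pins in this hunk such as `"typescript": "5.8.2"` and keeps the advisory-fixed version from drifting, but because this file and `packages/styles/package.json` pin vite independently, confirm after install that the lockfile resolves a single vite 6.0.12 and no second copy remains at 6.0.9 (e.g. `pnpm why vite`); the pnpm-lock.yaml diff is not rendered on this page.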

packages/styles/package.json

+1-1
@@ -70,7 +70,7 @@
7070
"stylelint-prettier": "5.0.2",
7171
"stylelint-scss": "6.10.0",
7272
"typescript": "5.8.2",
73-
"vite": "6.0.9"
73+
"vite": "6.0.12"
7474
},
7575
"sass": {
7676
"loadPaths": [
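Review bot: this is the same `"vite": "6.0.9"` -> `"6.0.12"` pin as in `packages/documentation/package.json`, so the two packages need to be kept in lockstep by hand on every future security bump; consider pinning vite once at the workspace level so the next CVE fix is a one-line change, and note that per the advisory the fixed version only matters for dev servers started with `--host` or `server.host`, which is worth checking against the `scripts` in these packages.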

pnpm-lock.yaml

+14-13
