components
89%
main: 89%

Ran 17 Sep 2024 08:28PM UTC

Files 158

Run time 6s

Badge

Embed ▾

Committed 17 Sep 2024 08:20PM UTC coverage: 84.569% (+0.02%) from 84.547%

Subproject # main/src/components – 10910485087.1

Build Type

push

github

Committed by

web-flow

Commit Message

chore(deps): update dependency vite to v5.4.6 [security] (#6378)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vitejs.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`5.4.5` ->
`5.4.6`](https://renovatebot.com/diffs/npm/vite/5.4.5/5.4.6) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/5.4.5/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.4.5/5.4.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-45811](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx)

### Summary
The contents of arbitrary files can be returned to the browser.

### Details
`@fs` denies access to files outside of Vite serving allow list. Adding
`?import&raw` to the URL bypasses this limitation and returns the file
content if it exists.

### PoC
```sh
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v5.4.6`](https://redirect.github.co... (continued)

Run Details

2190 of 2816 branches covered (77.77%)

3787 of 4478 relevant lines covered (84.57%)

117725.91 hits per line

SAP / ui5-webcomponents-react / 10910485087 / 1 – main/src/components
89%
main: 89%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job main/src/components - 10910485087.1

SAP / ui5-webcomponents-react / 10910485087 / 1 – main/src/components 89% main: 89%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job main/src/components - 10910485087.1

SAP / ui5-webcomponents-react / 10910485087 / 1 – main/src/components
89%
main: 89%

README BADGES
x