Skip to content

chore(deps): update dependency vite to v5.4.16 [security] #9666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
renovate merged 1 commit into from
Apr 1, 2025
Merged

chore(deps): update dependency vite to v5.4.16 [security] #9666

renovate merged 1 commit into from
Apr 1, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Apr 1, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 5.4.15 -> 5.4.16 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

  • base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
  • content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

Release Notes

vitejs/vite (vite)

v5.4.16

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Madrid, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Apr 1, 2025
@renovate renovate bot enabled auto-merge (squash) April 1, 2025 08:57
@vercel
Copy link

vercel bot commented Apr 1, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
unleash-docs ⬜️ Ignored (Inspect) Visit Preview Apr 1, 2025 8:57am

@github-project-automation github-project-automation bot moved this from New to Approved PRs in Issues and PRs Apr 1, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Apr 1, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/vite 5.4.16 🟢 6.9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 23/29 approved changesets -- score normalized to 7
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Token-Permissions🟢 7detected GitHub workflow tokens with excessive permissions
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 7binaries present in source code
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 82 existing vulnerabilities detected
npm/vite 5.4.16 🟢 6.9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 7Found 23/29 approved changesets -- score normalized to 7
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Token-Permissions🟢 7detected GitHub workflow tokens with excessive permissions
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 7binaries present in source code
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities🟢 82 existing vulnerabilities detected

Scanned Files

  • frontend/package.json
  • frontend/yarn.lock

@renovate renovate bot merged commit 097c83e into main Apr 1, 2025
12 checks passed
@renovate renovate bot deleted the renovate/npm-vite-vulnerability branch April 1, 2025 09:01
@github-project-automation github-project-automation bot moved this from Approved PRs to Done in Issues and PRs Apr 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

Issues and PRs
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant