appium-device-farm
appium-device-farm copied to clipboard
AppiumTestDistribution
chore(deps): update dependency vite to v4.5.3 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| vite (source) | 4.5.2 -> 4.5.3 |
GitHub Vulnerability Alerts
CVE-2024-31207
Summary
Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.
Impact
Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Patches
Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Details
server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.
Reproduction
Set fs.deny to ['**/.git/**'] and then curl for /.git/config.
- with
matchBase: true, you can get any file under.git/(config, HEAD, etc). - with
matchBase: false, you cannot get any file under.git/(config, HEAD, etc).
Release Notes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| appium-device-farm-bre4 | ❌ Failed (Inspect) | Apr 4, 2024 5:00am |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
Deploy Preview for voluble-wisp-b266e5 failed.
| Name | Link |
|---|---|
| Latest commit | 1846381521484f71217dc41c183ed1981d490c1a |
| Latest deploy log | https://app.netlify.com/sites/voluble-wisp-b266e5/deploys/660e3372b0e3710008c8f263 |
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update (^4.5.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.