Bump vite [SECURITY]
This PR contains the following updates:
| Package | Change |
|---|---|
| vite (source) | 4.5.13 -> 4.5.14 |
| vite (source) | 6.0.15 -> 6.1.6 |
| vite (source) | 5.4.18 -> 5.4.19 |
GitHub Vulnerability Alerts
CVE-2025-46565
Summary
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.
Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.
- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`
- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`
Details
server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).
PoC
```shell
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
```
Release Notes
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.
Netlify deploy preview
https://deploy-preview-46050--material-ui.netlify.app/
Bundle size report
| Bundle | Parsed Size | Gzip Size |
|---|---|---|
| @mui/material | 0B(0.00%) | 0B(0.00%) |
| @mui/lab | 0B(0.00%) | 0B(0.00%) |
| @mui/system | 0B(0.00%) | 0B(0.00%) |
| @mui/utils | 0B(0.00%) | 0B(0.00%) |
Generated by :no_entry_sign: dangerJS against 7b7f716fdd05db1d10a36cde120daf37b42d9732