From 9aa7a5368c502ae488d3a173e732d81f3d000e98 Mon Sep 17 00:00:00 2001
From: Stefano
Date: Tue, 23 Jan 2024 12:48:20 +0000
Subject: [PATCH] fix: vite security issue (#9773)
---
 .changeset/tricky-cobras-provide.md | 5 +
 packages/astro/package.json | 2 +-
 packages/integrations/markdoc/package.json | 2 +-
 packages/integrations/mdx/package.json | 2 +-
 packages/integrations/react/package.json | 4 +-
 packages/integrations/svelte/package.json | 2 +-
 packages/integrations/tailwind/package.json | 2 +-
 packages/integrations/vue/package.json | 2 +-
 pnpm-lock.yaml | 120 +++++++++++++-------
 9 files changed, 95 insertions(+), 46 deletions(-)
 create mode 100644 .changeset/tricky-cobras-provide.md
diff --git a/.changeset/tricky-cobras-provide.md b/.changeset/tricky-cobras-provide.md
new file mode 100644
index 000000000000..6396c70d7f1c
--- /dev/null
+++ b/.changeset/tricky-cobras-provide.md
@@ -0,0 +1,5 @@
+---
+"astro": patch
+---
+
+Raises the required vite version to address a vulnerability in `vite.server.fs.deny` that affected the dev mode.
diff --git a/packages/astro/package.json b/packages/astro/package.json
index 02670011b603..6210451a5ca3 100644
--- a/packages/astro/package.json
+++ b/packages/astro/package.json
@@ -172,7 +172,7 @@
 "tsconfck": "^3.0.0",
 "unist-util-visit": "^5.0.0",
 "vfile": "^6.0.1",
- "vite": "^5.0.10",
+ "vite": "^5.0.12",
 "vitefu": "^0.2.5",
 "which-pm": "^2.1.1",
 "yargs-parser": "^21.1.1",
diff --git a/packages/integrations/markdoc/package.json b/packages/integrations/markdoc/package.json
index d22aad19c631..7c4fc4713b5d 100644
--- a/packages/integrations/markdoc/package.json
+++ b/packages/integrations/markdoc/package.json
@@ -88,7 +88,7 @@
 "devalue": "^4.3.2",
 "linkedom": "^0.16.4",
 "mocha": "^10.2.0",
- "vite": "^5.0.10"
+ "vite": "^5.0.12"
 },
 "engines": {
 "node": ">=18.14.1"
diff --git a/packages/integrations/mdx/package.json b/packages/integrations/mdx/package.json
index 59c72aaf8435..c4f1c62f4335 100644
--- a/packages/integrations/mdx/package.json
+++ b/packages/integrations/mdx/package.json
@@ -75,7 +75,7 @@
 "remark-shiki-twoslash": "^3.1.3",
 "remark-toc": "^9.0.0",
 "unified": "^11.0.4",
- "vite": "^5.0.10"
+ "vite": "^5.0.12"
 },
 "engines": {
 "node": ">=18.14.1"
diff --git a/packages/integrations/react/package.json b/packages/integrations/react/package.json
index dbabe0be0355..1390903304a7 100644
--- a/packages/integrations/react/package.json
+++ b/packages/integrations/react/package.json
@@ -56,10 +56,10 @@
 "astro-scripts": "workspace:*",
 "chai": "^4.3.7",
 "cheerio": "1.0.0-rc.12",
+ "mocha": "^10.2.0",
 "react": "^18.1.0",
 "react-dom": "^18.1.0",
- "vite": "^5.0.10",
- "mocha": "^10.2.0"
+ "vite": "^5.0.12"
 },
 "peerDependencies": {
 "@types/react": "^17.0.50 || ^18.0.21",
diff --git a/packages/integrations/svelte/package.json b/packages/integrations/svelte/package.json
index 112f047f7483..0ceb9f97f930 100644
--- a/packages/integrations/svelte/package.json
+++ b/packages/integrations/svelte/package.json
@@ -49,7 +49,7 @@
 "astro": "workspace:*",
 "astro-scripts": "workspace:*",
 "svelte": "^4.2.5",
- "vite": "^5.0.10"
+ "vite": "^5.0.12"
 },
 "peerDependencies": {
 "astro": "^4.0.0",
diff --git a/packages/integrations/tailwind/package.json b/packages/integrations/tailwind/package.json
index cd797ef33c79..c07f65963be2 100644
--- a/packages/integrations/tailwind/package.json
+++ b/packages/integrations/tailwind/package.json
@@ -43,7 +43,7 @@
 "chai": "^4.3.7",
 "mocha": "^10.2.0",
 "tailwindcss": "^3.3.5",
- "vite": "^5.0.10"
+ "vite": "^5.0.12"
 },
 "peerDependencies": {
 "astro": "^3.0.0 || ^4.0.0",
diff --git a/packages/integrations/vue/package.json b/packages/integrations/vue/package.json
index b4141a9fd6ac..242cf67c2316 100644
--- a/packages/integrations/vue/package.json
+++ b/packages/integrations/vue/package.json
@@ -53,7 +53,7 @@ "cheerio": "1.0.0-rc.12", "linkedom": "^0.16.4", "mocha": "^10.2.0", - "vite": "^5.0.10", + "vite": "^5.0.12", "vue": "^3.3.8" }, "peerDependencies": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7819b61caa55..38c3133136aa 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -663,11 +663,11 @@ importers: specifier: ^6.0.1 version: 6.0.1 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) vitefu: specifier: ^0.2.5 - version: 0.2.5(vite@5.0.10) + version: 0.2.5(vite@5.0.12) which-pm: specifier: ^2.1.1 version: 2.1.1 @@ -3891,8 +3891,8 @@ importers: specifier: ^10.2.0 version: 10.2.0 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) packages/integrations/markdoc/test/fixtures/content-collections: dependencies: @@ -4123,8 +4123,8 @@ importers: specifier: ^11.0.4 version: 11.0.4 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) packages/integrations/mdx/test/fixtures/css-head-mdx: dependencies: @@ -4459,7 +4459,7 @@ importers: dependencies: '@vitejs/plugin-react': specifier: ^4.2.0 - version: 4.2.1(vite@5.0.10) + version: 4.2.1(vite@5.0.12) ultrahtml: specifier: ^1.3.0 version: 1.5.2 @@ -4492,8 +4492,8 @@ importers: specifier: ^18.1.0 version: 18.2.0(react@18.2.0) vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) packages/integrations/react/test/fixtures/react-component: dependencies: @@ -4591,7 +4591,7 @@ importers: dependencies: '@sveltejs/vite-plugin-svelte': specifier: ^3.0.0 - version: 3.0.1(svelte@4.2.8)(vite@5.0.10) + version: 3.0.1(svelte@4.2.8)(vite@5.0.12) svelte2tsx: specifier: ^0.6.25 version: 0.6.27(svelte@4.2.8)(typescript@5.2.2) 
@@ -4606,8 +4606,8 @@ importers: specifier: ^4.2.5 version: 4.2.8 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) packages/integrations/tailwind: dependencies: @@ -4637,8 +4637,8 @@ importers: specifier: ^3.3.5 version: 3.4.0 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) packages/integrations/tailwind/test/fixtures/basic: dependencies: @@ -4873,10 +4873,10 @@ importers: dependencies: '@vitejs/plugin-vue': specifier: ^4.5.0 - version: 4.6.2(vite@5.0.10)(vue@3.4.3) + version: 4.6.2(vite@5.0.12)(vue@3.4.3) '@vitejs/plugin-vue-jsx': specifier: ^3.1.0 - version: 3.1.0(vite@5.0.10)(vue@3.4.3) + version: 3.1.0(vite@5.0.12)(vue@3.4.3) '@vue/babel-plugin-jsx': specifier: ^1.1.5 version: 1.1.5(@babel/core@7.23.7) @@ -4906,8 +4906,8 @@ importers: specifier: ^10.2.0 version: 10.2.0 vite: - specifier: ^5.0.10 - version: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + specifier: ^5.0.12 + version: 5.0.12(@types/node@18.19.4)(sass@1.69.6) vue: specifier: ^3.3.8 version: 3.4.3(typescript@5.2.2) @@ -7137,7 +7137,7 @@ packages: solid-js: 1.8.7 dev: false - /@sveltejs/vite-plugin-svelte-inspector@2.0.0(@sveltejs/vite-plugin-svelte@3.0.1)(svelte@4.2.8)(vite@5.0.10): + /@sveltejs/vite-plugin-svelte-inspector@2.0.0(@sveltejs/vite-plugin-svelte@3.0.1)(svelte@4.2.8)(vite@5.0.12): resolution: {integrity: sha512-gjr9ZFg1BSlIpfZ4PRewigrvYmHWbDrq2uvvPB1AmTWKuM+dI1JXQSUu2pIrYLb/QncyiIGkFDFKTwJ0XqQZZg==} engines: {node: ^18.0.0 || >=20} peerDependencies: 
@@ -7148,15 +7148,15 @@ packages: vite: optional: true dependencies: - '@sveltejs/vite-plugin-svelte': 3.0.1(svelte@4.2.8)(vite@5.0.10) + '@sveltejs/vite-plugin-svelte': 3.0.1(svelte@4.2.8)(vite@5.0.12) debug: 4.3.4(supports-color@8.1.1) svelte: 4.2.8 - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) transitivePeerDependencies: - supports-color dev: false - /@sveltejs/vite-plugin-svelte@3.0.1(svelte@4.2.8)(vite@5.0.10): + /@sveltejs/vite-plugin-svelte@3.0.1(svelte@4.2.8)(vite@5.0.12): resolution: {integrity: sha512-CGURX6Ps+TkOovK6xV+Y2rn8JKa8ZPUHPZ/NKgCxAmgBrXReavzFl8aOSCj3kQ1xqT7yGJj53hjcV/gqwDAaWA==} engines: {node: ^18.0.0 || >=20} peerDependencies: @@ -7166,15 +7166,15 @@ packages: vite: optional: true dependencies: - '@sveltejs/vite-plugin-svelte-inspector': 2.0.0(@sveltejs/vite-plugin-svelte@3.0.1)(svelte@4.2.8)(vite@5.0.10) + '@sveltejs/vite-plugin-svelte-inspector': 2.0.0(@sveltejs/vite-plugin-svelte@3.0.1)(svelte@4.2.8)(vite@5.0.12) debug: 4.3.4(supports-color@8.1.1) deepmerge: 4.3.1 kleur: 4.1.5 magic-string: 0.30.5 svelte: 4.2.8 svelte-hmr: 0.15.3(svelte@4.2.8) - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) - vitefu: 0.2.5(vite@5.0.10) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) + vitefu: 0.2.5(vite@5.0.12) transitivePeerDependencies: - supports-color dev: false @@ -7734,7 +7734,7 @@ packages: - supports-color dev: false - /@vitejs/plugin-react@4.2.1(vite@5.0.10): + /@vitejs/plugin-react@4.2.1(vite@5.0.12): resolution: {integrity: sha512-oojO9IDc4nCUUi8qIR11KoQm0XFFLIwsRBwHRR4d/88IWghn1y6ckz/bJ8GHDCsYEJee8mDzqtJxh15/cisJNQ==} engines: {node: ^14.18.0 || >=16.0.0} peerDependencies: 
@@ -7748,12 +7748,12 @@ packages: '@babel/plugin-transform-react-jsx-source': 7.23.3(@babel/core@7.23.7) '@types/babel__core': 7.20.5 react-refresh: 0.14.0 - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) transitivePeerDependencies: - supports-color dev: false - /@vitejs/plugin-vue-jsx@3.1.0(vite@5.0.10)(vue@3.4.3): + /@vitejs/plugin-vue-jsx@3.1.0(vite@5.0.12)(vue@3.4.3): resolution: {integrity: sha512-w9M6F3LSEU5kszVb9An2/MmXNxocAnUb3WhRr8bHlimhDrXNt6n6D2nJQR3UXpGlZHh/EsgouOHCsM8V3Ln+WA==} engines: {node: ^14.18.0 || >=16.0.0} peerDependencies: @@ -7766,13 +7766,13 @@ packages: '@babel/core': 7.23.7 '@babel/plugin-transform-typescript': 7.23.6(@babel/core@7.23.7) '@vue/babel-plugin-jsx': 1.1.5(@babel/core@7.23.7) - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) vue: 3.4.3(typescript@5.2.2) transitivePeerDependencies: - supports-color dev: false - /@vitejs/plugin-vue@4.6.2(vite@5.0.10)(vue@3.4.3): + /@vitejs/plugin-vue@4.6.2(vite@5.0.12)(vue@3.4.3): resolution: {integrity: sha512-kqf7SGFoG+80aZG6Pf+gsZIVvGSCKE98JbiWqcCV9cThtg91Jav0yvYFC9Zb+jKetNGF6ZKeoaxgZfND21fWKw==} engines: {node: ^14.18.0 || >=16.0.0} peerDependencies: @@ -7782,7 +7782,7 @@ packages: vite: optional: true dependencies: - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) vue: 3.4.3(typescript@5.2.2) dev: false @@ -13400,6 +13400,14 @@ packages: picocolors: 1.0.0 source-map-js: 1.0.2 + /postcss@8.4.33: + resolution: {integrity: sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==} + engines: {node: ^10 || ^12 || >=14} + dependencies: + nanoid: 3.3.7 + picocolors: 1.0.0 + source-map-js: 1.0.2 + /preact-render-to-string@6.3.1(preact@10.19.3): resolution: {integrity: sha512-NQ28WrjLtWY6lKDlTxnFpKHZdpjfF+oE6V4tZ0rTrunHrtZp6Dm0oFrcJalt/5PNeqJz4j1DuZDS0Y6rCBoqDA==} peerDependencies: 
@@ -15588,7 +15596,7 @@ packages: mlly: 1.4.2 pathe: 1.1.1 picocolors: 1.0.0 - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.10(@types/node@18.19.4) transitivePeerDependencies: - '@types/node' - less @@ -15616,7 +15624,7 @@ packages: merge-anything: 5.1.7 solid-js: 1.8.7 solid-refresh: 0.5.3(solid-js@1.8.7) - vitefu: 0.2.5(vite@5.0.10) + vitefu: 0.2.5(vite@5.0.12) transitivePeerDependencies: - supports-color dev: false @@ -15644,7 +15652,7 @@ packages: svgo: 3.2.0 dev: false - /vite@5.0.10(@types/node@18.19.4)(sass@1.69.6): + /vite@5.0.10(@types/node@18.19.4): resolution: {integrity: sha512-2P8J7WWgmc355HUMlFrwofacvr98DAjoE52BfdbwQtyLH06XKwaL/FMnmKM2crF0iX4MpmMKoDlNCB1ok7zHCw==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true @@ -15676,11 +15684,47 @@ packages: esbuild: 0.19.11 postcss: 8.4.32 rollup: 4.9.2 + optionalDependencies: + fsevents: 2.3.3 + dev: false + + /vite@5.0.12(@types/node@18.19.4)(sass@1.69.6): + resolution: {integrity: sha512-4hsnEkG3q0N4Tzf1+t6NdN9dg/L3BM+q8SWgbSPnJvrgH2kgdyzfVJwbR1ic69/4uMJJ/3dqDZZE5/WwqW8U1w==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + peerDependencies: + '@types/node': ^18.0.0 || >=20.0.0 + less: '*' + lightningcss: ^1.21.0 + sass: '*' + stylus: '*' + sugarss: '*' + terser: ^5.4.0 + peerDependenciesMeta: + '@types/node': + optional: true + less: + optional: true + lightningcss: + optional: true + sass: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + dependencies: + '@types/node': 18.19.4 + esbuild: 0.19.11 + postcss: 8.4.33 + rollup: 4.9.2 sass: 1.69.6 optionalDependencies: fsevents: 2.3.3 - /vitefu@0.2.5(vite@5.0.10): + /vitefu@0.2.5(vite@5.0.12): resolution: {integrity: sha512-SgHtMLoqaeeGnd2evZ849ZbACbnwQCIwRH57t18FxcXoZop0uQu0uzlIhJBlF/eWVzuce0sHeqPcDo+evVcg8Q==} peerDependencies: vite: ^3.0.0 || ^4.0.0 || ^5.0.0 
@@ -15688,7 +15732,7 @@ packages: vite: optional: true dependencies: - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.12(@types/node@18.19.4)(sass@1.69.6) dev: false /vitest@0.34.6: @@ -15743,7 +15787,7 @@ packages: strip-literal: 1.3.0 tinybench: 2.5.1 tinypool: 0.7.0 - vite: 5.0.10(@types/node@18.19.4)(sass@1.69.6) + vite: 5.0.10(@types/node@18.19.4) vite-node: 0.34.6(@types/node@18.19.4) why-is-node-running: 2.2.2 transitivePeerDependencies:
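Review bot: vite 5.0.10 is still resolved in the regenerated lockfile. The final hunk (`@@ -15743,7 +15787,7 @@`, under `/vitest@0.34.6:`) re-pins `vite: 5.0.10(@types/node@18.19.4)`, the `@@ -15588,7 +15596,7 @@` hunk does the same for what looks like vite-node, and the `/vite@5.0.10(@types/node@18.19.4):` package entry is kept alongside the new `/vite@5.0.12(...)` one. The changeset describes this bump as the fix for the `vite.server.fs.deny` issue in dev mode, so the release it treats as affected stays installed for the test tooling. If that path never serves files over HTTP, the PR description should say so. Otherwise a workspace-level `"pnpm": { "overrides": { "vite": "^5.0.12" } }` followed by a lockfile regeneration would drop the old copy, and a CI check that the lockfile contains no `/vite@5.0.10` entry would keep it from returning.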