From 3633ec183e313131e12a202542a8fcc0a0e3ddfd Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Thu, 4 Apr 2024 12:30:04 +0300 Subject: [PATCH] Update dependency vite to v5.0.13 [SECURITY] (#273) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [vite](https://vitejs.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | devDependencies | patch | [`5.0.12` -> `5.0.13`](https://renovatebot.com/diffs/npm/vite/5.0.12/5.0.13) | --- ### Vite's `server.fs.deny` did not deny requests for patterns with directories. [GHSA-8jhw-289h-jh2g](https://github.com/advisories/GHSA-8jhw-289h-jh2g)
More information #### Details ##### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. ##### Impact Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ##### Patches Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18 ##### Details `server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=Description-,basename,-boolean) only matches the basename of the file, not the path, due to a bug (https://github.com/micromatch/picomatch/issues/89). The Vite config docs read as though `fs.deny` accepts picomatch globs. Vite also does not set `{ dot: true }`, which causes [dotfiles not to be denied](https://github.com/micromatch/picomatch/blob/master/README.md#options:~:text=error%20is%20thrown.-,dot,-boolean) unless they are explicitly listed. **Reproduction** Set fs.deny to `['**/.git/**']` and then curl for `/.git/config`. * with `matchBase: true`, you can get any file under `.git/` (config, HEAD, etc). * with `matchBase: false`, you cannot get any file under `.git/` (config, HEAD, etc). 
#### Severity - CVSS Score: 5.9 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g](https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g) - [https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0](https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0) - [https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48](https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48) - [https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67](https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67) - [https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9](https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9) - [https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258](https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258) - [https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649](https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649) - [https://github.com/vitejs/vite](https://github.com/vitejs/vite) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8jhw-289h-jh2g) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
--- ### Release Notes
vitejs/vite (vite) ### [`v5.0.13`](https://github.com/vitejs/vite/releases/tag/v5.0.13) [Compare Source](https://github.com/vitejs/vite/compare/v5.0.12...v5.0.13) Please refer to [CHANGELOG.md](https://github.com/vitejs/vite/blob/v5.0.13/packages/vite/CHANGELOG.md) for details.
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). Reviewed-on: https://git.zzdats.lv/lx/demo/pulls/273 Co-authored-by: Renovate Bot Co-committed-by: Renovate Bot
---
 package.json | 2 +-
 pnpm-lock.yaml | 49 ++++++++++++++++++++-----------------------------
 2 files changed, 21 insertions(+), 30 deletions(-)
diff --git a/package.json b/package.json
index 9908dd3..fb5cab2 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,7 @@
 "jest": "^29.7.0",
 "jsdom": "^24.0.0",
 "prettier": "^2.8.8",
- "vite": "5.0.12",
+ "vite": "5.0.13",
 "vite-plugin-html": "^3.2.2",
 "vite-plugin-mkcert": "^1.17.3",
 "vite-plugin-mock-server": "^1.1.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a9df720..15c89cd 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1,5 +1,9 @@ lockfileVersion: '6.0' +settings: + autoInstallPeers: true + excludeLinksFromLockfile: false + importers: .:
@@ -37,7 +41,7 @@ importers: devDependencies: '@vitejs/plugin-vue': specifier: ^5.0.0 - version: 5.0.0(vite@5.0.12)(vue@3.4.15) + version: 5.0.0(vite@5.0.13)(vue@3.4.15) '@vue/eslint-config-prettier': specifier: ^9.0.0 version: 9.0.0(eslint@8.40.0)(prettier@2.8.8) 
@@ -78,14 +82,14 @@ importers: specifier: ^2.8.8 version: 2.8.8 vite: - specifier: 5.0.12 - version: 5.0.12 + specifier: 5.0.13 + version: 5.0.13 vite-plugin-html: specifier: ^3.2.2 - version: 3.2.2(vite@5.0.12) + version: 3.2.2(vite@5.0.13) vite-plugin-mkcert: specifier: ^1.17.3 - version: 1.17.3(vite@5.0.12) + version: 1.17.3(vite@5.0.13) vite-plugin-mock-server: specifier: ^1.1.2 version: 1.1.2
@@ -1713,14 +1717,14 @@ packages: '@types/yargs-parser': 21.0.0 dev: true - /@vitejs/plugin-vue@5.0.0(vite@5.0.12)(vue@3.4.15): + /@vitejs/plugin-vue@5.0.0(vite@5.0.13)(vue@3.4.15): resolution: {integrity: sha512-7x5e8X4J1Wi4NxudGjJBd2OFerAi/0nzF80ojCzvfj347WVr0YSn82C8BSsgwSHzlk9Kw5xnZfj0/7RLnNwP5w==} engines: {node: ^18.0.0 || >=20.0.0} peerDependencies: vite: ^5.0.0 vue: ^3.2.25 dependencies: - vite: 5.0.12 + vite: 5.0.13 vue: 3.4.15 dev: true
@@ -5086,15 +5090,6 @@ packages: util-deprecate: 1.0.2 dev: true - /postcss@8.4.32: - resolution: {integrity: sha512-D/kj5JNu6oo2EIy+XL/26JEDTlIbB8hw85G8StOE6L74RQAVVP5rej6wxCNqyMbR4RkPfqvezVbPw81Ngd6Kcw==} - engines: {node: ^10 || ^12 || >=14} - dependencies: - nanoid: 3.3.7 - picocolors: 1.0.0 - source-map-js: 1.0.2 - dev: true - /postcss@8.4.33: resolution: {integrity: sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==} engines: {node: ^10 || ^12 || >=14}
@@ -5982,7 +5977,7 @@ packages: debug: 4.3.4 pathe: 1.1.1 picocolors: 1.0.0 - vite: 5.0.12 + vite: 5.0.13 transitivePeerDependencies: - '@types/node' - less
@@ -5994,7 +5989,7 @@ packages: - terser dev: true - /vite-plugin-html@3.2.2(vite@5.0.12): + /vite-plugin-html@3.2.2(vite@5.0.13): resolution: {integrity: sha512-vb9C9kcdzcIo/Oc3CLZVS03dL5pDlOFuhGlZYDCJ840BhWl/0nGeZWf3Qy7NlOayscY4Cm/QRgULCQkEZige5Q==} peerDependencies: vite: '>=2.0.0' 
@@ -6011,10 +6006,10 @@ packages: html-minifier-terser: 6.1.0 node-html-parser: 5.4.2 pathe: 0.2.0 - vite: 5.0.12 + vite: 5.0.13 dev: true - /vite-plugin-mkcert@1.17.3(vite@5.0.12): + /vite-plugin-mkcert@1.17.3(vite@5.0.13): resolution: {integrity: sha512-C8iLz4Su4kEyJb1GdlGIMfKkYMqfH5qvhqVP1x/hrc+1mo9GOzqU88mevvP5epgoqawkhVpcQVQ+HTFXsRuC0g==} engines: {node: '>=v16.7.0'} peerDependencies:
@@ -6024,7 +6019,7 @@ packages: axios: 1.6.7(debug@4.3.4) debug: 4.3.4 picocolors: 1.0.0 - vite: 5.0.12 + vite: 5.0.13 transitivePeerDependencies: - supports-color dev: true
@@ -6036,8 +6031,8 @@ packages: chokidar: 3.5.3 dev: true - /vite@5.0.12: - resolution: {integrity: sha512-4hsnEkG3q0N4Tzf1+t6NdN9dg/L3BM+q8SWgbSPnJvrgH2kgdyzfVJwbR1ic69/4uMJJ/3dqDZZE5/WwqW8U1w==} + /vite@5.0.13: + resolution: {integrity: sha512-/9ovhv2M2dGTuA+dY93B9trfyWMDRQw2jdVBhHNP6wr0oF34wG2i/N55801iZIpgUpnHDm4F/FabGQLyc+eOgg==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true peerDependencies:
@@ -6065,7 +6060,7 @@ packages: optional: true dependencies: esbuild: 0.19.11 - postcss: 8.4.32 + postcss: 8.4.33 rollup: 4.9.2 optionalDependencies: fsevents: 2.3.3
@@ -6115,7 +6110,7 @@ packages: strip-literal: 1.3.0 tinybench: 2.5.1 tinypool: 0.8.2 - vite: 5.0.12 + vite: 5.0.13 vite-node: 1.2.2 why-is-node-running: 2.2.2 transitivePeerDependencies:
@@ -6485,7 +6480,3 @@ packages: dependencies: '@types/emscripten': 1.39.10 dev: false - -settings: - autoInstallPeers: true - excludeLinksFromLockfile: false