Bump vite from 5.4.0 to 5.4.11 #4645
base: master
Conversation
@dependabot merge
Sorry, only users with push access can use that command.

force-pushed from 77d8d09 to f69ac1c
@dependabot merge
force-pushed from f69ac1c to 9ccb39c
@dependabot merge
force-pushed from 9ccb39c to 2d58bdf
@dependabot merge
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.0 to 5.4.11.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v5.4.11/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v5.4.11/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

force-pushed from 2d58bdf to 9beeda1
@dependabot merge
"object-assign": "^4.1.1" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/semver": { |
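Review bot: `node_modules/@teambit/legacy/node_modules/semver` is a nested copy installed for `@teambit/legacy`, so its version comes from that package's own dependency range rather than from this repository's manifest; the one-line lockfile edit suggested in the comment below changes only `"version"` and leaves the entry's `resolved`/`integrity` fields pointing at the old tarball, so the next `npm install` will either reject the entry or regenerate it back to 7.3.4. A durable fix is an npm `overrides` entry for `semver` in package.json (or an upstream bump of `@teambit/legacy`) followed by regenerating package-lock.json, and it belongs in its own PR rather than in this Dependabot patch bump.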
❌ Codacy found a critical Security issue: Insecure dependency semver@7.3.4 (CVE-2022-25883: nodejs-semver: Regular expression denial of service) (update to 7.5.2, 6.3.1, 5.7.2)

The issue identified by the Trivy linter is related to a security vulnerability in the `semver` package, specifically version 7.3.4. This vulnerability, documented as CVE-2022-25883, exposes the application to a Regular Expression Denial of Service (ReDoS) attack, which could allow an attacker to exploit certain regular expressions to cause excessive resource consumption, potentially leading to application downtime or degraded performance.

To resolve this issue, you should update the `semver` package to a non-vulnerable version. The suggested non-vulnerable versions are 7.5.2, 6.3.1, or 5.7.2. A simple way to fix this issue is to change the version of `semver` in your dependency tree to one of the suggested versions.

Here's the one-line code suggestion to update the version of `semver`:

```json
"node_modules/@teambit/legacy/node_modules/semver": { "version": "7.5.2", ... }
```

Make sure to test your application after making this change to ensure compatibility with the new version of the `semver` package.
This comment was generated by an experimental AI tool.
"concat-map": "0.0.1" | ||
} | ||
}, | ||
"node_modules/npm-run-all/node_modules/cross-spawn": { |
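Review bot: the suggested replacement in the comment below is a two-line fragment (`"node_modules/npm-run-all/node_modules/cross-spawn": {` followed by `"version": "7.0.5",`) with no `resolved`, `integrity` or closing brace, so it cannot be applied to the lockfile as written. Because this is `npm-run-all`'s own nested copy, 6.0.5 to 7.0.5 is a major bump that npm will only pick up if the range `npm-run-all` declares admits it; otherwise an `overrides` entry is needed, and the repository's scripts that go through `npm-run-all` should be run afterwards, since cross-spawn sits on their process-spawning path.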
❌ Codacy found a critical Security issue: Insecure dependency cross-spawn@6.0.5 (CVE-2024-21538: Regular Expression Denial of Service (ReDoS) in cross-spawn) (update to 7.0.5)

The issue identified by the Trivy linter pertains to a security vulnerability in the `cross-spawn` package, specifically version 6.0.5. This vulnerability, classified as CVE-2024-21538, relates to a Regular Expression Denial of Service (ReDoS) attack, which can potentially allow an attacker to exploit the regular expression processing in the code, leading to performance degradation or application downtime.

To resolve this security issue, you should update the version of the `cross-spawn` package to at least 7.0.5, which contains the necessary fixes.

Here's the code suggestion to update the version of `cross-spawn`:

```json
"node_modules/npm-run-all/node_modules/cross-spawn": {
  "version": "7.0.5",
```

This single line change updates the version of `cross-spawn` to a secure version. After making this change, ensure to run your package manager (like npm or yarn) to install the updated dependency.
This comment was generated by an experimental AI tool.
@@ -58379,6 +67352,16 @@ | |||
"node": ">=4.0.0" | |||
} | |||
}, | |||
"node_modules/vue-template-compiler": { |
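Review bot: the hunk header `@@ -58379,6 +67352,16 @@` places these six context lines almost 9,000 lines further down in the new package-lock.json, and the later header `@@ -57672,6 +66479,112 @@` shows the same offset, so this patch-level vite bump is carrying a far larger lockfile rewrite than the one-package change in the title; confirm the lockfile was not regenerated with a different npm version or `lockfileVersion`, and review the lines added by the `+16` and `+112` hunks rather than only the context lines Codacy commented on. The suggestion in the comment below also replaces a lockfile package entry (`"node_modules/vue-template-compiler": {`) with a dependency-range line (`"vue-template-compiler": "^3.0.0",`), which is not valid inside the `packages` map of a lockfile.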
The issue identified by the Trivy linter is related to a security vulnerability in the `vue-template-compiler` package version 2.6.12. This vulnerability, identified as CVE-2024-6783, exposes applications to client-side Cross-Site Scripting (XSS) attacks. To mitigate this risk, it is recommended to update the `vue-template-compiler` to a newer version that has addressed this vulnerability.

To fix the issue, you should update the version of `vue-template-compiler` to at least 3.0.0. This can typically be done in your `package.json` file or by running the appropriate npm command.

Here’s the single line change you need to make:

```json
"vue-template-compiler": "^3.0.0",
```
This comment was generated by an experimental AI tool.
@@ -57672,6 +66479,112 @@ | |||
"integrity": "sha512-x00IRNXNy63jwGkJmzPigoySHbaqpNuzKbBOmzK+g2OdZpQ9w+sxCN+VSB3ja7IAge2OP2qpfxTjeNcyjmW1uw==", | |||
"license": "ISC" | |||
}, | |||
"node_modules/utile": { |
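Review bot: the suggestion in the comment below replaces the `node_modules/utile` entry with `"node_modules/utile": {},`, which does not remove the package: it leaves an entry with no `version`, `resolved` or `integrity` (compare the complete entry ending just above it, with its `integrity` and `license` fields), which npm can neither install nor verify, while the 0.3.0 copy already on disk stays in place. With no fixed release available, the real decision is which dependency pulls `utile` in and whether that dependent can be replaced; deleting lockfile fields by hand achieves neither.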
ℹ️ Codacy found a minor Security issue: Insecure dependency utile@0.3.0 (NSWG-ECO-445: Out-of-bounds Read) (no fix available)

The issue reported by the Trivy linter indicates that the `utile` package version 0.3.0 has a security vulnerability classified as an "Out-of-bounds Read." This type of vulnerability can lead to potential information leaks or crashes in applications if the code does not properly validate input or manage memory. Since there is no fix available for this version, the recommended action is to remove or replace the vulnerable package.

To address this issue, you can remove the `utile` package from your dependencies. This can be done by modifying your `package.json` file or directly removing it from your `node_modules`. Here’s the code suggestion to remove the `utile` package:

```json
"node_modules/utile": {},
```

This effectively removes the `utile` package from your dependencies, mitigating the security risk associated with it. However, please ensure that you assess the impact of this change on your project and replace any functionality that depended on `utile` with a suitable alternative if necessary.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
The issue identified by the Trivy linter pertains to a known security vulnerability in the `minimist` package, specifically version 0.0.10. This vulnerability (CVE-2020-7598) allows for prototype pollution, which means that an attacker can manipulate the properties of `Object.prototype` through malicious payloads. This can lead to unexpected behavior in the application, potentially compromising its security.

To resolve this issue, you should update the `minimist` dependency to a version that is not affected by this vulnerability. The suggested version is 0.2.1 or later.

Here's the code suggestion to fix the issue by updating the version of `minimist`:

```json
"node_modules/package-json-validator/node_modules/minimist": {
  "version": "0.2.1",
  "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.2.1.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true
}
```

Make sure to replace `<new-integrity-hash>` with the actual integrity hash for version 0.2.1. Additionally, you may need to run `npm install` or `npm update` to ensure that your `package-lock.json` reflects this change and installs the updated version.
This comment was generated by an experimental AI tool.
"pjv": "bin/pjv" | ||
} | ||
}, | ||
"node_modules/package-json-validator/node_modules/minimist": { |
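Review bot: the two Codacy comments attached to this entry propose different targets, 0.2.1 (above) and 1.2.3 (below), and both leave `"integrity": "sha512-<new-integrity-hash>"` as a placeholder; a lockfile entry whose integrity does not match the tarball is rejected at install time, so the entry has to be produced by npm (`npm update minimist`, or an `overrides` entry followed by a regenerated lockfile) rather than typed in. As with the other nested copies in this diff, 0.0.10 is required by `package-json-validator`, so the range that package declares decides which of 0.2.1 or 1.2.3 can actually be installed; check the result with `npm ls minimist`.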
❌ Codacy found a critical Security issue: Insecure dependency minimist@0.0.10 (CVE-2020-7598: nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload) (update to 0.2.1, 1.2.3)

The issue identified by the Trivy linter is a security vulnerability in the `minimist` package version 0.0.10. This version is affected by a prototype pollution vulnerability (CVE-2020-7598), which allows an attacker to add or modify properties of `Object.prototype` through crafted input. This can lead to unexpected behavior and potential security risks in applications that rely on this package.

To resolve this issue, we need to update the `minimist` dependency to a secure version. The recommended versions to upgrade to are 0.2.1 or 1.2.3, which do not have this vulnerability.

Here’s the code suggestion to update the `minimist` dependency:

```json
"node_modules/package-json-validator/node_modules/minimist": {
  "version": "1.2.3",
  "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.3.tgz",
  "integrity": "sha512-<new-integrity-hash>",
  "peer": true
}
```

Note: You would need to replace `<new-integrity-hash>` with the actual integrity hash for version 1.2.3 after fetching it from the npm registry.
This comment was generated by an experimental AI tool.
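The two comments above describe the class of bug behind CVE-2020-7598: an argument or JSON parser that writes attacker-chosen keys onto a plain object lets `__proto__`, `constructor` and `prototype` reach `Object.prototype`. The following is an added example, not minimist's code or anything from this repository: a small `--key=value` parser that refuses those keys and stores everything on prototype-less objects, plus an ingress check that walks a parsed JSON body and reports any such key. All function and constant names (`parseArgs`, `setPath`, `findUnsafeKeys`, `SAMPLE_ARGV`) and the sample input are this example's own.

```javascript
// Added example (not minimist's code): a small "--key=value" / "--a.b value"
// argument parser that refuses the keys prototype-pollution payloads rely on,
// plus an ingress check for parsed JSON. All names here are this example's own.

// Keys that reach Object.prototype when set on a plain object or via a path.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// Set a dotted path on `target`. Intermediate objects are created without a
// prototype, so even an own property literally named "__proto__" would be
// inert; the explicit check rejects the whole path before anything is written.
// Returns true if the value was stored, false if the path was rejected.
function setPath(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some(isUnsafeKey)) return false;
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (typeof cur[p] !== 'object' || cur[p] === null) cur[p] = Object.create(null);
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Parse argv-style input. Returns the parsed arguments (a prototype-less
// object) and the list of keys that were rejected, so callers can log them.
function parseArgs(argv) {
  const args = Object.create(null);
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const token = argv[i];
    if (!token.startsWith('--')) continue; // positional args are out of scope here
    let key = token.slice(2);
    let value;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    } else {
      value = true; // bare flag
    }
    if (!setPath(args, key, value)) rejected.push(key);
  }
  return { args, rejected };
}

// Walk a parsed JSON value and return the dotted paths of any unsafe keys.
// JSON.parse creates an own property for "__proto__", so the pollution only
// happens later when such an object is merged into a normal one; this check
// lets a service reject the payload at ingress instead.
function findUnsafeKeys(value, path = '', found = []) {
  if (value !== null && typeof value === 'object') {
    for (const k of Object.keys(value)) {
      const here = path ? `${path}.${k}` : k;
      if (isUnsafeKey(k)) found.push(here);
      findUnsafeKeys(value[k], here, found);
    }
  }
  return found;
}

// Constructed sample input: two legitimate options and one crafted key.
const SAMPLE_ARGV = ['--name', 'demo', '--__proto__.polluted=yes', '--opts.depth', '3'];
const sampleReport = parseArgs(SAMPLE_ARGV);
console.log('parsed:', sampleReport.args, 'rejected:', sampleReport.rejected);
console.log('Object.prototype.polluted is', ({}).polluted); // undefined: nothing leaked
console.log('unsafe keys in JSON body:', findUnsafeKeys(JSON.parse('{"a":{"__proto__":{"x":1}}}')));
```

The rejected list is deliberately returned rather than thrown away: in a service, a non-empty `rejected` array is the detection signal worth logging, because a legitimate client has no reason to send those keys.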
@@ -36079,6 +41408,12 @@ | |||
"url": "https://github.com/sindresorhus/invert-kv?sponsor=1" | |||
} | |||
}, | |||
"node_modules/ip": { |
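Review bot: unlike the nested entries elsewhere in this diff, `node_modules/ip` is the hoisted top-level copy, so `npm update ip` will regenerate the entry with matching `resolved`/`integrity` if the dependents' ranges allow 1.1.9; the suggestion in the comment below keeps only `"version": "1.1.9",` and drops the rest of the entry, so it should not be applied as written. `ip` is also not the package this PR bumps, so the finding is better tracked separately than folded into the vite update.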
ℹ️ Codacy found a minor Security issue: Insecure dependency ip@1.1.5 (CVE-2023-42282: nodejs-ip: arbitrary code execution via the isPublic() function) (update to 1.1.9)

The issue reported by the Trivy linter indicates that the version of the `ip` package (1.1.5) has a known security vulnerability (CVE-2023-42282) that allows for arbitrary code execution through the `isPublic()` function. This vulnerability can potentially be exploited by an attacker to execute malicious code within the application, leading to severe security risks.

To resolve this issue, you should update the `ip` package to a secure version (at least 1.1.9) where this vulnerability has been fixed.

Here’s the code suggestion to update the version of the `ip` package in your `package.json` (or equivalent dependency file):

```json
"node_modules/ip": {
  "version": "1.1.9",
```

Make sure to run `npm install` after making this change to ensure the updated package is installed.
This comment was generated by an experimental AI tool.
"node": ">=10" | ||
} | ||
}, | ||
"node_modules/@teambit/legacy/node_modules/minimatch": { |
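Review bot: the suggestion in the comment below puts a dependency line (`"minimatch": "^3.0.5"`) where the lockfile expects the package entry for `node_modules/@teambit/legacy/node_modules/minimatch`, and the `"node": ">=10"` context above it belongs to the previous entry's `engines` block, so applying the suggestion would corrupt both entries. 3.0.4 to 3.0.5 is a patch-level move, so this nested copy is likely to be accepted by whatever range `@teambit/legacy` declares; run `npm update minimatch` and confirm with `npm ls minimatch` rather than editing the lockfile.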
❌ Codacy found a critical Security issue: Insecure dependency minimatch@3.0.4 (CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function) (update to 3.0.5)

The issue identified by the Trivy linter is a security vulnerability in the `minimatch` package version 3.0.4, which is susceptible to a Regular Expression Denial of Service (ReDoS) attack via the `braceExpand` function. This vulnerability, documented as CVE-2022-3517, can allow an attacker to exploit the way `minimatch` processes certain patterns, potentially leading to performance degradation or application downtime. The recommended fix is to update to version 3.0.5 or later, where the vulnerability has been addressed.

To resolve the issue, you can update the version of `minimatch` in your `package.json` or wherever the dependency is specified. Here’s the single line change that you would make:

```json
"minimatch": "^3.0.5"
```

This change updates the `minimatch` package to a secure version.
This comment was generated by an experimental AI tool.
@@ -35312,6 +40062,12 @@ | |||
"node": ">= 0.6" | |||
} | |||
}, | |||
"node_modules/http-cache-semantics": { |
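Review bot: the suggestion in the comment below (`"node_modules/http-cache-semantics": { "version": "4.1.1", ...`) is an elided fragment, and 3.8.1 to 4.1.1 crosses a major version, so whichever package depends on this hoisted entry must declare a range that accepts 4.x before npm will install it; otherwise an `overrides` entry is required and the dependent's HTTP caching behaviour should be retested, since a major bump of a cache-policy library can change what gets cached.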
❌ Codacy found a critical Security issue: Insecure dependency http-cache-semantics@3.8.1 (CVE-2022-25881: http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability) (update to 4.1.1)

The issue identified by the Trivy linter is a security vulnerability in the `http-cache-semantics` package, specifically version 3.8.1. This vulnerability, tracked as CVE-2022-25881, is a Regular Expression Denial of Service (ReDoS) vulnerability. This type of vulnerability can allow an attacker to exploit the regular expressions used in the package, potentially leading to performance degradation or service disruption.

To resolve this issue, you should update the `http-cache-semantics` package to the recommended version 4.1.1, which addresses the vulnerability.

Here is the single line code suggestion to update the version:

```json
"node_modules/http-cache-semantics": { "version": "4.1.1", ...
```

Make sure to also run `npm install` after making this change to ensure the updated version is installed.
This comment was generated by an experimental AI tool.
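Every Codacy finding on this PR is an entry in package-lock.json, and several of them sit under a nested `node_modules/<parent>/node_modules/<name>` path, which is the lockfile's way of saying the copy belongs to that parent and is pinned by the parent's range, not by this repository's package.json. The following is an added example, not Codacy's, Trivy's or Dependabot's code: a script that audits the `packages` map of a lockfileVersion 2 or 3 lockfile against a small advisory list and reports, for each hit, whether the copy is hoisted or nested and which parent requires it. `SAMPLE_LOCK` is a constructed excerpt using the paths from the diff above (the 7.6.0 and 1.2.8 hoisted entries are invented as clean controls), `ADVISORIES` repeats the fixed versions quoted in the comments, and all function names are this example's own.

```javascript
// Added example (not Codacy's, Trivy's or Dependabot's code): audit the `packages`
// map of a package-lock.json (lockfileVersion 2 or 3) against a list of advisories.
// SAMPLE_LOCK and ADVISORIES are constructed for this example; the advisory
// versions are the ones quoted in the review comments on this PR.

// "1.2.3" -> [1, 2, 3]; a pre-release suffix is dropped for this example.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function cmpVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// An advisory lists one fixed version per maintained release line (for semver:
// 5.7.2, 6.3.1, 7.5.2). A version is vulnerable if it is below the fix on its own
// major line, or if its major line is older than every line that received a fix.
function isVulnerable(version, fixedIn) {
  const major = parseVersion(version)[0];
  const sameLine = fixedIn.filter((f) => parseVersion(f)[0] === major);
  if (sameLine.length > 0) return cmpVersions(version, sameLine[0]) < 0;
  const oldestFix = fixedIn.reduce((m, f) => (cmpVersions(f, m) < 0 ? f : m));
  return cmpVersions(version, oldestFix) < 0;
}

// "node_modules/@teambit/legacy/node_modules/semver"
//   -> { name: "semver", parents: ["@teambit/legacy"] }
// A non-empty parents list means this is a nested copy installed for the last
// parent, so its version is chosen by that parent's range, not by package.json.
function splitLockPath(lockPath) {
  const parts = lockPath.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
  return { name: parts[parts.length - 1], parents: parts.slice(0, -1) };
}

function auditLock(lock, advisories) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || !entry.version) continue; // "" is the root project
    const { name, parents } = splitLockPath(lockPath);
    for (const adv of advisories) {
      if (adv.name !== name || !isVulnerable(entry.version, adv.fixedIn)) continue;
      findings.push({
        path: lockPath,
        name,
        version: entry.version,
        id: adv.id,
        fixedIn: adv.fixedIn,
        nested: parents.length > 0,
        requiredBy: parents.length > 0 ? parents[parents.length - 1] : null,
        dev: entry.dev === true,
      });
    }
  }
  return findings;
}

function formatFinding(f) {
  const where = f.nested ? `nested copy required by ${f.requiredBy}` : 'hoisted top-level copy';
  const scope = f.dev ? 'dev' : 'prod';
  return `${f.id}: ${f.name}@${f.version} at ${f.path} (${where}, ${scope}); fixed in ${f.fixedIn.join(', ')}`;
}

// Constructed lockfile excerpt using the paths that appear in the diff on this PR.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { vite: '^5.4.11' } },
    'node_modules/semver': { version: '7.6.0' },
    'node_modules/@teambit/legacy/node_modules/semver': { version: '7.3.4' },
    'node_modules/npm-run-all/node_modules/cross-spawn': { version: '6.0.5', dev: true },
    'node_modules/ip': { version: '1.1.5' },
    'node_modules/minimist': { version: '1.2.8' },
  },
};

// Advisory data as quoted in the Codacy comments on this PR.
const ADVISORIES = [
  { id: 'CVE-2022-25883', name: 'semver', fixedIn: ['5.7.2', '6.3.1', '7.5.2'] },
  { id: 'CVE-2024-21538', name: 'cross-spawn', fixedIn: ['7.0.5'] },
  { id: 'CVE-2023-42282', name: 'ip', fixedIn: ['1.1.9'] },
  { id: 'CVE-2020-7598', name: 'minimist', fixedIn: ['0.2.1', '1.2.3'] },
];

for (const finding of auditLock(SAMPLE_LOCK, ADVISORIES)) {
  console.log(formatFinding(finding));
}
```

The `nested`/`requiredBy` fields are the part a reviewer actually needs: a hoisted hit can usually be cleared with `npm update <name>`, while a nested hit means the parent's declared range has to admit the fixed version (or an `overrides` entry has to force it) before any lockfile change will survive the next install.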
Bumps vite from 5.4.0 to 5.4.11.

Release notes
Sourced from vite's releases.

Changelog
Sourced from vite's changelog.
... (truncated)

Commits
- c54c860 release: v5.4.11
- 5f52bc8 release: v5.4.10
- 7d1a3bc fix: backport #18367, augment hash for CSS files to prevent chromium erroring ...
- 898d61f release: v5.4.9
- 508d9ab fix: bump launch-editor-middleware to v2.9.1 (#18348)
- dc5434c fix(deps): bump tsconfck (#18322)
- 851b258 fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252)
- 96084d6 fix(data-uri): only match ids starting with `data:` (#18241)
- eae00b5 fix(css): fix lightningcss dep url resolution with custom root (#18125)
- c23558a chore: update all url references of vitejs.dev to vite.dev (#18276)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)