[Security] Bump vite from 4.5.0 to 4.5.1 in /frontend (!147) · Merge requests · tools / Sudoku

Dependabot requested to merge dependabot-npm_and_yarn-frontend-vite-4.5.1 into master Dec 06, 2023

Bumps vite from 4.5.0 to 4.5.1. This update includes a security fix.

Vulnerabilities fixed

Vite XSS vulnerability in server.transformIndexHtml via URL payload

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:
<script type="module">
  // Inline script
</script>
This script is transformed into a proxy script like

... (truncated)

Patched versions: 4.5.1 Affected versions: = 4.5.0

Changelog

Sourced from vite's changelog.

4.5.1 (2023-12-04)

fix: backport #15223, proxy html path should be encoded (#15226) (41bb354), closes #15223 #15226

Commits

c075115 release: v4.5.1
41bb354 fix: backport #15223, proxy html path should be encoded (#15226)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump vite from 4.5.0 to 4.5.1 in /frontend

Summary

Impact

Patches

Details

4.5.1 (2023-12-04)

Merge request reports