chore: [security] bump vite from 5.4.11 to 5.4.12 #370

Merged
martinr92 merged 1 commit from dependabot-npm_and_yarn-develop-vite-5.4.12 into develop 2025-02-23 13:12:04 +00:00
martinr92 commented 2025-01-22 03:57:19 +00:00 (Migrated from gitlab.com)

Bumps vite from 5.4.11 to 5.4.12. This update includes a security fix.

Vulnerabilities fixed

Websites were able to send any requests to the development server and read the response in vite

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Upgrade Path

Users that do not match any of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

  • Using the backend integration feature
  • Using a reverse proxy in front of Vite
  • Accessing the development server via a domain other than localhost or *.localhost
  • Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

... (truncated)

Patched versions: 4.5.6; 5.4.12; 6.0.9
Affected versions: >= 6.0.0, <= 6.0.8

Changelog

Sourced from vite's changelog.

5.4.12 (2025-01-20)

  • fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (9da4abc)
  • fix!: default server.cors: false to disallow fetching from untrusted origins (dfea38f)
  • fix: verify token for HMR WebSocket connection (b71a5c8)
  • chore: add deps update changelog (ecd2375)

Commits
  • f428aa9 release: v5.4.12
  • 9da4abc fix!: check host header to prevent DNS rebinding attacks and introduce `serve...
  • b71a5c8 fix: verify token for HMR WebSocket connection
  • dfea38f fix!: default server.cors: false to disallow fetching from untrusted origins
  • ecd2375 chore: add deps update changelog
  • See full diff in compare view

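The upgrade path above names the settings to change but does not show them together or show what each one rejects. The block below is an added example, not Vite's own code and not part of this merge request: it writes the hardened `server` block as it would appear in vite.config.js next to the permissive settings the advisory warns about, and pairs them with a simplified model of the two checks 5.4.12 adds (the Host header check from 9da4abc and the new `cors: false` default from dfea38f) so the effect of each setting can be exercised offline. The hostnames `vite` and `foo.example.com` come from the text; the backend origin `http://backend.localhost:8000` and the attacker hostnames are made up. The leading-dot wildcard and the always-accepted IP literals follow Vite's documented `server.allowedHosts` semantics; the model functions are not Vite's middleware and only approximate it.

```javascript
// Added example: not Vite's code and not this project's. "vite" and
// "foo.example.com" come from the advisory text; "http://backend.localhost:8000"
// and the attacker hostnames are made-up placeholders.

// 1. The `server` settings the upgrade path asks for, as they would appear in
//    vite.config.js: an explicit allowedHosts list for the reverse proxy and the
//    external domain, and a CORS allowlist naming the backend integration's
//    origin (a specific origin, never '*').
const hardenedServer = {
  allowedHosts: ['vite', 'foo.example.com'],
  cors: { origin: ['http://backend.localhost:8000'] },
};

// The permissive settings the advisory warns about: the pre-5.4.12 CORS default
// (any origin may read dev-server responses) and no Host header restriction.
const permissiveServer = {
  allowedHosts: true,
  cors: true,
};

// Extract the hostname from a Host header value, dropping the port and the
// brackets around an IPv6 literal. Returns null for an empty or malformed header.
function hostnameOf(hostHeader) {
  const value = String(hostHeader).trim().toLowerCase();
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    return end > 1 ? value.slice(1, end) : null;
  }
  const name = value.split(':')[0];
  return name.length > 0 ? name : null;
}

// Simplified model of the Host header check from 9da4abc (not Vite's actual
// middleware). Rules, per Vite's allowedHosts documentation (assumption):
// localhost, *.localhost and IP literals are always accepted; a list entry
// starting with "." matches that domain and all of its subdomains.
function isHostAllowed(hostHeader, allowedHosts) {
  if (allowedHosts === true) return true; // check disabled: not recommended
  const host = hostnameOf(hostHeader);
  if (host === null) return false;
  const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  if (isIpLiteral) return true;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  return allowedHosts.some((entry) =>
    entry.startsWith('.')
      ? host === entry.slice(1) || host.endsWith(entry)
      : host === entry,
  );
}

// Simplified model of the CORS decision (dfea38f): the value to send back in
// Access-Control-Allow-Origin for a request carrying `originHeader`, or null
// to send nothing so the browser blocks the cross-origin read.
function allowOriginFor(originHeader, cors) {
  if (!cors) return null;                           // new default `cors: false`
  const origin = cors === true ? '*' : cors.origin; // `cors: true` = cors package defaults
  if (origin === '*') return '*';                   // wide open
  if (origin === true) return originHeader;         // reflect any origin: also wide open
  const allowlist = Array.isArray(origin) ? origin : [origin];
  return allowlist.includes(originHeader) ? originHeader : null;
}

// Exercise one `server` setting against the legitimate requests from the text,
// a loopback request, a DNS-rebinding page's Host header and a hostile origin.
function evaluate(server) {
  return {
    viaProxy: isHostAllowed('vite:5173', server.allowedHosts),
    viaDomain: isHostAllowed('foo.example.com:8080', server.allowedHosts),
    viaLoopback: isHostAllowed('[::1]:5173', server.allowedHosts),
    viaRebind: isHostAllowed('rebind.attacker.example:5173', server.allowedHosts),
    backendOrigin: allowOriginFor('http://backend.localhost:8000', server.cors),
    hostileOrigin: allowOriginFor('https://attacker.example', server.cors),
  };
}

console.log('hardened  ', evaluate(hardenedServer));
console.log('permissive', evaluate(permissiveServer));
```

Run it with Node. The case worth checking in your own config is `viaRebind`: with `allowedHosts: true` a page that rebinds `rebind.attacker.example` to 127.0.0.1 is served as if it were local, while the hardened list rejects it; independently, `cors: false` keeps other origins from reading responses even when they can reach the port.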
martinr92 commented 2025-01-22 03:57:19 +00:00 (Migrated from gitlab.com)

assigned to @martinr92
martinr92 commented 2025-01-22 03:57:23 +00:00 (Migrated from gitlab.com)

mentioned in merge request !345
martinr92 commented 2025-01-22 03:57:24 +00:00 (Migrated from gitlab.com)

restored source branch `dependabot-npm_and_yarn-develop-vite-5.4.12`
martinr92 commented 2025-02-23 13:04:11 +00:00 (Migrated from gitlab.com)

added 12 commits

  • c718d7ec...54923d5f - 11 commits from branch develop
  • 7abb9133 - chore: [security] bump vite from 5.4.11 to 5.4.12

Compare with previous version: /marty-media/server/-/merge_requests/346/diffs?diff_id=1273664378&start_sha=c718d7ec4e59cfcf094ec7439b7f39a868704e1d
martinr92 commented 2025-02-23 13:08:11 +00:00 (Migrated from gitlab.com)
SonarQube Cloud Code Analysis

Quality Gate passed

Issues
  • 0 New issues
  • 0 Accepted issues

Measures
  • 0 Security Hotspots
  • 0.0% Coverage on New Code
  • 0.0% Duplication on New Code

See analysis details on SonarQube Cloud: https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=346
martinr92 (Migrated from gitlab.com) merged commit into develop 2025-02-23 13:12:05 +00:00
martinr92 commented 2025-02-23 14:38:39 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.6.0-beta.1 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.6.0-beta.1

Your semantic-release bot 📦 🚀
martinr92 commented 2025-03-02 14:17:59 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.6.0 🎉

The release is available on GitLab release: https://gitlab.com/marty-media/server/-/releases/v0.6.0

Your semantic-release bot 📦 🚀