fix(security): upgrade vite to 5.4.21 with rollup and static-copy fixes #287
…static-copy to 2.3.2

Major version bump for vite (4→5) and companion plugins to resolve multiple security vulnerabilities:
- vite: server.fs.deny bypass, middleware file serving issues, HTML file access bypass
- rollup: Arbitrary File Write via Path Traversal
- vite-plugin-static-copy: Files not in src accessible via crafted request

Also updates @vitejs/plugin-vue from ^4.2.3 to ^5.2.4 for vite 5 compatibility, and adds rollup override to ensure all transitive copies are patched.

Resolves Dependabot alerts:
- #141, #140, #139, #128, #89, #88 (vite)
- #147, #115, #114 (rollup)
- #138, #86 (vite-plugin-static-copy)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
vite-plugin-checker 0.8 had a peer dep mismatch with vue-tsc (~2.1.6 vs installed 2.2.12). Version 0.11 fixes this and properly declares vite >= 5.4.20 compatibility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Regenerated package-lock.json via clean install (rm -rf node_modules package-lock.json && npm install). This resolves many transitive dependencies to their latest patched versions:
- lodash/lodash-es → 4.17.23 (fixes prototype pollution)
- minimatch → patched within semver ranges
- svelte/lit-svelte-stores removed from tree entirely
- undici resolved via wrangler 4.75.0
- nanoid (postcss) → 3.3.11

Remaining unfixable vulns (blocked on upstream):
- electron (hc-spin pins ^29, fix needs ^35)
- esbuild (vite 5 pins ^0.21, fix needs ^0.25)
- nanoid 5.0.4 (hc-spin pins exact version)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Relevance Analysis

The vulnerabilities this PR fixes fall into categories:

Vite/Rollup/vite-plugin-static-copy (11 alerts) — These are dev server and build tool vulnerabilities (path traversal in dev server, file serving bypasses). They affect the vite dev server and build pipeline, not the built output. In production (local Holochain runtime or HWC), the vite dev server isn't running. These only matter if you expose the dev server on a network during development.

Lockfile transitive fixes (24 alerts): lodash prototype pollution (4.17.21→4.17.23) — You do depend on lodash at runtime. However, this is a theoretical prototype pollution vector that requires an attacker to control arguments to specific lodash functions. In a Holochain app where input comes from the DHT/zome calls, exploitation is extremely unlikely.

Verdict

Closing for now, may update later.
Summary
This PR is the primary security fix — it upgrades vite and companion plugins, AND includes a regenerated lockfile from a clean install that resolves most transitive vulnerabilities.
Direct dependency changes (ui/package.json)
- vite: ^4.3.5 → ^5.4.21
- @vitejs/plugin-vue: ^4.2.3 → ^5.2.4
- vite-plugin-static-copy: ^0.13.1 → ^2.3.2
- vite-plugin-checker: ^0.8.0 → ^0.11.0

Override added (package.json)
- rollup → ^4.59.0

Lockfile regeneration bonus fixes
The clean install (rm -rf node_modules package-lock.json && npm install) also resolved:

Dependabot Alerts Resolved
Directly by package upgrades (11):
By lockfile regeneration (24):
Total: 35 of 38 alerts resolved
Not fixed (blocked on upstream)
Test plan
- npm install completes without errors
- npm audit shows only 8 remaining (all blocked on upstream)
- npm run build --workspace ui succeeds

🤖 Generated with Claude Code