I checked we don't need to do more (like releasing or restarting the demos).
AFAIK we are not using Vite in a manner to be affected.
https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67
<<Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the
immediate Vite project root folder could be exposed.>>
On 06/06/2023 at 08:40, Jacques Le Roux wrote:
Hi,
I have just handled it.
On 06/06/2023 at 05:35, GitHub wrote:
1 repository in your apache organization might be affected by a security
vulnerability in vite
Vite Server Options (server.fs.deny) can be bypassed using double
forward-slash (//)
High severity
vite
CVE-2023-34092
View all alerts
<https://github.com/advisories/GHSA-353f-5xf4-qw67/dependabot?query=user:apache>
apache/ofbiz-plugins
* example/vite-react-app/package-lock.json
<https://github.com/apache/ofbiz-plugins/security/dependabot/4>