chore: bump up vite version to v6.3.4 [SECURITY] (#12103)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.3.3` -> `6.3.4`](https://renovatebot.com/diffs/npm/vite/6.3.3/6.3.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.3.3/6.3.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-46565](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3)

### Summary
The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
Only files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.

- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`
- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`

### Details
[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).
These patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`).

### PoC
```
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
```

![image](https://redirect.github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b)
![image](https://redirect.github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc)

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v6.3.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small634-2025-04-30-small)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.3.3...v6.3.4)

-   fix: check static serve file inside sirv ([#&#8203;19965](https://redirect.github.com/vitejs/vite/issues/19965)) ([c22c43d](https://redirect.github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb)), closes [#&#8203;19965](https://redirect.github.com/vitejs/vite/issues/19965)
-   fix(optimizer): return plain object when using `require` to import externals in optimized dependenci ([efc5eab](https://redirect.github.com/vitejs/vite/commit/efc5eab253419fde0a6a48b8d2f233063d6a9643)), closes [#&#8203;19940](https://redirect.github.com/vitejs/vite/issues/19940)
-   refactor: remove duplicate plugin context type ([#&#8203;19935](https://redirect.github.com/vitejs/vite/issues/19935)) ([d6d01c2](https://redirect.github.com/vitejs/vite/commit/d6d01c2292fa4f9603e05b95d81c8724314c20e0)), closes [#&#8203;19935](https://redirect.github.com/vitejs/vite/issues/19935)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->
This commit is contained in:
renovate
2025-05-02 15:12:09 +00:00
parent 41d404f7f8
commit 098f6b2c93
+3 -3
View File
@@ -33935,8 +33935,8 @@ __metadata:
linkType: hard
"vite@npm:^5.0.0 || ^6.0.0, vite@npm:^6.0.3, vite@npm:^6.1.0":
version: 6.3.3
resolution: "vite@npm:6.3.3"
version: 6.3.4
resolution: "vite@npm:6.3.4"
dependencies:
esbuild: "npm:^0.25.0"
fdir: "npm:^6.4.4"
@@ -33985,7 +33985,7 @@ __metadata:
optional: true
bin:
vite: bin/vite.js
checksum: 10/442e518d9da847db80bd19a9792d1d9a106a31d18f74bfd06574776932dd0907f7205b99e34d455ba505a7dd9e57a807354633b90acd46a11db849a15ae26ad4
checksum: 10/347579b6571e591c1e4f54262e631f02e952e548171af09042aeffb40adfa5c9b43cf05cf115f0961cc553f6b7173fb9c2ee997a688007c01b6e13779d9a2bd4
languageName: node
linkType: hard