039976ee6d
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.3.5` -> `6.3.6`](https://renovatebot.com/diffs/npm/vite/6.3.5/6.3.6) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-58751](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c) ### Summary Files starting with the same name with the public directory were served bypassing the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default) - a symlink exists in the public directory ### Details The [servePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L79)) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L106)) function which runs the needed tests and serves the page. The viteServePublicMiddleware function [checks if the publicFiles variable is defined](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L111)), and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. [publicFiles may be undefined if there is a symbolic link anywhere inside the public directory](9719497ade/packages/vite/src/node/publicDir.ts (L21)). In that case, every requested page will be passed to the public serving function. The serving function is based on the [sirv](https://redirect.github.com/lukeed/sirv) library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware [disables this functionality](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L89)) since public pages are meant to be available always, regardless of whether they are in the allow or deny list. In the case of public pages, the serving function is [provided with the path to the public directory](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L85)) as a root directory. The code of the sirv library [uses the join function to get the full path to the requested file](d061616827/packages/sirv/index.mjs (L42)). For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will [use the string's startsWith function](d061616827/packages/sirv/index.mjs (L43)) to determine whether the created path is within the given directory or not. Only if it is, it will be served. Since [sirv trims the trailing slash of the public directory](d061616827/packages/sirv/index.mjs (L119)), the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that). ### PoC Execute the following shell commands: ``` npm create vite@latest cd vite-project/ mkdir p cd p ln -s a b cd .. echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js echo "secret" > private.txt npm install npm run dev ``` Then, in a different shell, run the following command: `curl -v --path-as-is 'http://localhost:5173/private.txt'` You will receive a 403 HTTP Response, because private.txt is denied. Now in the same shell run the following command: `curl -v --path-as-is 'http://localhost:5173/../private.txt'` You will receive the contents of private.txt. ### Related links -f0113f3f82#### [CVE-2025-58752](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3) ### Summary Any HTML files on the machine were served regardless of the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - `appType: 'spa'` (default) or `appType: 'mpa'` is used This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. ### Details The [serveStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L123)) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L136)) function which runs the needed tests and serves the page. The viteServeStaticMiddleware function [checks if the extension of the requested file is ".html"](9719497ade/packages/vite/src/node/server/middlewares/static.ts (L144)). If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case [htmlFallbackMiddleware](9719497ade/packages/vite/src/node/server/middlewares/htmlFallback.ts (L14)), and then to [indexHtmlMiddleware](9719497ade/packages/vite/src/node/server/middlewares/indexHtml.ts (L438)). These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client. ### PoC Execute the following shell commands: ``` npm create vite@latest cd vite-project/ echo "secret" > /tmp/secret.html npm install npm run dev ``` Then, in a different shell, run the following command: `curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'` The contents of /tmp/secret.html will be returned. This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell: ``` echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > [vite.config.js](http://vite.config.js) mkdir secret_files echo "secret txt" > secret_files/secret.txt echo "secret html" > secret_files/secret.html npm run dev ``` Then, in a different shell, run the following command: `curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'` You will receive a 403 HTTP Response, because everything in the secret_files directory is denied. Now in the same shell run the following command: `curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'` You will receive the contents of secret_files/secret.html. --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.3.6`](https://redirect.github.com/vitejs/vite/releases/tag/v6.3.6) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.3.5...v6.3.6) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45Ny4xMCIsInVwZGF0ZWRJblZlciI6IjQxLjk3LjEwIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
AFFiNE.Pro
Write, Draw and Plan All at Once
A privacy-focused, local-first, open-source, and ready-to-use alternative for Notion & Miro.
One hyper-fused platform for wildly creative minds.
Special thanks to Blaze for their support of this project. They provide high-performance Apple Silicon macOS and Linux (AMD64 & ARM64) runners for GitHub Actions, greatly reducing our automated build times.
Getting started & staying tuned with us.
Star us, and you will receive all release notifications from GitHub without any delay!
What is AFFiNE
AFFiNE is an open-source, all-in-one workspace and an operating system for all the building blocks that assemble your knowledge base and much more -- wiki, knowledge management, presentation and digital assets. It's a better alternative to Notion and Miro.
Features
A true canvas for blocks in any form. Docs and whiteboard are now fully merged.
- Many editor apps claim to be a canvas for productivity, but AFFiNE is one of the very few which allows you to put any building block on an edgeless canvas -- rich text, sticky notes, any embedded web pages, multi-view databases, linked pages, shapes and even slides. We have it all.
Multimodal AI partner ready to kick in any work
- Write up professional work report? Turn an outline into expressive and presentable slides? Summary an article into a well-structured mindmap? Sorting your job plan and backlog for tasks? Or... draw and code prototype apps and web pages directly all with one prompt? With you, AFFiNE AI pushes your creativity to the edge of your imagination,just like Canvas AI to generate mind map for brainstorming.
Local-first & Real-time collaborative
- We love the idea of local-first that you always own your data on your disk, in spite of the cloud. Furthermore, AFFiNE supports real-time sync and collaborations on web and cross-platform clients.
Self-host & Shape your own AFFiNE
- You have the freedom to manage, self-host, fork and build your own AFFiNE. Plugin community and third-party blocks are coming soon. More tractions on Blocksuite. Check there to learn how to self-host AFFiNE.
Acknowledgement
“We shape our tools and thereafter our tools shape us”. A lot of pioneers have inspired us along the way, e.g.:
- Quip & Notion with their great concept of “everything is a block”
- Trello with their Kanban
- Airtable & Miro with their no-code programmable datasheets
- Miro & Whimiscal with their edgeless visual whiteboard
- Remote & Capacities with their object-based tag system
There is a large overlap of their atomic “building blocks” between these apps. They are not open source, nor do they have a plugin system like Vscode for contributors to customize. We want to have something that contains all the features we love and also goes one step even further.
Thanks for checking us out, we appreciate your interest and sincerely hope that AFFiNE resonates with you! 🎵 Checking https://affine.pro/ for more details ions.
Contributing
| Bug Reports | Feature Requests | Questions/Discussions | AFFiNE Community |
|---|---|---|---|
| Create a bug report | Submit a feature request | Check GitHub Discussion | Vist the AFFiNE Community |
| Something isn't working as expected | An idea for a new feature, or improvements | Discuss and ask questions | A place to ask, learn and engage with others |
Calling all developers, testers, tech writers and more! Contributions of all types are more than welcome, you can read more in docs/types-of-contributions.md. If you are interested in contributing code, read our docs/CONTRIBUTING.md and feel free to check out our GitHub issues to get stuck in to show us what you’re made of.
Before you start contributing, please make sure you have read and accepted our Contributor License Agreement. To indicate your agreement, simply edit this file and submit a pull request.
For bug reports, feature requests and other suggestions you can also create a new issue and choose the most appropriate template for your feedback.
For translation and language support you can visit our i18n General Space.
Looking for other ways to contribute and wondering where to start? Check out the AFFiNE Ambassador program, we work closely with passionate community members and provide them with a wide range of support and resources.
If you have questions, you are welcome to contact us. One of the best places to get more info and learn more is in the AFFiNE Community where you can engage with other like-minded individuals.
Templates
AFFiNE now provides pre-built templates from our team. Following are the Top 10 most popular templates among AFFiNE users,if you want to contribute, you can contribute your own template so other people can use it too.
- vision board template
- one pager template
- sample lesson plan math template
- grr lesson plan template free
- free editable lesson plan template for pre k
- high note collection planners
- digital planner
- ADHD Planner
- Reading Log
- Cornell Notes Template
Blog
Welcome to the AFFiNE blog section! Here, you’ll find the latest insights, tips, and guides on how to maximize your experience with AFFiNE and AFFiNE AI, the leading Canvas AI tool for flexible note-taking and creative organization.
- vision board template
- ai homework helper
- vision board maker
- itinerary template
- one pager template
- cornell notes template
- swot chart template
- apps like luna task
- note taking ai from rough notes to mind map
- canvas ai
- one pager
- SOP Template
- Chore Chart
Ecosystem
| Name | ||
|---|---|---|
| @affine/component | AFFiNE Component Resources |  |
| @toeverything/theme | AFFiNE theme |  |
Upstreams
We would also like to give thanks to open-source projects that make AFFiNE possible:
- Blocksuite - 💠 BlockSuite is the open-source collaborative editor project behind AFFiNE.
- OctoBase - 🐙 OctoBase is the open-source database behind AFFiNE, local-first, yet collaborative. A light-weight, scalable, data engine written in Rust.
- yjs - Fundamental support of CRDTs for our implementation on state management and data sync.
- electron - Build cross-platform desktop apps with JavaScript, HTML, and CSS.
- React - The library for web and native user interfaces.
- napi-rs - A framework for building compiled Node.js add-ons in Rust via Node-API.
- Jotai - Primitive and flexible state management for React.
- async-call-rpc - A lightweight JSON RPC client & server.
- Vite - Next generation frontend tooling.
- Other upstream dependencies.
Thanks a lot to the community for providing such powerful and simple libraries, so that we can focus more on the implementation of the product logic, and we hope that in the future our projects will also provide a more easy-to-use knowledge base for everyone.
Contributors
We would like to express our gratitude to all the individuals who have already contributed to AFFiNE! If you have any AFFiNE-related project, documentation, tool or template, please feel free to contribute it by submitting a pull request to our curated list on GitHub: awesome-affine.
Self-Host
Begin with Docker to deploy your own feature-rich, unrestricted version of AFFiNE. Our team is diligently updating to the latest version. For more information on how to self-host AFFiNE, please refer to our documentation.
Hiring
Some amazing companies, including AFFiNE, are looking for developers! Are you interested in joining AFFiNE or its partners? Check out our Discord channel for some of the latest jobs available.
Feature Request
For feature requests, please see community.affine.pro.
Building
Codespaces
From the GitHub repo main page, click the green "Code" button and select "Create codespace on master". This will open a new Codespace with the (supposedly auto-forked AFFiNE repo cloned, built, and ready to go.
Local
See BUILDING.md for instructions on how to build AFFiNE from source code.
Contributing
We welcome contributions from everyone. See docs/contributing/tutorial.md for details.
Thanks
Thanks to Chromatic for providing the visual testing platform that helps us review UI changes and catch visual regressions.
License
Editions
-
AFFiNE Community Edition (CE) is the current available version, it's free for self-host under the MIT license.
-
AFFiNE Enterprise Edition (EE) is yet to be published, it will have more advanced features and enterprise-oriented offerings, including but not exclusive to rebranding and SSO, advanced admin and audit, etc., you may refer to https://affine.pro/pricing for more information
See LICENSE for details.