Update dependency serve to v10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
serve	^9.1.0 → ^10.0.0

GitHub Vulnerability Alerts

GHSA-xw79-hhv6-578c

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package does not encode output, allowing attackers to execute arbitrary JavaScript in the victim's browser if user-supplied input is rendered.

Recommendation

Upgrade to version 10.0.2 or later.

GHSA-48gc-5j93-5cfq

Versions of serve prior to 10.1.2 are vulnerable to Path Traversal. Explicitly ignored folders can be accessed through relative paths, which allows attackers to access hidden folders and files.

Recommendation

Upgrade to version 10.1.2 or later.

GHSA-cpgr-wmr9-qxv4

Versions of serve prior to 10.0.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code.

Recommendation

Upgrade to version 10.0.2 or later.

---

Release Notes

vercel/serve (serve)

v10.1.2

Compare Source

Patches

• Use os.networkInterfaces() to detect network address: #​492
• Bumped serve-handler to latest version: #​505

Credits

Huge thanks to @​saintwinkle for helping!

v10.1.1

Compare Source

Patches

• Properly encode redirect responses: #​491

v10.1.0

Compare Source

Minor Changes

• Added support for compression: #​487
• Added NO_UPDATE_CHECK environment flag: #​457
• Brought back support for ephemeral port switching: #​490

Patches

• Bumped serve-handler to the latest version: #​488
• Deprecate support for now.json and package.json: #​489

Credits

Huge thanks to @​leeyeh for helping!

v10.0.2

Compare Source

Patches

• Bumped serve-handler to the latest version: #​480

v10.0.1

Compare Source

Patches

• Bumped @zeit/schemas to the latest version: #​475

v10.0.0

Compare Source

Major Changes

• Bumped dependencies to the latest version: #​468

v9.6.0

Compare Source

Minor Changes

• Added support for range requests: #​465

v9.4.2

Compare Source

Patches

• Point directly to Spectrum community: #​462

v9.4.1

Compare Source

Patches

• Updated link to Spectrum: #​461

v9.4.0

Compare Source

Minor Changes

• Handle ETag and If-None-Match: #​456

v9.3.0

Compare Source

Minor Changes

• Support for absolute paths: #​445

Patches

• Add badge to display install size: #​450
• Bumped dependencies to the latest version: #​452

Credits

Huge thanks to @​az0uz and @​styfle for helping!

v9.2.0

Compare Source

Minor Changes

• Allow custom headers to be set for default error responses: #​443

v9.1.2

Compare Source

Patches

• Properly handle requests with malformed URIs: #​442

v9.1.1

Compare Source

Patches

• Handle DNS lookup failures: #​439

Credits

Huge thanks to @​just-boris for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[orca-security-us]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

[orca-security-us]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca