
Commit 9e2842d

chore(deps): update dependency vite to v6.2.5 [security] (main) (#7191)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.4` -> `6.2.5`](https://renovatebot.com/diffs/npm/vite/6.2.4/6.2.5) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.4/6.2.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.4/6.2.5?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-31486](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x)

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or the [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

#### `.svg`

Requests ending with `.svg` are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290

By adding `?.svg` with `?.wasm?init` or with a `sec-fetch-dest: script` header, the restriction could be bypassed. This bypass is only possible if the file is smaller than [`build.assetsInlineLimit`](https://vite.dev/config/build-options.html#build-assetsinlinelimit) (default: 4kB) and when using Vite 6.0+.

#### relative paths

The check was applied before the id normalization. This allowed requests to bypass it with relative paths (e.g. `../../`).

### PoC

```bash
npm create vite@latest
cd vite-project/
npm install
npm run dev
```

Send a request to read `etc/passwd`:

```bash
curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'
```

```bash
curl 'http://127.0.0.1:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v6.2.5`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.5)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.4...v6.2.5)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.5/packages/vite/CHANGELOG.md) for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/SAP/ui5-webcomponents-react).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent a0f234d commit 9e2842d
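A lockfile-only bump like this one is easy to verify mechanically. The following script is an added example, not code from the ui5-webcomponents-react repository or from Renovate: it parses Yarn Berry lockfile entries for `vite` and reports any resolution below the patched floor for its major line. The floors (5.4.17 for 5.x, 6.2.5 for 6.x) are an assumption read off this commit's diff, not quoted from the advisory, and the lockfile text is a constructed sample modelled on the hunks below.

```python
"""Audit a Yarn Berry lockfile for vite entries below the patched floor.
Added example, not code from the ui5-webcomponents-react repository.
Assumption: the floors 5.4.17 and 6.2.5 are read off this commit's bump,
not quoted from the advisory."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the yarn.lock hunks in this commit.
SAMPLE_LOCK = '''\
"vite@npm:^5.4.8":
  version: 5.4.16
  resolution: "vite@npm:5.4.16"
  linkType: hard

"vite@npm:^6.0.0":
  version: 6.2.5
  resolution: "vite@npm:6.2.5"
  linkType: hard
'''

# Minimum patched version per major line (assumption, see docstring).
MIN_PATCHED = {5: (5, 4, 17), 6: (6, 2, 5)}

def parse_versions(lock_text: str, package: str = "vite") -> Dict[str, Tuple[int, ...]]:
    """Map each lockfile key such as 'vite@npm:^6.0.0' to its resolved version tuple."""
    key_re = re.compile(r'^"?(%s@npm:[^"]+)"?:\s*$' % re.escape(package))
    ver_re = re.compile(r'^\s+version:\s*([0-9]+(?:\.[0-9]+)*)\s*$')
    found, key = {}, None
    for line in lock_text.splitlines():
        if m := key_re.match(line):
            key = m.group(1)          # entered a block for the package we audit
        elif key and (m := ver_re.match(line)):
            found[key] = tuple(int(p) for p in m.group(1).split("."))
            key = None                # one version line per block
    return found

def unpatched(lock_text: str) -> List[str]:
    """Return a finding for every vite entry resolved below its major line's floor."""
    findings, dotted = [], (lambda t: ".".join(map(str, t)))
    for key, ver in parse_versions(lock_text).items():
        floor = MIN_PATCHED.get(ver[0])
        if floor is not None and ver < floor:
            findings.append(f"{key} -> {dotted(ver)} (need >= {dotted(floor)})")
    return findings

if __name__ == "__main__":
    print("\n".join(unpatched(SAMPLE_LOCK)) or "all vite entries are patched")
```

Run against the real yarn.lock (read the file instead of SAMPLE_LOCK) as a CI step after a dependency bump; the sample deliberately leaves the 5.x entry at 5.4.16 so the check has something to report.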

File tree

4 files changed

+15
-15
lines changed


examples/react-router-ts/package-lock.json

Lines changed: 3 additions & 3 deletions

examples/vite-ts/package-lock.json

Lines changed: 3 additions & 3 deletions

templates/vite-ts/package-lock.json

Lines changed: 3 additions & 3 deletions

yarn.lock

Lines changed: 6 additions & 6 deletions
@@ -24609,8 +24609,8 @@ __metadata:
2460924609
linkType: hard
2461024610

2461124611
"vite@npm:^5.4.8":
24612-
version: 5.4.16
24613-
resolution: "vite@npm:5.4.16"
24612+
version: 5.4.17
24613+
resolution: "vite@npm:5.4.17"
2461424614
dependencies:
2461524615
esbuild: "npm:^0.21.3"
2461624616
fsevents: "npm:~2.3.3"
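Review bot: the commit title says vite is updated to v6.2.5, but this hunk also moves the `"vite@npm:^5.4.8"` entry from `version: 5.4.16` to `version: 5.4.17`, which the message never mentions; state the 5.x bump in the commit message so a reader of the history can confirm it is the corresponding patched 5.x release rather than incidental lockfile drift.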
@@ -24647,13 +24647,13 @@ __metadata:
2464724647
optional: true
2464824648
bin:
2464924649
vite: bin/vite.js
24650-
checksum: 10c0/10faad2614c24a4ff65a680acfe9f71a90eba6c291ecf2d98919eb72c16d7d39b40e54e859d6a48c139a497829c3546cd2ae95be31f1a4145cba560d3d6e1b12
24650+
checksum: 10c0/3322bd6d8da30cbc87b1b24cd14fdbca75abb36de81217d1062c8b4c574a1a0d28d11dfe23a3eed08b3d179d2bdc1510e0d7b9f3e1b722a45bd7631c7cec72eb
2465124651
languageName: node
2465224652
linkType: hard
2465324653

2465424654
"vite@npm:^6.0.0":
24655-
version: 6.2.4
24656-
resolution: "vite@npm:6.2.4"
24655+
version: 6.2.5
24656+
resolution: "vite@npm:6.2.5"
2465724657
dependencies:
2465824658
esbuild: "npm:^0.25.0"
2465924659
fsevents: "npm:~2.3.3"
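Review bot: only the lockfile changes here, so the declared ranges `"vite@npm:^5.4.8"` and `"vite@npm:^6.0.0"` still admit the vulnerable 5.4.16 and 6.2.4; any resolution that does not honour this yarn.lock (a regenerated lockfile, or a consumer scaffolding from templates/vite-ts) can land back on an affected version. Consider raising the ranges in the corresponding package.json files (e.g. `^5.4.17` and `^6.2.5`) alongside the lockfile bump, and the same applies to the three package-lock.json files in this commit.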
@@ -24699,7 +24699,7 @@ __metadata:
2469924699
optional: true
2470024700
bin:
2470124701
vite: bin/vite.js
24702-
checksum: 10c0/5a011ee5cce91de023a22564a314f04bf64d0d02b420d92c3d539d10257448d60e98e52b491404656426fba4a50dc25f107282540d7388fc5303dc441280155e
24702+
checksum: 10c0/226bb3c1875e1982559007007580e8d083b81f5289f18e28841d622ba030599e1bd9926adccc8264879e319e9f9e4f48a38a0dc52a5dfcdf2a9cb7313bfc1816
2470324703
languageName: node
2470424704
linkType: hard
2470524705
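Review bot: the checksum for `vite@npm:6.2.5` changes together with its resolution, which is what a regenerated lockfile should look like; because this lockfile was produced by a bot, the CI for this branch should install with `yarn install --immutable` so that a lockfile that does not match the resolved tarballs fails the build instead of being silently rewritten.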

0 commit comments
