feat(api): add allowWrite and allowExec options to api [backport to v3]#10445

Merged
sheremet-va merged 10 commits into vitest-dev:v3 from hi-ogawa:backport-v3-allow-write-exec-hardening on May 28, 2026
Conversation

@hi-ogawa hi-ogawa commented May 25, 2026

Collaborator

Description

This PR backports the allowWrite / allowExec hardening from #9350 to the v3 branch for GHSA-5xrq-8626-4rwp. Since the v3 and v4 code has diverged, this was ported manually rather than as a direct cherry-pick.

Notable divergences:

  • Left out artifact/annotation attachment hardening because the v4 artifact RPC/API path is not present in v3.
  • Did not port Vite’s newer isFileLoadingAllowed usage; v3 keeps isFileServingAllowed and only normalizes concrete file paths with slash(...). For the concrete file paths Vitest checks here, that should preserve the relevant protection.
  • Manually adjusted tests for v3’s older test utilities and fixture shape, while keeping the same coverage intent.

TODO

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. If the feature is substantial or introduces breaking changes without a discussion, the PR might be closed.
  • Ideally, include a test that fails without this PR but passes with it.
  • Please don't make changes to pnpm-lock.yaml unless you introduce a new test example.
  • Please check "Allow edits by maintainers" to make the review process faster. Note that this option is not available for repositories that are owned by GitHub organizations.

Tests

  • Run the tests with pnpm test:ci.

Documentation

  • If you introduce new functionality, document it. You can run documentation with pnpm run docs command.

Changesets

  • Changes in the changelog are generated from the PR name. Please make sure that it explains your changes in an understandable manner. Please prefix changeset messages with feat:, fix:, perf:, docs:, or chore:.

@hi-ogawa hi-ogawa changed the title feat(api): add allowWrite and allowExec options to api (backport v3) feat(api): add allowWrite and allowExec options to api (backport v3.1) May 26, 2026
@hi-ogawa hi-ogawa changed the title feat(api): add allowWrite and allowExec options to api (backport v3.1) feat(api): add allowWrite and allowExec options to api (backport v3) May 26, 2026
@hi-ogawa hi-ogawa changed the title feat(api): add allowWrite and allowExec options to api (backport v3) feat(api): add allowWrite and allowExec options to api [backport to v3] May 26, 2026
@hi-ogawa hi-ogawa changed the base branch from v3.1 to v3 May 26, 2026 08:01
@hi-ogawa hi-ogawa force-pushed the backport-v3-allow-write-exec-hardening branch from 33608f1 to 33f3f21 Compare May 26, 2026 08:03
netlify Bot commented May 26, 2026

Deploy Preview for vitest-dev ready!

Built without sensitive environment variables

Latest commit: 6c5566b
Latest deploy log: https://app.netlify.com/projects/vitest-dev/deploys/6a1557e10b9bf40008de65b4
Deploy Preview: https://deploy-preview-10445--vitest-dev.netlify.app
@sheremet-va sheremet-va merged commit af88b1f into vitest-dev:v3 May 28, 2026
11 of 15 checks passed
@hi-ogawa hi-ogawa deleted the backport-v3-allow-write-exec-hardening branch May 28, 2026 08:42
pmaieref commented Jun 2, 2026

@hi-ogawa Might not be the best place to ask, but as #10456 was merged, completing the TODO and adding 3.2.5/3.2.6 to the GHSA patch range would be highly appreciated. Thanks!

hi-ogawa commented Jun 2, 2026

Collaborator Author

@pmaieref Thanks for the ping. The advisory has been updated.

ingk commented Jun 8, 2026

@hi-ogawa Follow-up question regarding the advisory DB: this page states that version 3.2.5 includes a fix for the CVE. However, GitHub's reviewed DB still only includes 4.1.0.

Could this be the reason why my SBOM scanner still does not recognize it as fixed even though I installed version 3.2.6? Is there a way to trigger a new review?

hi-ogawa commented Jun 8, 2026

Collaborator Author

@ingk I'm not familiar with the process, but the GitHub side likely needs to reflect the update through https://github.com/github/advisory-database. There's one PR there: github/advisory-database#7881.

ingk commented Jun 8, 2026

@hi-ogawa Thanks, that's good to know! I will watch the PR for the advisory database.
