Skip to content

chore(deps): update dependency vite to v8.0.5 [security]#9009

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-vite-vulnerability
Apr 6, 2026
Merged

chore(deps): update dependency vite to v8.0.5 [security]#9009
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-vite-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
vite (source) 8.0.38.0.5 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-4w7w-66w2-5vf9

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

  1. Create a minimal PoC sourcemap outside the project root 
    cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
  2. Start the Vite dev server (example) 
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
  3. Confirm that direct /@&#8203;fs access is blocked by strict (returns 403)
    image
  4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
    image

GHSA-p9ff-h696-f583

Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

  1. Start the dev server on the target
    Example (used during validation with this repository):

    pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

  2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

    curl -i 'http://localhost:5173/@&#8203;fs/etc/passwd?raw'

    Result: 403 Restricted (outside the allow list)
    image

  3. Confirm that the same file can be retrieved via the WebSocket path
    By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

image image

GHSA-v2wj-q39q-566r

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

Details

On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.

PoC

  1. Start the dev server: pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
  2. Confirm that server.fs.deny is enforced (expect 403): curl -i http://127.0.0.1:5175/src/.env | head -n 20
    image
  3. Confirm that the same files can be retrieved with query parameters (expect 200):
    image

Release Notes

vitejs/vite (vite)

v8.0.5

Compare Source

Bug Fixes

v8.0.4

Compare Source

Features
Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) April 6, 2026 21:28
@netlify

netlify Bot commented Apr 6, 2026

Copy link
Copy Markdown

Deploy Preview for rolldown-rs canceled.

Name Link
🔨 Latest commit 8041260
🔍 Latest deploy log https://app.netlify.com/projects/rolldown-rs/deploys/69d4256371e3cd0008248f79

@renovate renovate Bot merged commit 4976794 into main Apr 6, 2026
53 checks passed
@renovate renovate Bot deleted the renovate/npm-vite-vulnerability branch April 6, 2026 21:31
This was referenced Apr 8, 2026
Closed
Merged
shulaoda added a commit that referenced this pull request Apr 8, 2026
@github-actions @shulaoda
release: v1.0.0-rc.14 (#9035)
b7a66e0 
## [1.0.0-rc.14] - 2026-04-08

### 🚀 Features

- rust: add `disable_panic_hook` feature to disable the panic hook (#9023) by @sapphi-red
- support inlineConst for CJS exports accessed through module.exports (#8976) by @h-a-n-a

### 🐛 Bug Fixes

- rolldown_plugin_vite_import_glob: normalize resolved alias path to prevent double slashes (#9032) by @shulaoda
- rolldown_plugin_vite_import_glob: follow symlinks in file scanning (#9000) by @Copilot
- wrap CJS entry modules for IIFE/UMD when using exports/module (#8999) by @IWANABETHATGUY
- emit separate __toESM bindings for mixed ESM/CJS external imports (#8987) by @IWANABETHATGUY
- tree-shake dead dynamic imports to side-effect-free CJS modules (#8529) by @sapphi-red
- skip inlining stale CJS export constants on module.exports reassignment (#8990) by @IWANABETHATGUY

### 🚜 Refactor

- generator: migrate ecma formatting from npx oxfmt to vp fmt (#9022) by @shulaoda
- generator: replace npx oxfmt with vp fmt for ecma formatting (#9021) by @shulaoda

### 📚 Documentation

- contrib-guide: mention that running tests on older Node.js version will have different stat results (#8996) by @claude

### ⚙️ Miscellaneous Tasks

- deps: update npm packages (#9002) by @renovate[bot]
- deps: update dependency @napi-rs/cli to v3.6.1 (#9034) by @renovate[bot]
- deps: upgrade oxc to 0.124.0 (#9018) by @shulaoda
- deps: update test262 submodule for tests (#9010) by @sapphi-red
- deps: update dependency oxfmt to ^0.44.0 (#9012) by @renovate[bot]
- deps: update dependency vite to v8.0.5 [security] (#9009) by @renovate[bot]
- deps: update dependency vite-plus to v0.1.16 (#9008) by @renovate[bot]
- deps: update rust crates (#9003) by @renovate[bot]
- deps: update github-actions (#9004) by @renovate[bot]
- deps: update dependency lodash-es to v4.18.1 [security] (#8992) by @renovate[bot]
- deps: update crate-ci/typos action to v1.45.0 (#8988) by @renovate[bot]
- upgrade oxc npm packages to 0.123.0 (#8985) by @shulaoda

### ◀️ Revert

- "chore(deps): update dependency oxfmt to ^0.44.0 (#9012)" (#9019) by @shulaoda

Co-authored-by: shulaoda <165626830+shulaoda@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants