
chore(deps): update dependency vite to v6.2.6 [security]#5918

Merged
renovate[bot] merged 2 commits intomasterfrom
renovate/npm-vite-vulnerability
Apr 12, 2025

Conversation


@renovate renovate bot commented Apr 11, 2025

This PR contains the following updates:

Package | Change
vite (source) | 6.2.5 -> 6.2.6

GitHub Vulnerability Alerts

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

  • explicitly exposing the Vite dev server to the network (using --host or server.host config option)
  • running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

The HTTP/1.1 spec (RFC 9112) does not allow # in the request-target, although an attacker can still send such a request. For requests with an invalid request-line (which includes the request-target), the spec recommends rejecting them with 400 or 301. The same can be said for HTTP/2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and are passed to user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url would not contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and are passed to user land as well, but for those requests the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@​fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

Release Notes

vitejs/vite (vite)

v6.2.6

Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


vercel bot commented Apr 11, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name | Status | Updated (UTC)
rollup | ✅ Ready | Apr 12, 2025 4:57am

@renovate renovate bot enabled auto-merge April 11, 2025 19:03

github-actions bot commented Apr 11, 2025

Thank you for your contribution! ❤️

You can try out this pull request locally by installing Rollup via

npm install rollup/rollup#renovate/npm-vite-vulnerability

Notice: Ensure you have installed the latest stable Rust toolchain. If you haven't installed it yet, please see https://www.rust-lang.org/tools/install to learn how to download Rustup and install Rust.

or load it into the REPL:
https://rollup-lrrrmajcr-rollup-js.vercel.app/repl/?pr=5918


github-actions bot commented Apr 11, 2025

Performance report

  • BUILD: 7378ms, 746 MB
    • initialize: 0ms, 28.1 MB
    • generate module graph: 2822ms, 561 MB
      • generate ast: 1279ms, 554 MB
    • sort and bind modules: 401ms, 604 MB
    • mark included statements: 4151ms, 746 MB
      • treeshaking pass 1: 2439ms, 745 MB
      • treeshaking pass 2: 482ms, 745 MB
      • treeshaking pass 3: 416ms, 746 MB
      • treeshaking pass 4: 405ms, 748 MB
      • treeshaking pass 5: 400ms, 746 MB
  • GENERATE: 755ms, 987 MB
    • initialize render: 0ms, 884 MB
    • generate chunks: 74ms, 896 MB
      • optimize chunks: 0ms, 887 MB
    • render chunks: 663ms, 962 MB
    • transform chunks: 16ms, 987 MB
    • generate bundle: 0ms, 987 MB


codecov bot commented Apr 11, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.56%. Comparing base (328fa2d) to head (f7b043e).
Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #5918   +/-   ##
=======================================
  Coverage   98.56%   98.56%           
=======================================
  Files         270      270           
  Lines        8688     8688           
  Branches     1488     1488           
=======================================
  Hits         8563     8563           
  Misses         92       92           
  Partials       33       33           

☔ View full report in Codecov by Sentry.

@lukastaegert lukastaegert force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 045e636 to d3d1d2e Compare April 12, 2025 04:44
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from d3d1d2e to 91b38cc Compare April 12, 2025 04:44
@lukastaegert lukastaegert force-pushed the renovate/npm-vite-vulnerability branch from 91b38cc to 7ef8925 Compare April 12, 2025 04:51

renovate bot commented Apr 12, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot added this pull request to the merge queue Apr 12, 2025
Merged via the queue into master with commit 86e1ccd Apr 12, 2025
42 checks passed
@renovate renovate bot deleted the renovate/npm-vite-vulnerability branch April 12, 2025 05:38

This PR has been released as part of rollup@4.40.0. You can test it via npm install rollup.
