chore(deps): update dependency vite to v6.3.4 [security]#5940
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Thank you for your contribution! ❤️You can try out this pull request locally by installing Rollup via npm install rollup/rollup#renovate/npm-vite-vulnerabilityNotice: Ensure you have installed the latest stable Rust toolchain. If you haven't installed it yet, please see https://www.rust-lang.org/tools/install to learn how to download Rustup and install Rust. or load it into the REPL: |
Performance report
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5940 +/- ##
=======================================
Coverage 98.55% 98.55%
=======================================
Files 270 270
Lines 8704 8704
Branches 1492 1492
=======================================
Hits 8578 8578
Misses 93 93
Partials 33 33 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
This PR has been released as part of rollup@4.40.2. You can test it via |
This PR contains the following updates:
6.3.3->6.3.4GitHub Vulnerability Alerts
CVE-2025-46565
Summary
The contents of files in the project
rootthat are denied by a file matching pattern can be returned to the browser.Impact
Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project
rootand are denied by a file matching pattern can be bypassed..env,.env.*,*.{crt,pem},**/.env**/.git/**,.git/**,.git/**/*Details
server.fs.denycan contain patterns matching against files (by default it includes.env,.env.*,*.{crt,pem}as such patterns).These patterns were able to bypass for files under
rootby using a combination of slash and dot (/.).PoC
Release Notes
vitejs/vite (vite)
v6.3.4Compare Source
requireto import externals in optimized dependenci (efc5eab), closes #19940Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.