- Update dependency vite to v6.1.6 [SECURITY] - autoclosed

[blumilk-renovate]

This PR contains the following updates:

Package	Type	Update	Change
vite (source)	devDependencies	minor	6.0.13 -> 6.1.6

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

CVE-2025-32395

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

• explicitly exposing the Vite dev server to the network (using --host or server.host config option)
• running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@​fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

---

Release Notes

vitejs/vite (vite)

v6.1.6

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.5

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

• fix: ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e), closes #​19453
• fix: ignore *.ipv4 address in cert (#​19416) (973283b), closes #​19416
• fix(css): run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a), closes #​19371
• fix(deps): bump tsconfck (#​19375) (746a583), closes #​19375
• fix(deps): update all non-major dependencies (#​19392) (60456a5), closes #​19392
• fix(deps): update all non-major dependencies (#​19440) (ccac73d), closes #​19440
• fix(html): ignore malformed src attrs (#​19397) (aff7812), closes #​19397
• fix(worker): fix web worker type detection (#​19462) (edc65ea), closes #​19462
• refactor: remove custom .jxl mime (#​19457) (0c85464), closes #​19457
• feat: add support for injecting debug IDs (#​18763) (0ff556a), closes #​18763
• chore: update 6.1.0 changelog (#​19363) (fa7c211), closes #​19363

v6.1.0

Compare Source

Features

• feat: show hosts in cert in CLI (#​19317) (a5e306f), closes #​19317
• feat: support for env var for defining allowed hosts (#​19325) (4d88f6c), closes #​19325
• feat: use native runtime to import the config (#​19178) (7c2a794), closes #​19178
• feat: print port in the logged error message after failed WS connection with EADDRINUSE (#​19212) (14027b0), closes #​19212
• perf(css): only run postcss when needed (#​19061) (30194fa), closes #​19061
• feat: add support for .jxl (#​18855) (57b397c), closes #​18855
• feat: add the builtins environment resolve (#​18584) (2c2d521), closes #​18584
• feat: call Logger for plugin logs in build (#​13757) (bf3e410), closes #​13757
• feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#​19259) (dc8946b), closes #​19259
• feat: expose createServerModuleRunnerTransport (#​18730) (8c24ee4), closes #​18730
• feat: support async for proxy.bypass (#​18940) (a6b9587), closes #​18940
• feat: support log related functions in dev (#​18922) (3766004), closes #​18922
• feat: use module runner to import the config (#​18637) (b7e0e42), closes #​18637
• feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#​19072) (caad985), closes #​19072
• feat(optimizer): support bun text lockfile (#​18403) (05b005f), closes #​18403
• feat(reporter): add wasm to the compressible assets regex (#​19085) (ce84142), closes #​19085
• feat(worker): support dynamic worker option fields (#​19010) (d0c3523), closes #​19010

Fixes

• fix: avoid builtStart during vite optimize (#​19356) (fdb36e0), closes #​19356
• fix(build): fix stale build manifest on watch rebuild (#​19361) (fcd5785), closes #​19361
• fix: allow expanding env vars in reverse order (#​19352) (3f5f2bd), closes #​19352
• fix: avoid packageJson without name in resolveLibCssFilename (#​19324) (f183bdf), closes #​19324
• fix(html): fix css disorder when building multiple entry html (#​19143) (e7b4ba3), closes #​19143
• fix: don't call buildStart hooks for vite optimize (#​19347) (19ffad0), closes #​19347
• fix: don't call next middleware if user sent response in proxy.bypass (#​19318) (7e6364d), closes #​19318
• fix: respect top-level server.preTransformRequests (#​19272) (12aaa58), closes #​19272
• fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#​19313) (9fc31b6), closes #​19313
• fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #​19268) (#​19269) (602b373), closes #​19268 #​19269
• fix(deps): update all non-major dependencies (#​19296) (2bea7ce), closes #​19296
• fix(resolve): preserve hash/search of file url (#​19300) (d1e1b24), closes #​19300
• fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#​19312) (b7aba0b), closes #​19312
• fix(ssr): fix transform error due to export all id scope (#​19331) (e28bce2), closes #​19331
• fix(ssr): pretty print plugin error in ssrLoadModule (#​19290) (353c467), closes #​19290
• fix: change ResolvedConfig type to interface to allow extending it (#​19210) (bc851e3), closes #​19210
• fix: correctly resolve hmr dep ids and fallback to url (#​18840) (b84498b), closes #​18840
• fix: make --force work for all environments (#​18901) (51a42c6), closes #​18901
• fix: use loc.file from rollup errors if available (#​19222) (ce3fe23), closes #​19222
• fix(deps): update all non-major dependencies (#​19190) (f2c07db), closes #​19190
• fix(hmr): register inlined assets as a dependency of CSS file (#​18979) (eb22a74), closes #​18979
• fix(resolve): support resolving TS files by JS extension specifiers in JS files (#​18889) (612332b), closes #​18889
• fix(ssr): combine empty source mappings (#​19226) (ba03da2), closes #​19226
• fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #​19245, fix #​1 (56ad2be), closes #​19245 #​18875 #​19247

Chore

• refactor: deprecate vite optimize command (#​19348) (6e0e3c0), closes #​19348
• chore: update deprecate links domain (#​19353) (2b2299c), closes #​19353
• docs: rephrase browser range and features relation (#​19286) (97569ef), closes #​19286
• docs: update build.manifest jsdocs (#​19332) (4583781), closes #​19332
• chore: remove outdated code comment about scanImports not being used in ssr (#​19285) (fbbc6da), closes #​19285
• chore: unneeded name in lockfileFormats (#​19275) (96092cb), closes #​19275
• chore(deps): update dependency strip-literal to v3 (#​19231) (1172d65), closes #​19231

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.15

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Warsaw, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.