chore(deps): update dependency vite to v6.2.5 [security] #2161

renovate · 2025-04-05T17:43:49Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`6.1.3` -> `6.2.5`

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

`.svg`

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@&#8203;fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Release Notes

vitejs/vite (vite)

`v6.2.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.2`

Compare Source

fix: await client buildStart on top level buildStart (#19624) (b31faab), closes #19624
fix(css): inline css correctly for double quote use strict (#19590) (d0aa833), closes #19590
fix(deps): update all non-major dependencies (#19613) (363d691), closes #19613
fix(indexHtml): ensure correct URL when querying module graph (#19601) (dc5395a), closes #19601
fix(preview): use preview https config, not server (#19633) (98b3160), closes #19633
fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #19612
feat: show friendly error for malformed base (#19616) (2476391), closes #19616
feat(worker): show asset filename conflict warning (#19591) (367d968), closes #19591
chore: extend commit hash correctly when ambigious with a non-commit object (#19600) (89a6287), closes #19600

`v6.2.1`

Compare Source

refactor: remove isBuild check from preAliasPlugin (#19587) (c9e086d), closes #19587
refactor: restore endsWith usage (#19554) (6113a96), closes #19554
refactor: use applyToEnvironment in internal plugins (#19588) (f678442), closes #19588
fix(css): stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4), closes #19481
fix(deps): update all non-major dependencies (#19555) (f612e0f), closes #19555
fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed), closes #19561
fix(sourcemap): combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1), closes #18971
fix(ssr): named export should overwrite export all (#19534) (2fd2fc1), closes #19534
feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667), closes #19566
test: add glob import test case (#19516) (aa1d807), closes #19516
test: convert config playground to unit tests (#19568) (c0e68da), closes #19568
test: convert resolve-config playground to unit tests (#19567) (db5fb48), closes #19567
perf: flush compile cache after 10s (#19537) (6c8a5a2), closes #19537
chore(css): move environment destructuring after condition check (#19492) (c9eda23), closes #19492
chore(html): remove unnecessary value check (#19491) (797959f), closes #19491

`v6.2.0`

Compare Source

fix(deps): update all non-major dependencies (#19501) (c94c9e0), closes #19501
fix(worker): string interpolation in dynamic worker options (#19476) (07091a1), closes #19476
chore: use unicode cross icon instead of x (#19497) (5c70296), closes #19497

`v6.1.4`

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

cloudflare-workers-and-pages · 2025-04-05T17:43:51Z

Deploying vue-i18n-next with Cloudflare Pages

Latest commit:	`b2788d5`
Status:	✅ Deploy successful!
Preview URL:	https://074be9f7.vue-i18n-next.pages.dev
Branch Preview URL:	https://renovate-npm-vite-vulnerabil.vue-i18n-next.pages.dev

View logs

github-actions · 2025-04-05T17:47:13Z

Size Report

Bundles

File	Size	Gzip	Brotli
core.esm-browser.prod.js	38.05 kB	11.62 kB	10.39 kB
core.global.prod.js	31.11 kB	10.78 kB	9.67 kB
core.runtime.esm-browser.prod.js	23.77 kB	7.71 kB	6.90 kB
core.runtime.global.prod.js	18.08 kB	7.04 kB	6.32 kB
message-compiler.esm-browser.prod.js	19.29 kB	5.76 kB	5.14 kB
message-compiler.global.prod.js	17.32 kB	5.55 kB	4.98 kB
petite-vue-i18n-core.esm-browser.prod.js	20.67 kB	6.96 kB	6.26 kB
petite-vue-i18n-core.global.prod.js	15.63 kB	6.06 kB	5.51 kB
petite-vue-i18n.esm-browser.prod.js	36.98 kB	11.34 kB	10.17 kB
petite-vue-i18n.global.prod.js	29.84 kB	10.19 kB	9.20 kB
petite-vue-i18n.runtime.esm-browser.prod.js	22.55 kB	7.33 kB	6.63 kB
petite-vue-i18n.runtime.global.prod.js	16.83 kB	6.40 kB	5.80 kB
vue-i18n.esm-browser.prod.js	50.65 kB	15.15 kB	13.54 kB
vue-i18n.global.prod.js	40.53 kB	13.60 kB	12.24 kB
vue-i18n.runtime.esm-browser.prod.js	36.22 kB	11.15 kB	10.02 kB
vue-i18n.runtime.global.prod.js	27.51 kB	9.85 kB	8.89 kB

Usages

Name	Size	Gzip	Brotli
packages/size-check-core (@intlify/core)	9.22 kB	3.82 kB	3.46 kB
packages/size-check-petite-vue-i18n (petite-vue-i18n)	77.63 kB	30.24 kB	27.28 kB
packages/size-check-vue-i18n (vue-i18n)	82.83 kB	31.74 kB	28.51 kB

pkg-pr-new · 2025-04-05T17:47:46Z

Open in StackBlitz

@intlify/core

npm i https://pkg.pr.new/@intlify/core@2161

@intlify/core-base

npm i https://pkg.pr.new/@intlify/core-base@2161

@intlify/devtools-types

npm i https://pkg.pr.new/@intlify/devtools-types@2161

@intlify/message-compiler

npm i https://pkg.pr.new/@intlify/message-compiler@2161

petite-vue-i18n

npm i https://pkg.pr.new/petite-vue-i18n@2161

@intlify/shared

npm i https://pkg.pr.new/@intlify/shared@2161

vue-i18n

npm i https://pkg.pr.new/vue-i18n@2161

@intlify/vue-i18n-core

npm i https://pkg.pr.new/@intlify/vue-i18n-core@2161

commit: b2788d5

renovate bot added the Type: Dependency Dependencies fixes label Apr 5, 2025

chore(deps): update dependency vite to v6.2.5 [security]

b2788d5

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 1c5d5c6 to b2788d5 Compare April 8, 2025 13:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency vite to v6.2.5 [security] #2161

chore(deps): update dependency vite to v6.2.5 [security] #2161

renovate bot commented Apr 5, 2025

cloudflare-workers-and-pages bot commented Apr 5, 2025 •

edited

Loading

github-actions bot commented Apr 5, 2025

pkg-pr-new bot commented Apr 5, 2025 •

edited

Loading

chore(deps): update dependency vite to v6.2.5 [security] #2161

Are you sure you want to change the base?

chore(deps): update dependency vite to v6.2.5 [security] #2161

Conversation

renovate bot commented Apr 5, 2025

GitHub Vulnerability Alerts

Summary

Impact

Details

.svg

relative paths

PoC

Release Notes

Configuration

cloudflare-workers-and-pages bot commented Apr 5, 2025 • edited Loading

Deploying vue-i18n-next with Cloudflare Pages

github-actions bot commented Apr 5, 2025

Size Report

Bundles

Usages

pkg-pr-new bot commented Apr 5, 2025 • edited Loading

`.svg`

cloudflare-workers-and-pages bot commented Apr 5, 2025 •

edited

Loading

pkg-pr-new bot commented Apr 5, 2025 •

edited

Loading