Skip to content

chore(deps): update dependency vite to v6.2.7 [security] (main)#5561

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/main-npm-vite-vulnerability
Apr 30, 2025
Merged

chore(deps): update dependency vite to v6.2.7 [security] (main)#5561
renovate[bot] merged 1 commit intomainfrom
renovate/main-npm-vite-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Apr 30, 2025

This PR contains the following updates:

Package Type Update Change OpenSSF
vite (source) devDependencies patch 6.2.6 -> 6.2.7 OpenSSF Scorecard

GitHub Vulnerability Alerts

GHSA-859w-5945-r5v3

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

  • Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
  • Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

image
image

Release Notes

vitejs/vite (vite)

v6.2.7

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Apr 30, 2025
@renovate renovate bot enabled auto-merge (squash) April 30, 2025 19:39
@dosubot dosubot bot added the dependencies PRs that update a dependency file label Apr 30, 2025
@renovate renovate bot merged commit 7281d84 into main Apr 30, 2025
32 of 35 checks passed
@renovate renovate bot deleted the renovate/main-npm-vite-vulnerability branch April 30, 2025 19:41
joe1981al pushed a commit to joe1981al/atlantis that referenced this pull request Jun 20, 2025
@renovate @joe1981al
chore(deps): update dependency vite to v6.2.7 [security] (main) (runa…
ffdc389 
…tlantis#5561)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Joseph McDonald <jojosr2000@gmail.com>
@BrewTestBot BrewTestBot mentioned this pull request Jun 27, 2025
Merged
dimisjim pushed a commit to dimisjim/atlantis that referenced this pull request Oct 29, 2025
@renovate @dimisjim
chore(deps): update dependency vite to v6.2.7 [security] (main) (runa…
003e9b5 
…tlantis#5561)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: dimisjim <dimitris.moraitidis@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies PRs that update a dependency file security website

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants