Comparing changes
base repository: oxc-project/eslint-plugin-oxlint
base: v0.16.3
head repository: oxc-project/eslint-plugin-oxlint
compare: v0.16.4
- 8 commits
- 4 files changed
- 3 contributors
Commits on Mar 25, 2025
chore(deps): update dependency vite to v6.2.3 [security] (#369)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.2` -> `6.2.3`](https://renovatebot.com/diffs/npm/vite/6.2.2/6.2.3) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. ### PoC ```bash $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@​fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@​fs/tmp/secret.txt?import&raw??" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... 
``` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.2.3`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.3) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.2...v6.2.3) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.3/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit dc70343
Commits on Mar 30, 2025
chore(deps): update dependency pnpm to v10.7.0 (#372)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | `10.6.5` -> `10.7.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v10.7.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1070) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.5...v10.7.0) ##### Minor Changes - `pnpm config get` and `list` also show settings set in `pnpm-workspace.yaml` files [#​9316](https://redirect.github.com/pnpm/pnpm/pull/9316). - It should be possible to use env variables in `pnpm-workspace.yaml` setting names and value. - Add an ability to patch dependencies by version ranges. Exact versions override version ranges, which in turn override name-only patches. Version range `*` is the same as name-only, except that patch application failure will not be ignored. For example: ```yaml patchedDependencies: foo: patches/foo-1.patch foo@^2.0.0: patches/foo-2.patch foo@2.1.0: patches/foo-3.patch ``` The above configuration would apply `patches/foo-3.patch` to `foo@2.1.0`, `patches/foo-2.patch` to all `foo` versions which satisfy `^2.0.0` except `2.1.0`, and `patches/foo-1.patch` to the remaining `foo` versions. > \[!WARNING] > The version ranges should not overlap. If you want to specialize a sub range, make sure to exclude it from the other keys. 
For example: > > ```yaml > # pnpm-workspace.yaml > patchedDependencies: > # the specialized sub range > 'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch > # the more general patch, excluding the sub range above > 'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch > ``` > > In most cases, however, it's sufficient to just define an exact version to override the range. - `pnpm config set --location=project` saves the setting to a `pnpm-workspace.yaml` file if no `.npmrc` file is present in the directory [#​9316](https://redirect.github.com/pnpm/pnpm/pull/9316). - Rename `pnpm.allowNonAppliedPatches` to `pnpm.allowUnusedPatches`. The old name is still supported but it would print a deprecation warning message. - Add `pnpm.ignorePatchFailures` to manage whether pnpm would ignore patch application failures. If `ignorePatchFailures` is not set, pnpm would throw an error when patches with exact versions or version ranges fail to apply, and it would ignore failures from name-only patches. If `ignorePatchFailures` is explicitly set to `false`, pnpm would throw an error when any type of patch fails to apply. If `ignorePatchFailures` is explicitly set to `true`, pnpm would print a warning when any type of patch fails to apply. ##### Patch Changes - Remove dependency paths from audit output to prevent out-of-memory errors [#​9280](https://redirect.github.com/pnpm/pnpm/issues/9280). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 8am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). 
View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 55d5d89
chore(deps): update github-actions (#371)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.28.12` -> `v3.28.13` | | [taiki-e/install-action](https://redirect.github.com/taiki-e/install-action) | action | patch | `v2.49.33` -> `v2.49.38` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.28.13`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.12...v3.28.13) ### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. #### 3.28.13 - 24 Mar 2025 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.13/CHANGELOG.md) for more information. </details> <details> <summary>taiki-e/install-action (taiki-e/install-action)</summary> ### [`v2.49.38`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.38): 2.49.38 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.37...v2.49.38) - Update `cargo-lambda@latest` to 1.8.1. - Update `typos@latest` to 1.31.0. - Update `trunk@latest` to 0.21.12. ### [`v2.49.37`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.37): 2.49.37 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.36...v2.49.37) - Update `trunk@latest` to 0.21.11. ### [`v2.49.36`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.36): 2.49.36 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.35...v2.49.36) - Update `release-plz@latest` to 0.3.129. - Update `protoc@latest` to 3.30.2. 
### [`v2.49.35`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.35): 2.49.35 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.34...v2.49.35) - Update `cargo-nextest@latest` to 0.9.93. - Update `typos@latest` to 1.30.3. - Update `wash@latest` to 0.41.0. ### [`v2.49.34`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.34): 2.49.34 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.33...v2.49.34) - Update `knope@latest` to 0.19.0. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 8am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 65a2b4e
chore(deps): update dependency eslint-plugin-unicorn to v58 (#374)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [eslint-plugin-unicorn](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn) | [`^57.0.0` -> `^58.0.0`](https://renovatebot.com/diffs/npm/eslint-plugin-unicorn/57.0.0/58.0.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>sindresorhus/eslint-plugin-unicorn (eslint-plugin-unicorn)</summary> ### [`v58.0.0`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/releases/tag/v58.0.0) [Compare Source](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/compare/v57.0.0...v58.0.0) ##### Potentially breaking - Update `engines.node` in package.json to match real compatibility ([#​2581](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2581)) [`e48a620`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/e48a620) ##### Improvements - `escape-case`: Add [case option](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/escape-case.md#options) ([#​2559](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2559)) [`0f6048c`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/0f6048c) - `number-literal-case`: Add [`hexadecimalValue` option](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/blob/main/docs/rules/number-literal-case.md#hexadecimalvalue) ([#​2559](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2559)) [`0f6048c`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/0f6048c) - `prevent-abbreviations`: Preserve `iOS` ([#​2560](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2560)) 
[`e8798da`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/e8798da) ##### Fixes - `no-unnecessary-polyfills`: Fix browserslist field name ([#​2603](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2603)) [`1a4c76f`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/1a4c76f) - `no-unnecessary-polyfills`: Fix crash on checking `es6-error` module ([#​2582](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2582)) [`66de41a`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/66de41a) - `no-accessor-recursion`: Fix exception when used in CommonJS ([#​2574](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/issues/2574)) [`ca1e432`](https://redirect.github.com/sindresorhus/eslint-plugin-unicorn/commit/ca1e432) *** </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 8am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 25127dd
chore(deps): lock file maintenance npm packages (#375)
This PR contains the following updates: | Package | Type | Update | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---|---|---| | | | lockFileMaintenance | All locks refreshed | | | | | | [@types/node](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`22.13.11` -> `22.13.14`](https://renovatebot.com/diffs/npm/@types%2fnode/22.13.11/22.13.14) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [pnpm](https://pnpm.io) ([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) | packageManager | minor | [`10.6.5` -> `10.7.0`](https://renovatebot.com/diffs/npm/pnpm/10.6.5/10.7.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | devDependencies | minor | [`8.27.0` -> `8.28.0`](https://renovatebot.com/diffs/npm/typescript-eslint/8.27.0/8.28.0) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | 🔧 This Pull Request updates lock files to use the latest dependency versions. 
--- ### Release Notes <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v10.7.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1070) [Compare Source](https://redirect.github.com/pnpm/pnpm/compare/v10.6.5...v10.7.0) ##### Minor Changes - `pnpm config get` and `list` also show settings set in `pnpm-workspace.yaml` files [#​9316](https://redirect.github.com/pnpm/pnpm/pull/9316). - It should be possible to use env variables in `pnpm-workspace.yaml` setting names and value. - Add an ability to patch dependencies by version ranges. Exact versions override version ranges, which in turn override name-only patches. Version range `*` is the same as name-only, except that patch application failure will not be ignored. For example: ```yaml patchedDependencies: foo: patches/foo-1.patch foo@^2.0.0: patches/foo-2.patch foo@2.1.0: patches/foo-3.patch ``` The above configuration would apply `patches/foo-3.patch` to `foo@2.1.0`, `patches/foo-2.patch` to all `foo` versions which satisfy `^2.0.0` except `2.1.0`, and `patches/foo-1.patch` to the remaining `foo` versions. > \[!WARNING] > The version ranges should not overlap. If you want to specialize a sub range, make sure to exclude it from the other keys. For example: > > ```yaml > # pnpm-workspace.yaml > patchedDependencies: > # the specialized sub range > 'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch > # the more general patch, excluding the sub range above > 'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch > ``` > > In most cases, however, it's sufficient to just define an exact version to override the range. - `pnpm config set --location=project` saves the setting to a `pnpm-workspace.yaml` file if no `.npmrc` file is present in the directory [#​9316](https://redirect.github.com/pnpm/pnpm/pull/9316). - Rename `pnpm.allowNonAppliedPatches` to `pnpm.allowUnusedPatches`. The old name is still supported but it would print a deprecation warning message. 
- Add `pnpm.ignorePatchFailures` to manage whether pnpm would ignore patch application failures. If `ignorePatchFailures` is not set, pnpm would throw an error when patches with exact versions or version ranges fail to apply, and it would ignore failures from name-only patches. If `ignorePatchFailures` is explicitly set to `false`, pnpm would throw an error when any type of patch fails to apply. If `ignorePatchFailures` is explicitly set to `true`, pnpm would print a warning when any type of patch fails to apply. ##### Patch Changes - Remove dependency paths from audit output to prevent out-of-memory errors [#​9280](https://redirect.github.com/pnpm/pnpm/issues/9280). </details> <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.28.0`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8280-2025-03-24) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.27.0...v8.28.0) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 8am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). 
View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 32d8e57
chore(deps): update taiki-e/install-action action to v2.49.39 (#373)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [taiki-e/install-action](https://redirect.github.com/taiki-e/install-action) | action | patch | `v2.49.38` -> `v2.49.39` | --- ### Release Notes <details> <summary>taiki-e/install-action (taiki-e/install-action)</summary> ### [`v2.49.39`](https://redirect.github.com/taiki-e/install-action/releases/tag/v2.49.39): 2.49.39 [Compare Source](https://redirect.github.com/taiki-e/install-action/compare/v2.49.38...v2.49.39) - Downgrade `cargo-lambda@latest` to 1.8.0. ([#​923](https://redirect.github.com/taiki-e/install-action/pull/923)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 8am on monday" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 6ce7c4e
Commits on Mar 31, 2025
chore(deps): update dependency vite to v6.2.4 [security] (#376)
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.3` -> `6.2.4`](https://renovatebot.com/diffs/npm/vite/6.2.3/6.2.4) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@​fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.2.4`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.4) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.3...v6.2.4) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.4/packages/vite/CHANGELOG.md) for details. 
</details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDcuMSIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Commit 8f75475
Commits on Apr 1, 2025
Automated changes by [create-pull-request](https://github.com/peter-evans/create-pull-request) GitHub action Co-authored-by: Boshen <Boshen@users.noreply.github.com>
Commit 66518e6
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v0.16.3...v0.16.4