14194518132
89%

Ran 01 Apr 2025 11:35AM UTC

Jobs 6

Files 216

Run time 2min

Badge

Embed ▾

Committed 01 Apr 2025 11:32AM UTC coverage: 87.5%. Remained the same

Build # 14194518132

Build Type

push

github

Committed by

web-flow

Commit Message

chore(deps): update dependency vite to v6.2.4 [security] (main) (#7168)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.2.3` ->
`6.2.4`](https://renovatebot.com/diffs/npm/vite/6.2.3/6.2.4) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8)

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact
Only apps explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.

### Details

- base64 encoded content of non-allowed files is exposed using
`?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`

`/@&#8203;fs/` isn't needed to reproduce the issue for files inside the
project root.

### PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read
arbitrary files and returns the file content if it exists. Base64
decoding needs to be performed twice
```
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
```

Exampl... (continued)

Run Details

2944 of 3900 branches covered (75.49%)

5124 of 5856 relevant lines covered (87.5%)

90865.57 hits per line

Subprojects

ID	Flag name	Job ID	Ran	Files	Coverage
1	compat	14194518132.1	01 Apr 2025 11:36AM UTC	159	18.95	GitHub Action Run
2	base	14194518132.2	01 Apr 2025 11:36AM UTC	148	17.17	GitHub Action Run
3	main/src/components	14194518132.3	01 Apr 2025 11:40AM UTC	148	84.98	GitHub Action Run
4	cypress-commands	14194518132.4	01 Apr 2025 11:36AM UTC	148	15.46	GitHub Action Run
5	main/src/internal	14194518132.5	01 Apr 2025 11:35AM UTC	148	15.44	GitHub Action Run
6	charts	14194518132.6	01 Apr 2025 11:37AM UTC	205	28.04	GitHub Action Run

SAP / ui5-webcomponents-react / 14194518132
89%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Subprojects

Source Files on build 14194518132

SAP / ui5-webcomponents-react / 14194518132 89%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Subprojects

Source Files on build 14194518132

SAP / ui5-webcomponents-react / 14194518132
89%

README BADGES
x