UI5 / webcomponents-react / 27685144752
85%

DEFAULT BRANCH: main
Ran
Jobs 7
Files 205
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 85.482%. Remained the same
27685144752

push

github

web-flow 
chore(deps): update dependency vite to v8.0.16 [security] (#8698)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`8.0.14` →
`8.0.16`](https://renovatebot.com/diffs/npm/vite/8.0.14/8.0.16) |
![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.0.16?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.0.14/8.0.16?slim=true)
|

---

### Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
[CVE-2026-39365](https://nvd.nist.gov/vuln/detail/CVE-2026-39365) /
[GHSA-4w7w-66w2-5vf9](https://redirect.github.com/advisories/GHSA-4w7w-66w2-5vf9)

<details>
<summary>More information</summary>

#### Details
##### Summary

Any files ending with `.map` even out side the project can be returned
to the browser.

##### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- have a sensitive content in files ending with `.map` and the path is
predictable

##### Details

In Vite v7.3.1, the dev server’s handling of `.map` requests for
optimized dependencies resolves file paths and calls `readFile` without
restricting `../` segments in the URL. As a result, it is possible to
bypass the
[`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict)
allow list and retrieve `.map` files located outside the project root,
provided they can be parsed as valid source map JSON.

##### PoC
1. Create a minimal PoC sourcemap outside the project root
    ```bash
    cat > /tmp/poc.map <<'EOF'
    {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
    EOF
    ```
2. S... (continued)

4084 of 5146 branches covered (79.36%)

Branch coverage included in aggregate %.

7027 of 7852 relevant lines covered (89.49%)

307535.88 hits per line

Subprojects
ID Flag name Job ID Ran Files Coverage
1 main/src/webComponents 27685144752.1 140
7.22
 GitHub Action Run
2 playwright 27685144752.2 62
84.8
 GitHub Action Run
3 main/src/internal 27685144752.3 140
8.53
 GitHub Action Run
4 base 27685144752.4 140
9.47
 GitHub Action Run
5 cypress-commands 27685144752.5 140
8.46
 GitHub Action Run
6 main/src/components 27685144752.6 140
79.89
 GitHub Action Run
7 compat 27685144752.7 148
11.11
 GitHub Action Run
Source Files on build 27685144752