2 – base
89%
main: 89%

Ran 01 Apr 2025 11:40AM UTC

Files 148

Run time 3s

Badge

Embed ▾

Committed 01 Apr 2025 11:32AM UTC coverage: 17.172% (-0.02%) from 17.194%

Subproject # base – 14194518132.2

Build Type

push

github

Committed by

web-flow

Commit Message

chore(deps): update dependency vite to v6.2.4 [security] (main) (#7168)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`6.2.3` ->
`6.2.4`](https://renovatebot.com/diffs/npm/vite/6.2.3/6.2.4) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.2.3/6.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8)

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact
Only apps explicitly exposing the Vite dev server to the network (using
`--host` or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host)) are
affected.

### Details

- base64 encoded content of non-allowed files is exposed using
`?inline&import` (originally reported as `?import&?inline=1.wasm?init`)
- content of non-allowed files is exposed using `?raw?import`

`/@&#8203;fs/` isn't needed to reproduce the issue for files inside the
project root.

### PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read
arbitrary files and returns the file content if it exists. Base64
decoding needs to be performed twice
```
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev
```

Exampl... (continued)

Run Details

114 of 2904 branches covered (3.93%)

781 of 4548 relevant lines covered (17.17%)

16.16 hits per line

SAP / ui5-webcomponents-react / 14194518132 / 2 – base
89%
main: 89%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job base - 14194518132.2

SAP / ui5-webcomponents-react / 14194518132 / 2 – base 89% main: 89%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job base - 14194518132.2

SAP / ui5-webcomponents-react / 14194518132 / 2 – base
89%
main: 89%

README BADGES
x