devtools icon indicating copy to clipboard operation
devtools copied to clipboard
verified publisher icon vuejs

chore(deps): update dependency vite to v7.1.11 [security]

Open renovate[bot] opened this issue 2 months ago • 2 comments

This PR contains the following updates:

Package Change Age Confidence
vite (source) 7.1.10 -> 7.1.11 age confidence

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
image

Release Notes

vitejs/vite (vite)

v7.1.11

Compare Source

Bug Fixes
Miscellaneous Chores
Code Refactoring
Build System

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Oct 20 '25 22:10 renovate[bot]

Deploy Preview for vue-devtools-docs canceled.

Name Link
Latest commit 1cfb4b8ed17b5cb8f7701ef947d01a1ea21854bb
Latest deploy log https://app.netlify.com/projects/vue-devtools-docs/deploys/691b49f6b62b9a000898155f

netlify[bot] avatar Oct 20 '25 22:10 netlify[bot]

Open in StackBlitz

@vue/devtools-applet

npm i https://pkg.pr.new/@vue/devtools-applet@982
@vue/devtools-core

npm i https://pkg.pr.new/@vue/devtools-core@982
@vue/devtools

npm i https://pkg.pr.new/@vue/devtools@982
@vue/devtools-api

npm i https://pkg.pr.new/@vue/devtools-api@982
@vue/devtools-kit

npm i https://pkg.pr.new/@vue/devtools-kit@982
vite-plugin-vue-devtools

npm i https://pkg.pr.new/vite-plugin-vue-devtools@982

commit: 1cfb4b8

pkg-pr-new[bot] avatar Oct 20 '25 22:10 pkg-pr-new[bot]