Commit 42a3d6d

Update benchmark-node-output.json
1 parent b3967a6 commit 42a3d6d

1 file changed

Lines changed: 55 additions & 1 deletion

benchmark-node-output.json

@@ -1,5 +1,5 @@
11
{
2-
"lastUpdate": 1775495776349,
2+
"lastUpdate": 1775511427712,
33
"repoUrl": "https://github.com/rolldown/rolldown",
44
"entries": {
55
"Benchmark": [
@@ -233462,6 +233462,60 @@
233462233462
"unit": "ms / ops"
233463233463
}
233464233464
]
233465+
},
233466+
{
233467+
"commit": {
233468+
"author": {
233469+
"email": "29139614+renovate[bot]@users.noreply.github.com",
233470+
"name": "renovate[bot]",
233471+
"username": "renovate[bot]"
233472+
},
233473+
"committer": {
233474+
"email": "noreply@github.com",
233475+
"name": "GitHub",
233476+
"username": "web-flow"
233477+
},
233478+
"distinct": true,
233479+
"id": "49767940ad084cd5a4aeff9cc6220f01dd03d2cf",
233480+
"message": "chore(deps): update dependency vite to v8.0.5 [security] (#9009)\n\nThis PR contains the following updates:\n\n| Package | Change |\n[Age](https://docs.renovatebot.com/merge-confidence/) |\n[Adoption](https://docs.renovatebot.com/merge-confidence/) |\n[Passing](https://docs.renovatebot.com/merge-confidence/) |\n[Confidence](https://docs.renovatebot.com/merge-confidence/) |\n|---|---|---|---|---|---|\n| [vite](https://vite.dev)\n([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))\n| [`8.0.3` →\n`8.0.5`](https://renovatebot.com/diffs/npm/vite/8.0.3/8.0.5) |\n![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.0.5?slim=true)\n|\n![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/8.0.5?slim=true)\n|\n![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/8.0.3/8.0.5?slim=true)\n|\n![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.0.3/8.0.5?slim=true)\n|\n\n### GitHub Vulnerability Alerts\n\n####\n[GHSA-4w7w-66w2-5vf9](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9)\n\n### Summary\n\nAny files ending with `.map` even out side the project can be returned\nto the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host`\nor [`server.host` config\noption](https://vitejs.dev/config/server-options.html#server-host))\n- have a sensitive content in files ending with `.map` and the path is\npredictable\n\n### Details\n\nIn Vite v7.3.1, the dev server’s handling of `.map` requests for\noptimized dependencies resolves file paths and calls `readFile` without\nrestricting `../` segments in the URL. 
As a result, it is possible to\nbypass the\n[`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict)\nallow list and retrieve `.map` files located outside the project root,\nprovided they can be parsed as valid source map JSON.\n\n### PoC\n1. Create a minimal PoC sourcemap outside the project root\n ```bash\n cat > /tmp/poc.map <<'EOF'\n {\"version\":3,\"file\":\"x.js\",\"sources\":[],\"names\":[],\"mappings\":\"\"}\n EOF\n ```\n2. Start the Vite dev server (example)\n ```bash\n pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080\n ```\n3. Confirm that direct `/@&#8203;fs` access is blocked by `strict`\n(returns 403)\n<img width=\"4004\" height=\"1038\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab\"\n/>\n4. Inject `../` segments under the optimized deps `.map` URL prefix to\nreach `/tmp/poc.map`\n<img width=\"2790\" height=\"846\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2\"\n/>\n\n####\n[GHSA-p9ff-h696-f583](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583)\n\n### Summary\n\n[`server.fs`](https://vite.dev/config/server-options#server-fs-strict)\ncheck was not enforced to the `fetchModule` method that is exposed in\nVite dev server's WebSocket.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host`\nor [`server.host` config\noption](https://vitejs.dev/config/server-options.html#server-host))\n- WebSocket is not disabled by `server.ws: false`\n\nArbitrary files on the server (development machine, CI environment,\ncontainer, etc.) 
can be exposed.\n\n### Details\n\nIf it is possible to connect to the Vite dev server’s WebSocket\n**without an `Origin` header**, an attacker can invoke `fetchModule` via\nthe custom WebSocket event `vite:invoke` and combine `file://...` with\n`?raw` (or `?inline`) to retrieve the contents of arbitrary files on the\nserver as a JavaScript string (e.g., `export default \"...\"`).\n\nThe access control enforced in the HTTP request path (such as\n`server.fs.allow`) is not applied to this WebSocket-based execution\npath.\n\n### PoC\n\n1. Start the dev server on the target \n Example (used during validation with this repository):\n ```bash\n pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173\n ```\n\n2. Confirm that access is blocked via the HTTP path (example: arbitrary\nfile)\n ```bash\n curl -i 'http://localhost:5173/@&#8203;fs/etc/passwd?raw'\n ```\n Result: `403 Restricted` (outside the allow list)\n<img width=\"3898\" height=\"1014\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af\"\n/>\n\n3. 
Confirm that the same file can be retrieved via the WebSocket path\nBy connecting to the HMR WebSocket without an `Origin` header and\nsending a `vite:invoke` request that calls `fetchModule` with a\n`file://...` URL and `?raw`, the file contents are returned as a\nJavaScript module.\n<img width=\"1049\" height=\"296\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972\"\n/>\n<img width=\"1382\" height=\"955\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7\"\n/>\n\n####\n[GHSA-v2wj-q39q-566r](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r)\n\n### Summary\n\nThe contents of files that are specified by\n[`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)\ncan be returned to the browser.\n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host`\nor [`server.host` config\noption](https://vitejs.dev/config/server-options.html#server-host))\n- the sensitive file exists in the allowed directories specified by\n[`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)\n- the sensitive file is denied with a pattern that matches a file by\n[`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)\n\n### Details\n\nOn the Vite dev server, files that should be blocked by `server.fs.deny`\n(e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when\nquery parameters such as `?raw`, `?import&raw`, or `?import&url&inline`\nare appended.\n\n### PoC\n\n1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port\n5175 --strictPort`\n2. 
Confirm that `server.fs.deny` is enforced (expect 403): `curl -i\nhttp://127.0.0.1:5175/src/.env | head -n 20`\n<img width=\"3944\" height=\"1092\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f\"\n/>\n3. Confirm that the same files can be retrieved with query parameters\n(expect 200):\n<img width=\"2014\" height=\"373\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8\"\n/>\n\n---\n\n### Release Notes\n\n<details>\n<summary>vitejs/vite (vite)</summary>\n\n###\n[`v8.0.5`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-805-2026-04-06-small)\n\n[Compare\nSource](https://redirect.github.com/vitejs/vite/compare/v8.0.4...v8.0.5)\n\n##### Bug Fixes\n\n- apply server.fs check to env transport\n([#&#8203;22159](https://redirect.github.com/vitejs/vite/issues/22159))\n([f02d9fd](https://redirect.github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0))\n- avoid path traversal with optimize deps sourcemap handler\n([#&#8203;22161](https://redirect.github.com/vitejs/vite/issues/22161))\n([79f002f](https://redirect.github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694))\n- check `server.fs` after stripping query as well\n([#&#8203;22160](https://redirect.github.com/vitejs/vite/issues/22160))\n([a9a3df2](https://redirect.github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff))\n- disallow referencing files outside the package from sourcemap\n([#&#8203;22158](https://redirect.github.com/vitejs/vite/issues/22158))\n([f05f501](https://redirect.github.com/vitejs/vite/commit/f05f50173461789e0f1323fe06b51f18ca41c132))\n\n###\n[`v8.0.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-804-2026-04-06-small)\n\n[Compare\nSource](https://redirect.github.com/vitejs/vite/compare/v8.0.3...v8.0.4)\n\n##### Features\n\n- allow esbuild 0.28 as peer 
deps\n([#&#8203;22155](https://redirect.github.com/vitejs/vite/issues/22155))\n([b0da973](https://redirect.github.com/vitejs/vite/commit/b0da97372f5dba73e78035d1cc7680466ff6cf7f))\n- **hmr:** truncate list of files on hmr update\n([#&#8203;21535](https://redirect.github.com/vitejs/vite/issues/21535))\n([d00e806](https://redirect.github.com/vitejs/vite/commit/d00e806d7be15ebbfe7875e9244963d80ee8b142))\n- **optimizer:** log when dependency scanning or bundling takes over 1s\n([#&#8203;21797](https://redirect.github.com/vitejs/vite/issues/21797))\n([f61a1ab](https://redirect.github.com/vitejs/vite/commit/f61a1ab33b05dc6f6a7eda6e8bc9c4c5b9aab133))\n\n##### Bug Fixes\n\n- `hasBothRollupOptionsAndRolldownOptions` should return `false` for\nproxy case\n([#&#8203;22043](https://redirect.github.com/vitejs/vite/issues/22043))\n([99897d2](https://redirect.github.com/vitejs/vite/commit/99897d27b44dd73307fa03e2f11f0baa1a1dc939))\n- add types for `vite/modulepreload-polyfill`\n([#&#8203;22126](https://redirect.github.com/vitejs/vite/issues/22126))\n([17330d2](https://redirect.github.com/vitejs/vite/commit/17330d2b9e132460f194d6d4b547cfee7e25c788))\n- **deps:** update all non-major dependencies\n([#&#8203;22073](https://redirect.github.com/vitejs/vite/issues/22073))\n([6daa10f](https://redirect.github.com/vitejs/vite/commit/6daa10ff1e8d15a90f49d8dd909ff208da85d6d8))\n- **deps:** update all non-major dependencies\n([#&#8203;22143](https://redirect.github.com/vitejs/vite/issues/22143))\n([22b0166](https://redirect.github.com/vitejs/vite/commit/22b016612703320db45c64a2fe44472051ef5ec5))\n- **resolve:** resolve tsconfig paths starting with `#`\n([#&#8203;22038](https://redirect.github.com/vitejs/vite/issues/22038))\n([3460fc5](https://redirect.github.com/vitejs/vite/commit/3460fc55aa89aef4103d2c05ac2e446032511a6d))\n- **ssr:** use browser platform for webworker SSR builds 
(fix\n[#&#8203;21969](https://redirect.github.com/vitejs/vite/issues/21969))\n([#&#8203;21963](https://redirect.github.com/vitejs/vite/issues/21963))\n([364c227](https://redirect.github.com/vitejs/vite/commit/364c2273a121dad4d93ec3b9ec87ffbe0d6e860b))\n\n##### Documentation\n\n- add `environment.fetchModule` documentation\n([#&#8203;22035](https://redirect.github.com/vitejs/vite/issues/22035))\n([54229e7](https://redirect.github.com/vitejs/vite/commit/54229e78631ebf10d1db767b51ea85f3cf06718a))\n\n##### Miscellaneous Chores\n\n- **deps:** update rolldown-related dependencies\n([#&#8203;21989](https://redirect.github.com/vitejs/vite/issues/21989))\n([0ded627](https://redirect.github.com/vitejs/vite/commit/0ded6274579e8bda6b22a7ba93b15d15b4c28b78))\n\n##### Code Refactoring\n\n- upgrade to typescript 6\n([#&#8203;22110](https://redirect.github.com/vitejs/vite/issues/22110))\n([cc41398](https://redirect.github.com/vitejs/vite/commit/cc41398c2cf0bb5061cf0ca5dc3b408ae7e41191))\n\n</details>\n\n---\n\n### Configuration\n\n📅 **Schedule**: Branch creation - \"\" in timezone Asia/Shanghai,\nAutomerge - At any time (no schedule defined).\n\n🚦 **Automerge**: Enabled.\n\n♻ **Rebasing**: Whenever PR is behind base branch, or you tick the\nrebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\nagain.\n\n---\n\n- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check\nthis box\n\n---\n\nThis PR was generated by [Mend Renovate](https://mend.io/renovate/).\nView the [repository job\nlog](https://developer.mend.io/github/rolldown/rolldown).\n\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->\n\nCo-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>",
233481+
"timestamp": "2026-04-06T21:31:45Z",
233482+
"tree_id": "bf989df16f7dcedc7567d2bae6b8e7aa4bdee0d8",
233483+
"url": "https://github.com/rolldown/rolldown/commit/49767940ad084cd5a4aeff9cc6220f01dd03d2cf"
233484+
},
233485+
"date": 1775511427621,
233486+
"tool": "customSmallerIsBetter",
233487+
"benches": [
233488+
{
233489+
"name": "threejs10x (default)",
233490+
"value": 827.74,
233491+
"unit": "ms / ops"
233492+
},
233493+
{
233494+
"name": "threejs10x-sourcemap (default)",
233495+
"value": 1046.03,
233496+
"unit": "ms / ops"
233497+
},
233498+
{
233499+
"name": "threejs10x-minify (default)",
233500+
"value": 1098.84,
233501+
"unit": "ms / ops"
233502+
},
233503+
{
233504+
"name": "threejs10x-minify-sourcemap (default)",
233505+
"value": 1318.88,
233506+
"unit": "ms / ops"
233507+
},
233508+
{
233509+
"name": "rome-ts (default)",
233510+
"value": 186.16,
233511+
"unit": "ms / ops"
233512+
},
233513+
{
233514+
"name": "rome-ts-sourcemap (default)",
233515+
"value": 222.67,
233516+
"unit": "ms / ops"
233517+
}
233518+
]
233465233519
}
233466233520
]
233467233521
}
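
Review bot: the `message` value in the new entry's `commit` object (new line 233480) stores the entire Renovate PR body in a benchmark data file that is already over 233,000 lines long. That body includes three advisory write-ups with their PoC steps, raw `<img>` and `<details>` markup, `&#8203;` entities and the `<!--renovate-debug:...-->` comment. The `id` and `url` fields on the lines that follow already identify the commit, so consider having the benchmark writer keep only the subject line, `chore(deps): update dependency vite to v8.0.5 [security] (#9009)`, or truncate the message to a fixed length. Because the string carries HTML, anything that renders `message` on a dashboard should insert it as text rather than as markup.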