Update dependency vite to v6.1.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	6.0.9 -> 6.1.6

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.1.6

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.5

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

Features

• add support for injecting debug IDs (#​18763) (0ff556a)

Bug Fixes

• css: run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a)
• deps: bump tsconfck (#​19375) (746a583)
• deps: update all non-major dependencies (#​19392) (60456a5)
• deps: update all non-major dependencies (#​19440) (ccac73d)
• ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e)
• html: ignore malformed src attrs (#​19397) (aff7812)
• ignore *.ipv4 address in cert (#​19416) (973283b)
• worker: fix web worker type detection (#​19462) (edc65ea)

Miscellaneous Chores

• update 6.1.0 changelog (#​19363) (fa7c211)

Code Refactoring

• remove custom .jxl mime (#​19457) (0c85464)

v6.1.0

Compare Source

Features

• add support for injecting debug IDs (#​18763) (0ff556a)

Bug Fixes

• css: run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a)
• deps: bump tsconfck (#​19375) (746a583)
• deps: update all non-major dependencies (#​19392) (60456a5)
• deps: update all non-major dependencies (#​19440) (ccac73d)
• ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e)
• html: ignore malformed src attrs (#​19397) (aff7812)
• ignore *.ipv4 address in cert (#​19416) (973283b)
• worker: fix web worker type detection (#​19462) (edc65ea)

Miscellaneous Chores

• update 6.1.0 changelog (#​19363) (fa7c211)

Code Refactoring

• remove custom .jxl mime (#​19457) (0c85464)

v6.0.15

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.11

Compare Source

Features

• show hosts in cert in CLI (#​19317) (a5e306f)
• support for env var for defining allowed hosts (#​19325) (4d88f6c)
• use native runtime to import the config (#​19178) (7c2a794)
• print port in the logged error message after failed WS connection with EADDRINUSE (#​19212) (14027b0)
• add support for .jxl (#​18855) (57b397c)
• add the builtins environment resolve (#​18584) (2c2d521)
• call Logger for plugin logs in build (#​13757) (bf3e410)
• css: add friendly errors for IE hacks that are not supported by lightningcss (#​19072) (caad985)
• export defaultAllowedOrigins for user-land config and 3rd party plugins (#​19259) (dc8946b)
• expose createServerModuleRunnerTransport (#​18730) (8c24ee4)
• optimizer: support bun text lockfile (#​18403) (05b005f)
• reporter: add wasm to the compressible assets regex (#​19085) (ce84142)
• support async for proxy.bypass (#​18940) (a6b9587)
• support log related functions in dev (#​18922) (3766004)
• use module runner to import the config (#​18637) (b7e0e42)
• worker: support dynamic worker option fields (#​19010) (d0c3523)

Bug Fixes

• avoid builtStart during vite optimize (#​19356) (fdb36e0)
• build: fix stale build manifest on watch rebuild (#​19361) (fcd5785)
• allow expanding env vars in reverse order (#​19352) (3f5f2bd)
• avoid packageJson without name in resolveLibCssFilename (#​19324) (f183bdf)
• html: fix css disorder when building multiple entry html (#​19143) (e7b4ba3)
• css: less [@plugin](https://redirect.github.com/plugin) imports of JS files treated as CSS and rebased (fix #​19268) (#​19269) (602b373)
• deps: update all non-major dependencies (#​19296) (2bea7ce)
• don't call buildStart hooks for vite optimize (#​19347) (19ffad0)
• don't call next middleware if user sent response in proxy.bypass (#​19318) (7e6364d)
• resolve: preserve hash/search of file url (#​19300) (d1e1b24)
• resolve: warn if node-like builtin was imported when resolve.builtin is empty (#​19312) (b7aba0b)
• respect top-level server.preTransformRequests (#​19272) (12aaa58)
• ssr: fix transform error due to export all id scope (#​19331) (e28bce2)
• ssr: pretty print plugin error in ssrLoadModule (#​19290) (353c467)
• use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#​19313) (9fc31b6)
• change ResolvedConfig type to interface to allow extending it (#​19210) (bc851e3)
• correctly resolve hmr dep ids and fallback to url (#​18840) (b84498b)
• deps: update all non-major dependencies (#​19190) (f2c07db)
• hmr: register inlined assets as a dependency of CSS file (#​18979) (eb22a74)
• make --force work for all environments (#​18901) (51a42c6)
• resolve: support resolving TS files by JS extension specifiers in JS files (#​18889) (612332b)
• ssr: combine empty source mappings (#​19226) (ba03da2)
• use loc.file from rollup errors if available (#​19222) (ce3fe23)
• utils: clone RegExp values with new RegExp instead of structuredClone (fix #​19245, fix #​18875) (#​19247) (56ad2be)

Performance Improvements

• css: only run postcss when needed (#​19061) (30194fa)

Documentation

• rephrase browser range and features relation (#​19286) (97569ef)
• update build.manifest jsdocs (#​19332) (4583781)

Code Refactoring

• deprecate vite optimize command (#​19348) (6e0e3c0)

Miscellaneous Chores

• update deprecate links domain (#​19353) (2b2299c)
• deps: update dependency strip-literal to v3 (#​19231) (1172d65)
• remove outdated code comment about scanImports not being used in ssr (#​19285) (fbbc6da)
• unneeded name in lockfileFormats (#​19275) (96092cb)

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.10

Compare Source

Bug Fixes

• try parse server.origin URL (#​19241) (2495022)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

PR Preview Action v1.6.2
🚀 View preview at https://internetarchive.github.io/iaux-item-metadata/pr/pr-27/
Built to branch gh-pages at 2025-10-21 17:16 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.58%. Comparing base (b4fe081) to head (b226266).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #27   +/-   ##
=======================================
  Coverage   69.58%   69.58%           
=======================================
  Files          13       13           
  Lines         947      947           
  Branches       24       24           
=======================================
  Hits          659      659           
  Misses        288      288           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.