chore(deps): update dependency vite@>=5.0.0 <5.4.12 to v6 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite@>=5.0.0 <5.4.12 (source)	[^5.4.12 -> ^6.0.13](https://renovatebot.com/diffs/npm/vite@&gt;&#x3D;5.0.0 <5.4.12/5.4.12/6.0.13)

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

---

Release Notes

vitejs/vite (vite@>=5.0.0 <5.4.12)

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.11

Compare Source

• fix: preview.allowedHosts with specific values was not respected (#​19246) (aeb3ec8), closes #​19246
• fix: allow CORS from loopback addresses by default (#​19249) (3d03899), closes #​19249

v6.0.10

Compare Source

• fix: try parse server.origin URL (#​19241) (2495022), closes #​19241

v6.0.9

Compare Source

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
• fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
• fix: verify token for HMR WebSocket connection (029dcd6)

v6.0.8

Compare Source

• fix: avoid SSR HMR for HTML files (#​19193) (3bd55bc), closes #​19193
• fix: build time display 7m 60s (#​19108) (cf0d2c8), closes #​19108
• fix: don't resolve URL starting with double slash (#​19059) (35942cd), closes #​19059
• fix: ensure server.close() only called once (#​19204) (db81c2d), closes #​19204
• fix: resolve.conditions in ResolvedConfig was defaultServerConditions (#​19174) (ad75c56), closes #​19174
• fix: tree shake stringified JSON imports (#​19189) (f2aed62), closes #​19189
• fix: use shared sigterm callback (#​19203) (47039f4), closes #​19203
• fix(deps): update all non-major dependencies (#​19098) (8639538), closes #​19098
• fix(optimizer): use correct default install state path for yarn PnP (#​19119) (e690d8b), closes #​19119
• fix(types): improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (ea53e70), closes #​19146
• chore(deps): update dependency pathe to v2 (#​19139) (71506f0), closes #​19139

v6.0.7

Compare Source

• fix: fix minify when builder.sharedPlugins: true (#​19025) (f7b1964), closes #​19025
• fix: skip the plugin if it has been called before with the same id and importer (#​19016) (b178c90), closes #​19016
• fix(html): error while removing vite-ignore attribute for inline script (#​19062) (a492253), closes #​19062
• fix(ssr): fix semicolon injection by ssr transform (#​19097) (1c102d5), closes #​19097
• perf: skip globbing for static path in warmup (#​19107) (677508b), closes #​19107
• feat(css): show lightningcss warnings (#​19076) (b07c036), closes #​19076

v6.0.6

Compare Source

• fix: replace runner-side path normalization with fetchModule-side resolve (#​18361) (9f10261), closes #​18361
• fix(css): resolve style tags in HTML files correctly for lightningcss (#​19001) (afff05c), closes #​19001
• fix(css): show correct error when unknown placeholder is used for CSS modules pattern in lightningcs (9290d85), closes #​19070
• fix(resolve): handle package.json with UTF-8 BOM (#​19000) (902567a), closes #​19000
• fix(ssrTransform): preserve line offset when transforming imports (#​19004) (1aa434e), closes #​19004
• chore: fix typo in comment (#​19067) (eb06ec3), closes #​19067
• chore: update comment about build.target (#​19047) (0e9e81f), closes #​19047
• revert: unpin esbuild version (#​19043) (8bfe247), closes #​19043
• test(ssr): test virtual module with query (#​19044) (a1f4b46), closes #​19044

v6.0.5

Compare Source

• fix: esbuild regression (pin to 0.24.0) (#​19027) (4359e0d), closes #​19027

v6.0.4

Compare Source

• fix: this.resolve skipSelf should not skip for different id or import (#​18903) (4727320), closes #​18903
• fix: fallback terser to main thread when function options are used (#​18987) (12b612d), closes #​18987
• fix: merge client and ssr values for pluginContainer.getModuleInfo (#​18895) (258cdd6), closes #​18895
• fix(css): escape double quotes in url() when lightningcss is used (#​18997) (3734f80), closes #​18997
• fix(css): root relative import in sass modern API on Windows (#​18945) (c4b532c), closes #​18945
• fix(css): skip non css in custom sass importer (#​18970) (21680bd), closes #​18970
• fix(deps): update all non-major dependencies (#​18967) (d88d000), closes #​18967
• fix(deps): update all non-major dependencies (#​18996) (2b4f115), closes #​18996
• fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#​18899) (8a6bb4e), closes #​18899
• fix(ssr): recreate ssrCompatModuleRunner on restart (#​18973) (7d6dd5d), closes #​18973
• chore: better validation error message for dts build (#​18948) (63b82f1), closes #​18948
• chore(deps): update all non-major dependencies (#​18916) (ef7a6a3), closes #​18916
• chore(deps): update dependency @​rollup/plugin-node-resolve to v16 (#​18968) (62fad6d), closes #​18968
• refactor: make internal invoke event to use the same interface with handleInvoke (#​18902) (27f691b), closes #​18902
• refactor: simplify manifest plugin code (#​18890) (1bfe21b), closes #​18890
• test: test ModuleRunnerTransport invoke API (#​18865) (e5f5301), closes #​18865
• test: test output hash changes (#​18898) (bfbb130), closes #​18898

v6.0.3

Compare Source

• fix: handle postcss load unhandled rejections (#​18886) (d5fb653), closes #​18886
• fix: make handleInvoke interface compatible with invoke (#​18876) (a1dd396), closes #​18876
• fix: make result interfaces for ModuleRunnerTransport#invoke more explicit (#​18851) (a75fc31), closes #​18851
• fix: merge environments.ssr.resolve with root ssr config (#​18857) (3104331), closes #​18857
• fix: no permission to create vite config file (#​18844) (ff47778), closes #​18844
• fix: remove CSS import in CJS correctly in some cases (#​18885) (690a36f), closes #​18885
• fix(config): bundle files referenced with imports field (#​18887) (2b5926a), closes #​18887
• fix(config): make stacktrace path correct when sourcemap is enabled (#​18833) (20fdf21), closes #​18833
• fix(css): rewrite url when image-set and url exist at the same time (#​18868) (d59efd8), closes #​18868
• fix(deps): update all non-major dependencies (#​18853) (5c02236), closes #​18853
• fix(html): allow unexpected question mark in tag name (#​18852) (1b54e50), closes #​18852
• fix(module-runner): decode uri for file url passed to import (#​18837) (88e49aa), closes #​18837
• refactor: fix logic errors found by no-unnecessary-condition rule (#​18891) (ea802f8), closes #​18891
• chore: fix duplicate attributes issue number in comment (#​18860) (ffee618), closes #​18860

v6.0.2

Compare Source

• chore: run typecheck in unit tests (#​18858) (49f20bb), closes #​18858
• chore: update broken links in changelog (#​18802) (cb754f8), closes #​18802
• chore: update broken links in changelog (#​18804) (47ec49f), closes #​18804
• fix: don't store temporary vite config file in node_modules if deno (#​18823) (a20267b), closes #​18823
• fix(css): referencing aliased svg asset with lightningcss enabled errored (#​18819) (ae68958), closes #​18819
• fix(manifest): use style.css as a key for the style file for cssCodesplit: false (#​18820) (ec51115), closes #​18820
• fix(optimizer): resolve all promises when cancelled (#​18826) (d6e6194), closes #​18826
• fix(resolve): don't set builtinModules to external by default (#​18821) (2250ffa), closes #​18821
• fix(ssr): set ssr.target: 'webworker' defaults as fallback (#​18827) (b39e696), closes #​18827
• feat(css): format lightningcss error (#​18818) (dac7992), closes #​18818
• refactor: make properties of ResolvedServerOptions and ResolvedPreviewOptions required (#​18796) (51a5569), closes #​18796

v6.0.1

Compare Source

• fix: preview.allowedHosts with specific values was not respected (#​19246) (aeb3ec8), closes #​19246
• fix: allow CORS from loopback addresses by default (#​19249) (3d03899), closes #​19249

v6.0.0

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

Breaking Changes

• feat!: drop node 21 support in version ranges (#​18729) (a384d8f), closes #​18729
• fix(deps)!: update dependency dotenv-expand to v12 (#​18697) (0c658de), closes #​18697
• feat(html)!: support more asset sources (#​11138) (8a7af50), closes #​11138
• feat(resolve)!: allow removing conditions (#​18395) (d002e7d), closes #​18395
• refactor!: remove fs.cachedChecks option (#​18493) (94b0857), closes #​18493
• feat!: proxy bypass with WebSocket (#​18070) (3c9836d), closes #​18070
• feat!: support file:// resolution (#​18422) (6a7e313), closes #​18422
• feat!: update to chokidar v4 (#​18453) (192d555), closes #​18453
• feat(lib)!: use package name for css output file name (#​18488) (61cbf6f), closes #​18488
• fix(css)!: remove default import in ssr dev (#​17922) (eccf663), closes #​17922
• chore(deps)!: update postcss-load-config to v6 (#​15235) (3a27f62), closes #​15235
• feat(css)!: change default sass api to modern/modern-compiler (#​17937) (d4e0442), closes #​17937
• feat(css)!: load postcss config within workspace root only (#​18440) (d23a493), closes #​18440
• feat(json)!: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7), closes #​18303
• fix!: default build.cssMinify to 'esbuild' for SSR (#​15637) (f1d3bf7), closes #​15637
• chore(deps)!: migrate fast-glob to tinyglobby (#​18243) (6f74a3a), closes #​18243
• refactor!: bump minimal terser version to 5.16.0 (#​18209) (19ce525), closes #​18209
• feat!: Environment API (#​16471) (242f550), closes #​16471

Features

• feat: add support for .cur type (#​18680) (5ec9eed), closes #​18680
• feat: enable HMR by default on ModuleRunner side (#​18749) (4d2abc7), closes #​18749
• feat: support module-sync condition when loading config if enabled (#​18650) (cf5028d), closes #​18650
• feat: add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0), closes #​18620
• feat: add ssr.resolve.mainFields option (#​18646) (a6f5f5b), closes #​18646
• feat: expose default mainFields/conditions (#​18648) (c12c653), closes #​18648
• feat: extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd), closes #​18544
• feat: show error when accessing variables not exposed in CJS build (#​18649) (87c5502), closes #​18649
• feat(optimizer): allow users to specify their esbuild platform option (#​18611) (0924879), closes #​18611
• refactor: introduce mergeWithDefaults and organize how default values for config options are set ( (0e1f437), closes #​18550
• build: ignore cjs warning (#​18660) (33b0d5a), closes #​18660
• feat: use a single transport for fetchModule and HMR support (#​18362) (78dc490), closes #​18362
• feat(asset): add ?inline and ?no-inline queries to control inlining (#​15454) (9162172), closes #​15454
• feat(asset): inline svg in dev if within limit (#​18581) (f08b146), closes #​18581
• feat: log complete config in debug mode (#​18289) (04f6736), closes #​18289
• feat(html): support vite-ignore attribute to opt-out of processing (#​18494) (d951310), closes #​18494
• feat: allow custom console in createLogger (#​18379) (0c497d9), closes #​18379
• feat: read sec-fetch-dest header to detect JS in transform (#​9981) (e51dc40), closes #​9981
• feat(css): add more stricter typing of lightningcss (#​18460) (b9b925e), closes #​18460
• feat: add .git to deny list by default (#​18382) (105ca12), closes #​18382
• feat: add environment::listen (#​18263) (4d5f51d), closes #​18263
• feat: enable dependencies discovery and pre-bundling in ssr environments (#​18358) (9b21f69), closes #​18358
• feat: restrict characters useable for environment name (#​18255) (9ab6180), closes #​18255
• feat: support arbitrary module namespace identifier imports from cjs deps (#​18236) (4389a91), closes #​18236
• feat: introduce RunnableDevEnvironment (#​18190) (fb292f2), closes #​18190
• feat: support this.environment in options and onLog hook (#​18142) (7722c06), closes #​18142
• feat: expose EnvironmentOptions type (#​18080) (35cf59c), closes #​18080
• feat(css): support es2023 build target for lightningcss (#​17998) (1a76300), closes #​17998

Performance

• perf: reduce bundle size for Object.keys(import.meta.glob(...)) / `Object.values(import.meta.glob( (ed99a2c), closes #​18666
• perf(worker): inline worker without base64 (#​18752) (90c66c9), closes #​18752
• perf: remove strip-ansi for a node built-in (#​18630) (5182272), closes #​18630
• perf(css): skip style.css extraction if code-split css (#​18470) (34fdb6b), closes #​18470
• perf: call module.enableCompileCache() (#​18323) (18f1dad), closes #​18323
• perf: use crypto.hash when available (#​18317) (2a14884), closes #​18317
• build: reduce package size (#​18517) (b83f60b), closes #​18517

Fixes

• fix: createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#​18673) (74221c3), closes #​18673
• fix: getModulesByFile should return a serverModule (#​18715) (b80d5ec), closes #​18715
• fix: catch error in full reload handler (#​18713) (a10e741), closes #​18713
• fix: display pre-transform error details (#​18764) (554f45f), closes #​18764
• fix: exit code on SIGTERM (#​18741) (cc55e36), closes #​18741
• fix: expose missing InterceptorOptions type (#​18766) (6252c60), closes #​18766
• fix: log error when send in module runner failed (#​18753) (ba821bb), closes #​18753
• fix(client): overlay not appearing when multiple vite clients were loaded (#​18647) (27d70b5), closes #​18647
• fix(deps): update all non-major dependencies (#​18691) (f005461), closes #​18691
• fix(html): fix inline proxy modules invalidation (#​18696) (8ab04b7), closes #​18696
• fix(module-runner): make evaluator optional (#​18672) (fd1283f), closes #​18672
• fix(optimizer): detect npm / yarn / pnpm dependency changes correctly (#​17336) (#​18560) (818cf3e), closes #​17336 #​18560
• fix(optimizer): trigger onCrawlEnd after manual included deps are registered (#​18733) (dc60410), closes #​18733
• fix(optimizer): workaround firefox's false warning for no sources source map (#​18665) (473424e), closes #​18665
• fix(ssr): replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#​18748) (94546be), closes #​18748
• refactor: first character judgment replacement regexp (#​18658) (58f1df3), closes #​18658
• refactor(resolve): remove allowLinkedExternal parameter from tryNodeResolve (#​18670) (b74d363), closes #​18670
• revert: use chokidar v3 (#​18659) (49783da), closes #​18659
• fix: cjs build for perEnvironmentState et al (#​18656) (95c4b3c), closes #​18656
• fix: include more modules to prefix-only module list (#​18667) (5a2103f), closes #​18667
• fix(html): externalize rollup.external scripts correctly (#​18618) (55461b4), closes #​18618
• fix(ssr): format ssrTransform parse error (#​18644) (d9be921), closes #​18644
• fix(ssr): preserve fetchModule error details (#​18626) (866a433), closes #​18626
• fix: browser field should not be included by default for consumer: 'server' (#​18575) (87b2347), closes #​18575
• fix: use server.perEnvironmentStartEndDuringDev (#​18549) (fe30349), closes #​18549
• fix(client): detect ws close correctly (#​18548) (637d31b), closes #​18548
• fix(resolve): run ensureVersionQuery for SSR (#​18591) (63207e5), closes #​18591
• refactor(resolve): remove environmentsOptions parameter (#​18590) (3ef0bf1), closes #​18590
• fix: allow nested dependency selector to be used for optimizeDeps.include for SSR (#​18506) (826c81a), closes #​18506
• fix: asset new URL(,import.meta.url) match (#​18194) (5286a90), closes #​18194
• fix: close watcher if it's disabled (#​18521) (85bd0e9), closes #​18521
• fix(config): write temporary vite config to node_modules (#​18509) (72eaef5), closes #​18509
• fix(css): cssCodeSplit uses the current environment configuration (#​18486) (eefe895), closes #​18486
• fix(json): don't json.stringify arrays (#​18541) (fa50b03), closes #​18541
• fix(less): prevent rebasing @import url(...) (#​17857) (aec5fdd), closes #​17857
• fix(lib): only resolve css bundle name if have styles (#​18530) (5d6dc49), closes #​18530
• fix(scss): improve error logs (#​18522) (3194a6a), closes #​18522
• refactor: client-only top-level warmup (#​18524) (a50ff60), closes #​18524
• fix: define in environment config was not working ([#​18515](https://redirect.github.com/vitejs/vite/

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

Scope: all 23 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
packages/browser                         |  WARN  deprecated eslint@8.57.0
Progress: resolved 28, reused 0, downloaded 0, added 0
packages/next-server-actions-sample      |  WARN  deprecated eslint@8.50.0
Progress: resolved 56, reused 0, downloaded 0, added 0
Progress: resolved 100, reused 0, downloaded 0, added 0
Progress: resolved 114, reused 0, downloaded 0, added 0
Progress: resolved 267, reused 0, downloaded 0, added 0
/tmp/renovate/repos/github/logto-io/js/packages/client:
 ERR_PNPM_FETCH_403  GET https://registry.npmjs.org/camelcase: Forbidden - 403

This error happened while installing the dependencies of camelcase-keys@9.1.3

No authorization header was set for the request.

No authorization settings were found in the configs.
Try to log in to the registry by running "pnpm login"
or add the auth tokens manually to the ~/.npmrc file.