chore(deps): update dependency vite to v6.0.13 [security] (#5121)

renovate[bot] · web-flow · commit c5fe9a24bdf2 · 2025-04-02T10:49:22.000+02:00
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.0.12` -> `6.0.13`](https://renovatebot.com/diffs/npm/vite/6.0.12/6.0.13) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.0.13?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.0.13?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.0.12/6.0.13?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.0.12/6.0.13?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. ### PoC ```bash $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev $ echo "top secret content" > /tmp/secret.txt # expected behaviour $ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt" <body> <h1>403 Restricted</h1> <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list. # security bypassed $ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??" export default "top secret content\n" //# sourceMappingURL=data:application/json;base64,eyJ2... ``` #### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@&#8203;fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@&#8203;fs/C:/windows/win.ini?import&?inline=1.wasm?init` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.0.13`](https://redirect.github.com/vitejs/vite/releases/tag/v6.0.13) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.0.12...v6.0.13) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.0.13/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Zurich, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/swisspost/design-system).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
diff --git a/packages/documentation/package.json b/packages/documentation/package.json
@@ -83,6 +83,6 @@
     "storybook": "8.4.7",
     "typescript": "5.8.2",
     "typescript-eslint": "8.20.0",
-    "vite": "6.0.12"
+    "vite": "6.0.13"
   }
 }
diff --git a/packages/styles/package.json b/packages/styles/package.json
@@ -70,7 +70,7 @@
     "stylelint-prettier": "5.0.2",
     "stylelint-scss": "6.10.0",
     "typescript": "5.8.2",
-    "vite": "6.0.12"
+    "vite": "6.0.13"
   },
   "sass": {
     "loadPaths": [
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,6 @@`
`83`	`83`	`"storybook": "8.4.7",`
`84`	`84`	`"typescript": "5.8.2",`
`85`	`85`	`"typescript-eslint": "8.20.0",`
`86`		`- "vite": "6.0.12"`
	`86`	`+ "vite": "6.0.13"`
`87`	`87`	`}`
`88`	`88`	`}`