chore(deps): update dependency vite to v6.2.7 [security] (v2)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.2.6 -> 6.2.7

GitHub Vulnerability Alerts

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.2.7

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Package Changes Through ffb09b6

There are 9 changes which include deep-link with minor, deep-link-js with minor, single-instance with patch, fs with minor, fs-js with minor, http with patch, http-js with patch, opener with patch, opener-js with patch

Planned Package Versions

The following package releases are the planned based on the context of changes in this pull request.

package	current	next
api-example	2.0.25	2.0.26
api-example-js	2.0.21	2.0.22
deep-link-example-js	2.2.1	2.2.2
deep-link	2.2.1	2.3.0
deep-link-js	2.2.1	2.3.0
fs	2.2.1	2.3.0
fs-js	2.2.1	2.3.0
dialog	2.2.1	2.2.2
dialog-js	2.2.1	2.2.2
opener	2.2.6	2.2.7
opener-js	2.2.6	2.2.7
http	2.4.3	2.4.4
http-js	2.4.3	2.4.4
persisted-scope	2.2.1	2.2.2
single-instance	2.2.3	2.2.4

Add another change file through the GitHub UI by following this link.

---

Read about change files or the docs at github.com/jbolda/covector

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​iconify-json/​codicon@​1.2.12 ⏵ 1.2.15	-1
	vite@​6.2.6 ⏵ 6.3.4
	svelte@​5.20.4 ⏵ 5.28.2				-1

View full report