chore: Update dependency vite to v6.1.6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.0.11 -> 6.1.6

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.1.6

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.5

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

• fix: ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e), closes #​19453
• fix: ignore *.ipv4 address in cert (#​19416) (973283b), closes #​19416
• fix(css): run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a), closes #​19371
• fix(deps): bump tsconfck (#​19375) (746a583), closes #​19375
• fix(deps): update all non-major dependencies (#​19392) (60456a5), closes #​19392
• fix(deps): update all non-major dependencies (#​19440) (ccac73d), closes #​19440
• fix(html): ignore malformed src attrs (#​19397) (aff7812), closes #​19397
• fix(worker): fix web worker type detection (#​19462) (edc65ea), closes #​19462
• refactor: remove custom .jxl mime (#​19457) (0c85464), closes #​19457
• feat: add support for injecting debug IDs (#​18763) (0ff556a), closes #​18763
• chore: update 6.1.0 changelog (#​19363) (fa7c211), closes #​19363

v6.1.0

Compare Source

Features

• feat: show hosts in cert in CLI (#​19317) (a5e306f), closes #​19317
• feat: support for env var for defining allowed hosts (#​19325) (4d88f6c), closes #​19325
• feat: use native runtime to import the config (#​19178) (7c2a794), closes #​19178
• feat: print port in the logged error message after failed WS connection with EADDRINUSE (#​19212) (14027b0), closes #​19212
• perf(css): only run postcss when needed (#​19061) (30194fa), closes #​19061
• feat: add support for .jxl (#​18855) (57b397c), closes #​18855
• feat: add the builtins environment resolve (#​18584) (2c2d521), closes #​18584
• feat: call Logger for plugin logs in build (#​13757) (bf3e410), closes #​13757
• feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#​19259) (dc8946b), closes #​19259
• feat: expose createServerModuleRunnerTransport (#​18730) (8c24ee4), closes #​18730
• feat: support async for proxy.bypass (#​18940) (a6b9587), closes #​18940
• feat: support log related functions in dev (#​18922) (3766004), closes #​18922
• feat: use module runner to import the config (#​18637) (b7e0e42), closes #​18637
• feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#​19072) (caad985), closes #​19072
• feat(optimizer): support bun text lockfile (#​18403) (05b005f), closes #​18403
• feat(reporter): add wasm to the compressible assets regex (#​19085) (ce84142), closes #​19085
• feat(worker): support dynamic worker option fields (#​19010) (d0c3523), closes #​19010

Fixes

• fix: avoid builtStart during vite optimize (#​19356) (fdb36e0), closes #​19356
• fix(build): fix stale build manifest on watch rebuild (#​19361) (fcd5785), closes #​19361
• fix: allow expanding env vars in reverse order (#​19352) (3f5f2bd), closes #​19352
• fix: avoid packageJson without name in resolveLibCssFilename (#​19324) (f183bdf), closes #​19324
• fix(html): fix css disorder when building multiple entry html (#​19143) (e7b4ba3), closes #​19143
• fix: don't call buildStart hooks for vite optimize (#​19347) (19ffad0), closes #​19347
• fix: don't call next middleware if user sent response in proxy.bypass (#​19318) (7e6364d), closes #​19318
• fix: respect top-level server.preTransformRequests (#​19272) (12aaa58), closes #​19272
• fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#​19313) (9fc31b6), closes #​19313
• fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #​19268) (#​19269) (602b373), closes #​19268 #​19269
• fix(deps): update all non-major dependencies (#​19296) (2bea7ce), closes #​19296
• fix(resolve): preserve hash/search of file url (#​19300) (d1e1b24), closes #​19300
• fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#​19312) (b7aba0b), closes #​19312
• fix(ssr): fix transform error due to export all id scope (#​19331) (e28bce2), closes #​19331
• fix(ssr): pretty print plugin error in ssrLoadModule (#​19290) (353c467), closes #​19290
• fix: change ResolvedConfig type to interface to allow extending it (#​19210) (bc851e3), closes #​19210
• fix: correctly resolve hmr dep ids and fallback to url (#​18840) (b84498b), closes #​18840
• fix: make --force work for all environments (#​18901) (51a42c6), closes #​18901
• fix: use loc.file from rollup errors if available (#​19222) (ce3fe23), closes #​19222
• fix(deps): update all non-major dependencies (#​19190) (f2c07db), closes #​19190
• fix(hmr): register inlined assets as a dependency of CSS file (#​18979) (eb22a74), closes #​18979
• fix(resolve): support resolving TS files by JS extension specifiers in JS files (#​18889) (612332b), closes #​18889
• fix(ssr): combine empty source mappings (#​19226) (ba03da2), closes #​19226
• fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #​19245, fix #​1 (56ad2be), closes #​19245 #​18875 #​19247

Chore

• refactor: deprecate vite optimize command (#​19348) (6e0e3c0), closes #​19348
• chore: update deprecate links domain (#​19353) (2b2299c), closes #​19353
• docs: rephrase browser range and features relation (#​19286) (97569ef), closes #​19286
• docs: update build.manifest jsdocs (#​19332) (4583781), closes #​19332
• chore: remove outdated code comment about scanImports not being used in ssr (#​19285) (fbbc6da), closes #​19285
• chore: unneeded name in lockfileFormats (#​19275) (96092cb), closes #​19275
• chore(deps): update dependency strip-literal to v3 (#​19231) (1172d65), closes #​19231

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.15

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.