URGENT: Fix security bug Vitest 2.1.4 [Vulnerability CVE-2025-24964] #833
Replies: 1 comment 4 replies
-
|
Thanks, updated. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for this fix. But there's no Tag or Release, it was just fixed in the branch 2.x. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah vitest is just a dev dependency so it's not installed when people install Ziggy, I don't think we need a release because for end users nothing changes right. |
Beta Was this translation helpful? Give feedback.
-
|
But when I use dependency check on a laravel project, even it's in vendor I still get package vulnerability. |
Beta Was this translation helpful? Give feedback.
-
|
Not sure what dependency check you're doing but vitest doesn't get installed when you install Ziggy so you're fine. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
I wanted to fix a security bug in Vitest, but I couldn't open an issue.
So, the problem is that the Vitest version used in the package is 2.1.4, which contains a vulnerability reported in GHSA-9crc-q9x8-hgqq .
The solution is to upgrade to version >=2.1.9,<3.0.0 by changing the configuration in package.json.
I hope I haven't missed anything.
Thanks,
Beta Was this translation helpful? Give feedback.
All reactions