Update dependency vitest to v3.2.6 [SECURITY]#779
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a208dcc451
About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| "size-limit": "^11.2.0", | ||
| "viem": "^2.33.2", | ||
| "vitest": "^3.1.3" | ||
| "vitest": "^4.0.0" |
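Review bot: the range in this hunk jumps from ^3.1.3 to ^4.0.0, a major upgrade, while the PR title and the advisory's fixed version are 3.2.6; for a security-driven update, a range that lands on 3.2.6 is the smaller change, and if a Vitest 4 migration is really intended, the @vitest/coverage-v8 dependency, which is not part of this hunk, has to move to the same major in the same commit, because the coverage job loads that provider against whatever vitest resolves to.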
Update Vitest coverage provider with Vitest
In the vitest workspaces, CI runs run test --coverage in .github/workflows/ci.yml lines 236-241, so this bump also needs the V8 coverage provider to be on Vitest 4. Yarn already reports the new vitest@4.1.8 peer request as unmet because these packages still install @vitest/coverage-v8@3.1.3 from yarn.lock; when the coverage job appends --coverage, Vitest loads that incompatible 3.x provider. Please bump @vitest/coverage-v8 to the matching 4.x range in core/actions/viem-account-ledger along with this Vitest major upgrade.
size-limit report
Codecov Report
All modified and coverable lines are covered by tests. Additional details and impacted files:

@@ Coverage Diff @@
## master #779 +/- ##
==========================================
- Coverage 68.99% 67.28% -1.71%
==========================================
Files 97 135 +38
Lines 4438 7419 +2981
Branches 973 1382 +409
==========================================
+ Hits 3062 4992 +1930
- Misses 1307 2357 +1050
- Partials 69 70 +1
a208dcc to b507fbd
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
b507fbd to 154d213
Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 154d213baa
| "vitest@npm:^3.1.3": | ||
| version: 3.1.3 | ||
| resolution: "vitest@npm:3.1.3" | ||
| dependencies: | ||
| "@vitest/expect": "npm:3.1.3" | ||
| "@vitest/mocker": "npm:3.1.3" | ||
| "@vitest/pretty-format": "npm:^3.1.3" | ||
| "@vitest/runner": "npm:3.1.3" | ||
| "@vitest/snapshot": "npm:3.1.3" | ||
| "@vitest/spy": "npm:3.1.3" | ||
| "@vitest/utils": "npm:3.1.3" | ||
| version: 3.2.6 | ||
| resolution: "vitest@npm:3.2.6" |
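Review bot: the resolution in this hunk moves to 3.2.6, but the visible dependencies block of the same entry still lists @vitest/expect, @vitest/mocker, @vitest/runner, @vitest/snapshot, @vitest/spy and @vitest/utils pinned at exactly npm:3.1.3; since vitest pins its internal packages to its own exact version, please confirm the full lockfile diff re-resolves those entries to 3.2.6 (the PR summary states the @vitest packages go to 3.2.6) rather than leaving a 3.2.6 core wired to 3.1.3 internals, and that the lockfile was regenerated by the package manager rather than edited by hand.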
Bump coverage provider with Vitest
When CI runs .github/workflows/ci.yml's Vitest coverage job with run test --coverage, Vitest loads @vitest/coverage-v8; this lockfile now resolves vitest@npm:^3.1.3 to 3.2.6 while @vitest/coverage-v8 remains at 3.1.3 with a peer on exactly Vitest 3.1.3, and local Yarn 4 reports YN0060 for that mismatch during install. Fresh evidence: the current diff is the hunk that moves Vitest to 3.2.6, so the coverage job will use mismatched packages unless the coverage provider is bumped to the same 3.2.6 patch in the Vitest workspaces.
This PR contains the following updates:
3.1.3 → 3.2.6
When Vitest UI server is listening, arbitrary file can be read and executed
CVE-2026-47429 / GHSA-5xrq-8626-4rwp
Summary
Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.
Impact
Only users that match either of the following conditions are affected:
- --api.host or api.host config option
Details
The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly. https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation. Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist. A similar problem exists in other places as well.
That said, this isFileServingAllowed check does not actually prevent the API from being abused. Since the API has a rerun feature and a file write feature, it's possible to run an arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there are readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.
PoC
curl http://localhost:51204/__vitest__/
curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
secret.txt that is outside the project directory
Mitigations
Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients. When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.
Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v3.2.6 (Compare Source)
v3.2.5 (Compare Source)
v3.2.4 (Compare Source)
Bug Fixes
- vitest run --watch should be watch-mode - by @AriPerkkio in #8128 (657e8)
- --shard x/<count> exceeds count of test files - by @AriPerkkio in #8112 (8a18c)
- minWorkers when only maxWorkers specified - by @AriPerkkio in #8110 (14dc0)
- task.meta should be available in custom reporter's errors - by @AriPerkkio in #8115 (27df6)
View changes on GitHub
v3.2.3 (Compare Source)
Features
Bug Fixes
- expect.any return type - by @sheremet-va in #8129 (47514)
- process.send() - by @AriPerkkio in #8125 (dfe81)
View changes on GitHub
v3.2.2 (Compare Source)
Features
Bug Fixes
- createTesters call on the main thread - by @sheremet-va in #8101 (142c7)
- vitest-browser-* packages - by @sheremet-va in #8103 (247ef)
- toEqual - by @dubzzz in #8094 (02ec8)
- dot reporter to work in non interactive terminals - by @bstephen1 and @AriPerkkio in #7994 (6db9f)
View changes on GitHub
v3.2.1 (Compare Source)
Bug Fixes
- DeeplyAllowMatchers - by @sheremet-va in #8078 (30ab4)
View changes on GitHub
v3.2.0 (Compare Source)
Features
- ctx.signal - by @sheremet-va in #7878 (e761f)
- test.name - by @AriPerkkio in #7809 (4af5d)
- vi.mockObject to automock any object - by @hi-ogawa and @sheremet-va in #7761 (465bd)
- watchTriggerPatterns option - by @sheremet-va in #7778 (a0675)
- workspace in favor of projects - by @sheremet-va and @AriPerkkio in #7923 (41beb)
- sequence.groupOrder option - by @sheremet-va in #7852 (d1a1d)
- connect option for playwright browser provider - by @egfx-notifications and @sheremet-va in #7915 (029c0)
- screenshot.save option - by @sheremet-va in #7777 (d9f51)
- onWritePath option to github-actions - by @nwalters512 and @AriPerkkio in #8015 (abd3b)
Bug Fixes
- micromatch with picomatch - by @sapphi-red in #7951 (df076)
- any types to AsymmetricMatcher<unknown>, with DeeplyAllowMatchers<T> - by @JoshuaKGoldberg in #7016 (8ec44)
- stack properties - by @sheremet-va in #7995 (330f9)
- toJSON serialisation - by @sheremet-va in #8053 (3bdf0)
- upload files relative to the project root - by @sheremet-va in #8042 (b9a31)
- this type to locators.extend - by @sheremet-va in #8069 (70fb0)
- --silent values properly - by @AriPerkkio in #8055 (8fad7)
- @types/chai - by @hi-ogawa in #7937 (525f5)
- vitest list command - by @sheremet-va in #7933 (ba6da)
- __vite_ssr_exportName__ - by @hi-ogawa in #7925 (76091)
- getWorkerMemoryLimit priority for vmForks - by @pengooseDev in #7960 (5a91e)
View changes on GitHub
v3.1.4 (Compare Source)
Bug Fixes
View changes on GitHub
Configuration
Schedule: (UTC)
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
PR-Codex overview
This PR primarily updates the versions of various packages in the yarn.lock file, including @esbuild, @rollup, and @vitest, among others. It introduces new versions with specific conditions for different operating systems and architectures.
Detailed summary
- @esbuild packages (e.g., 0.27.7).
- @rollup packages to version 4.62.0.
- @vitest packages to version 3.2.6.
- debug, fdir, and picomatch.