Update dependency @vitest/browser from v3.0.2 to v3.0.4 [SECURITY] (#…

…3748) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@vitest/browser](https://redirect.github.com/vitest-dev/vitest/tree/main/packages/browser#readme) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/browser)) | [`3.0.2` -> `3.0.4`](https://renovatebot.com/diffs/npm/@vitest%2fbrowser/3.0.2/3.0.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-24963](https://redirect.github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5) ### Summary `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), an attacker can send a request to that handler from remote to get the content of arbitrary files. ### Details This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130 This code was added by vitest-dev/vitest@2d62051. ### PoC 1. Create a directory and change the current directory to that directory 1. Run `npx vitest init browser` 1. Run `npm run test:browser` 2. Run `curl http://localhost:63315/__screenshot-error?file=/path/to/any/file` ### Impact Users explicitly exposing the browser mode server to the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api) may get any files exposed. --- ### Release Notes <details> <summary>vitest-dev/vitest (@vitest/browser)</summary> ### [`v3.0.4`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.4) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4) ##### 🐞 Bug Fixes - Filter projects eagerly during config resolution - by [@sheremet-va](https://redirect.github.com/sheremet-va) and [@AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7313](https://redirect.github.com/vitest-dev/vitest/issues/7313) [<samp>(dff44)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/dff4406d) - Apply `development|production` condition on Vites 6 by [@hi-ogawa](https://redirect.github.com/hi-ogawa) and [@sheremet-va](https://redirect.github.com/sheremet-va) ([#7301](https://redirect.github.com/vitest-dev/vitest/issues/7301)) [<samp>(ef146)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ef1464fc7b101709bfbf7b040e5bad62998c2ff9) - **browser**: Restrict served files from `/__screenshot-error` - by [@hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7340](https://redirect.github.com/vitest-dev/vitest/issues/7340) [<samp>(ed9ae)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ed9aeba2) - **deps**: Update all non-major dependencies - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7297](https://redirect.github.com/vitest-dev/vitest/issues/7297) [<samp>(38ea8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/38ea8eae) - **runner**: Timeout long sync hook - by [@hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7289](https://redirect.github.com/vitest-dev/vitest/issues/7289) [<samp>(c60ee)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/c60ee27c) - **typechecking**: Support typechecking parsing with Vite 6 - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7335](https://redirect.github.com/vitest-dev/vitest/issues/7335) [<samp>(bff70)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/bff70be9) - **types**: Fix public types - by [@mrginglymus](https://redirect.github.com/mrginglymus) and [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7328](https://redirect.github.com/vitest-dev/vitest/issues/7328) [<samp>(ce6af)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ce6af70c) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4) ### [`v3.0.3`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.3) [Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3) ##### 🐞 Bug Fixes - **browser**: - Don't throw a validation error if v8 coverage is used with filtered instances - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7306](https://redirect.github.com/vitest-dev/vitest/issues/7306) [<samp>(fa463)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/fa4634b2) - Don't fail when running --browser.headless if the browser projest is part of the workspace - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7311](https://redirect.github.com/vitest-dev/vitest/issues/7311) [<samp>(e43a8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e43a8f56) ##### 🏎 Performance - **reporters**: Update summary only when needed - by [@AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7291](https://redirect.github.com/vitest-dev/vitest/issues/7291) [<samp>(7f36b)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/7f36b6f9) ##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/mong/mongts).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
mong · Feb 5, 2025 · 62e5e2c · 62e5e2c
1 parent 475951f
commit 62e5e2c
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 14 deletions.
diff --git a/apps/skde/package.json b/apps/skde/package.json
@@ -70,7 +70,7 @@
     "@types/node": "22.13.1",
     "@types/react": "18.3.18",
     "@vitejs/plugin-react": "4.3.4",
-    "@vitest/browser": "3.0.2",
+    "@vitest/browser": "3.0.4",
     "@vitest/coverage-v8": "3.0.2",
     "cypress": "14.0.1",
     "eslint": "9.19.0",

diff --git a/yarn.lock b/yarn.lock
@@ -5239,12 +5239,12 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@testing-library/user-event@npm:^14.6.0":
-  version: 14.6.0
-  resolution: "@testing-library/user-event@npm:14.6.0"
+"@testing-library/user-event@npm:^14.6.1":
+  version: 14.6.1
+  resolution: "@testing-library/user-event@npm:14.6.1"
   peerDependencies:
     "@testing-library/dom": ">=7.21.4"
-  checksum: 10/01a7481642ceda10324ff5356e3cfd9c6131b0cecbcbdd5938096d4d3f8ce9e548e9b460ef35bad8f3649dc392c808044a5abd78de8218a4bc21c91125be85df
+  checksum: 10/34b74fff56a0447731a94b40d4cf246deb8dbc1c1e3aec93acd1c3377a760bb062e979f1572bb34ec164ad28ee2a391744b42d0d6d6cc16c4ce527e5e09610e1
   languageName: node
   linkType: hard
 
@@ -6988,22 +6988,22 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@vitest/browser@npm:3.0.2":
-  version: 3.0.2
-  resolution: "@vitest/browser@npm:3.0.2"
+"@vitest/browser@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/browser@npm:3.0.4"
   dependencies:
     "@testing-library/dom": "npm:^10.4.0"
-    "@testing-library/user-event": "npm:^14.6.0"
-    "@vitest/mocker": "npm:3.0.2"
-    "@vitest/utils": "npm:3.0.2"
+    "@testing-library/user-event": "npm:^14.6.1"
+    "@vitest/mocker": "npm:3.0.4"
+    "@vitest/utils": "npm:3.0.4"
     magic-string: "npm:^0.30.17"
     msw: "npm:^2.7.0"
     sirv: "npm:^3.0.0"
     tinyrainbow: "npm:^2.0.0"
     ws: "npm:^8.18.0"
   peerDependencies:
     playwright: "*"
-    vitest: 3.0.2
+    vitest: 3.0.4
     webdriverio: "*"
   peerDependenciesMeta:
     playwright:
@@ -7012,7 +7012,7 @@ __metadata:
       optional: true
     webdriverio:
       optional: true
-  checksum: 10/b76a2db98332500c89c03b6ad6f829753b1fc8b39cf4927f314d56d38acd8259a9d8dc02590648011ab33b14b051238279c8adfcfa86a5189949af1b19a10c48
+  checksum: 10/23f7a60b7ea073ad06cf3145a3416e1dd53489f26db2a497ea55d2313943797e99af807c4c077b54baa670d4c87cf028daa334af78d4298d8da9f087505e9138
   languageName: node
   linkType: hard
 
@@ -7073,6 +7073,25 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/mocker@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/mocker@npm:3.0.4"
+  dependencies:
+    "@vitest/spy": "npm:3.0.4"
+    estree-walker: "npm:^3.0.3"
+    magic-string: "npm:^0.30.17"
+  peerDependencies:
+    msw: ^2.4.9
+    vite: ^5.0.0 || ^6.0.0
+  peerDependenciesMeta:
+    msw:
+      optional: true
+    vite:
+      optional: true
+  checksum: 10/f6e7a57575271b1f9f4fd8671e0760a035c31620086b694f303815aba353864b2eb3c51f5c4506e5f618ab7584b9260035e0183a4f8d7a9947a30dc7ef91c5b6
+  languageName: node
+  linkType: hard
+
 "@vitest/pretty-format@npm:3.0.2, @vitest/pretty-format@npm:^3.0.2":
   version: 3.0.2
   resolution: "@vitest/pretty-format@npm:3.0.2"
@@ -7082,6 +7101,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/pretty-format@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/pretty-format@npm:3.0.4"
+  dependencies:
+    tinyrainbow: "npm:^2.0.0"
+  checksum: 10/8c54fc5df1e73339b5b81ad66d779c98af750a4f1609f47aecabc9af2e11620775d521ab183e9db8acf2cd018d7aa29d5fd9737bf2935369dd6f1306a6487b9f
+  languageName: node
+  linkType: hard
+
 "@vitest/runner@npm:3.0.2":
   version: 3.0.2
   resolution: "@vitest/runner@npm:3.0.2"
@@ -7112,6 +7140,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/spy@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/spy@npm:3.0.4"
+  dependencies:
+    tinyspy: "npm:^3.0.2"
+  checksum: 10/a2e03516e7f678120b03b1f1e95b587781e6c6c78781a2b37bd5b7706fb57a99f127d46d337db14477673aa811027730fe5fb5af68f03fde7e65050293810e67
+  languageName: node
+  linkType: hard
+
 "@vitest/utils@npm:3.0.2":
   version: 3.0.2
   resolution: "@vitest/utils@npm:3.0.2"
@@ -7123,6 +7160,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@vitest/utils@npm:3.0.4":
+  version: 3.0.4
+  resolution: "@vitest/utils@npm:3.0.4"
+  dependencies:
+    "@vitest/pretty-format": "npm:3.0.4"
+    loupe: "npm:^3.1.2"
+    tinyrainbow: "npm:^2.0.0"
+  checksum: 10/68132cc059ac0db29e325b3e8a1ac6e0a99ea8a2d6d214bb4dc6399c3de0ffe78c42b13c733cc775a78d7ee1e7e3dcd67f75b7c35e5c28e3825cabf4ec7c50dc
+  languageName: node
+  linkType: hard
+
 "@webassemblyjs/ast@npm:1.11.6, @webassemblyjs/ast@npm:^1.11.5":
   version: 1.11.6
   resolution: "@webassemblyjs/ast@npm:1.11.6"
@@ -23444,7 +23492,7 @@ __metadata:
     "@visx/scale": "npm:3.12.0"
     "@visx/xychart": "npm:3.12.0"
     "@vitejs/plugin-react": "npm:4.3.4"
-    "@vitest/browser": "npm:3.0.2"
+    "@vitest/browser": "npm:3.0.4"
     "@vitest/coverage-v8": "npm:3.0.2"
     cypress: "npm:14.0.1"
     d3-array: "npm:3.2.4"