Update dependency @vitest/browser from v3.0.2 to v3.0.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@vitest/browser (source)	3.0.2 -> 3.0.4

GitHub Vulnerability Alerts

CVE-2025-24963

Summary

__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.

Details

This __screenshot-error handler on the browser mode HTTP server responds any file on the file system.
https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

This code was added by vitest-dev/vitest@2d62051.

PoC

1. Create a directory and change the current directory to that directory
2. Run npx vitest init browser
3. Run npm run test:browser
4. Run curl http://localhost:63315/__screenshot-error?file=/path/to/any/file

Impact

Users explicitly exposing the browser mode server to the network by browser.api.host: true may get any files exposed.

---

Release Notes

vitest-dev/vitest (@​vitest/browser)

v3.0.4

Compare Source

   🐞 Bug Fixes

• Filter projects eagerly during config resolution  -  by @​sheremet-va and @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7313 (dff44)
• Apply development|production condition on Vites 6 by @​hi-ogawa and @​sheremet-va (#​7301) (ef146)
• browser: Restrict served files from /__screenshot-error  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7340 (ed9ae)
• deps: Update all non-major dependencies  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7297 (38ea8)
• runner: Timeout long sync hook  -  by @​hi-ogawa in https://github.com/vitest-dev/vitest/issues/7289 (c60ee)
• typechecking: Support typechecking parsing with Vite 6  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7335 (bff70)
• types: Fix public types  -  by @​mrginglymus and @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7328 (ce6af)

    View changes on GitHub

v3.0.3

Compare Source

   🐞 Bug Fixes

• browser:
  • Don't throw a validation error if v8 coverage is used with filtered instances  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7306 (fa463)
  • Don't fail when running --browser.headless if the browser projest is part of the workspace  -  by @​sheremet-va in https://github.com/vitest-dev/vitest/issues/7311 (e43a8)

   🏎 Performance

• reporters: Update summary only when needed  -  by @​AriPerkkio in https://github.com/vitest-dev/vitest/issues/7291 (7f36b)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.