chore: bump up @vitest/browser version to v3.0.4 [SECURITY] #9937

Merged 1 commit on Feb 5, 2025
chore: bump up @vitest/browser version to v3.0.4 [SECURITY] (#9937)
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@vitest/browser](https://redirect.github.com/vitest-dev/vitest/tree/main/packages/browser#readme) ([source](https://redirect.github.com/vitest-dev/vitest/tree/HEAD/packages/browser)) | [`3.0.2` -> `3.0.4`](https://renovatebot.com/diffs/npm/@vitest%2fbrowser/3.0.2/3.0.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@vitest%2fbrowser/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@vitest%2fbrowser/3.0.2/3.0.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-24963](https://redirect.github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5)

### Summary
The `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), an attacker can send a request to that handler remotely to get the content of arbitrary files.

### Details
This `__screenshot-error` handler on the browser mode HTTP server responds with any file on the file system.
https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130

This code was added by vitest-dev/vitest@2d62051.

### PoC
1. Create a directory and change the current directory to that directory
2. Run `npx vitest init browser`
3. Run `npm run test:browser`
4. Run `curl http://localhost:63315/__screenshot-error?file=/path/to/any/file`

### Impact
Users explicitly exposing the browser mode server to the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api) may get any files exposed.

---

### Release Notes

<details>
<summary>vitest-dev/vitest (@vitest/browser)</summary>

### [`v3.0.4`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.4)

[Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4)

##### 🐞 Bug Fixes

-   Filter projects eagerly during config resolution - by [@sheremet-va](https://redirect.github.com/sheremet-va) and [@AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7313](https://redirect.github.com/vitest-dev/vitest/issues/7313) [<samp>(dff44)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/dff4406d)
-   Apply `development|production` condition on Vite 6 by [@hi-ogawa](https://redirect.github.com/hi-ogawa) and [@sheremet-va](https://redirect.github.com/sheremet-va) ([#7301](https://redirect.github.com/vitest-dev/vitest/issues/7301)) [<samp>(ef146)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ef1464fc7b101709bfbf7b040e5bad62998c2ff9)
-   **browser**: Restrict served files from `/__screenshot-error` - by [@hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7340](https://redirect.github.com/vitest-dev/vitest/issues/7340) [<samp>(ed9ae)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ed9aeba2)
-   **deps**: Update all non-major dependencies - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7297](https://redirect.github.com/vitest-dev/vitest/issues/7297) [<samp>(38ea8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/38ea8eae)
-   **runner**: Timeout long sync hook - by [@hi-ogawa](https://redirect.github.com/hi-ogawa) in [https://github.com/vitest-dev/vitest/issues/7289](https://redirect.github.com/vitest-dev/vitest/issues/7289) [<samp>(c60ee)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/c60ee27c)
-   **typechecking**: Support typechecking parsing with Vite 6 - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7335](https://redirect.github.com/vitest-dev/vitest/issues/7335) [<samp>(bff70)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/bff70be9)
-   **types**: Fix public types - by [@mrginglymus](https://redirect.github.com/mrginglymus) and [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7328](https://redirect.github.com/vitest-dev/vitest/issues/7328) [<samp>(ce6af)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/ce6af70c)

##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.3...v3.0.4)

### [`v3.0.3`](https://redirect.github.com/vitest-dev/vitest/releases/tag/v3.0.3)

[Compare Source](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3)

##### 🐞 Bug Fixes

-   **browser**:
    -   Don't throw a validation error if v8 coverage is used with filtered instances - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7306](https://redirect.github.com/vitest-dev/vitest/issues/7306) [<samp>(fa463)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/fa4634b2)
    -   Don't fail when running --browser.headless if the browser project is part of the workspace - by [@sheremet-va](https://redirect.github.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/7311](https://redirect.github.com/vitest-dev/vitest/issues/7311) [<samp>(e43a8)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/e43a8f56)

##### 🏎 Performance

-   **reporters**: Update summary only when needed - by [@AriPerkkio](https://redirect.github.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/7291](https://redirect.github.com/vitest-dev/vitest/issues/7291) [<samp>(7f36b)</samp>](https://redirect.github.com/vitest-dev/vitest/commit/7f36b6f9)

##### [View changes on GitHub](https://redirect.github.com/vitest-dev/vitest/compare/v3.0.2...v3.0.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).
renovate[bot] committed Feb 5, 2025
commit 4a943d854e32686c7a50d483fc9e7c55f563d68b
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -64,7 +64,7 @@
"@types/node": "^22.0.0",
"@typescript-eslint/parser": "^8.18.0",
"@vanilla-extract/vite-plugin": "^5.0.0",
"@vitest/browser": "3.0.2",
"@vitest/browser": "3.0.4",
"@vitest/coverage-istanbul": "3.0.2",
"@vitest/ui": "3.0.2",
"cross-env": "^7.0.3",
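Review bot: the bump is partial: `@vitest/browser` moves to `3.0.4` while `@vitest/coverage-istanbul` and `@vitest/ui` on the next two lines stay at `3.0.2`, and the `vitest` package itself is not in this diff. The new `@vitest/browser@npm:3.0.4` lockfile entry declares an exact peer dependency `vitest: 3.0.4`, so unless `vitest` is already at that version the install will report an unmet peer dependency. Suggest bumping `vitest` and the other `@vitest/*` packages to the same patched version in this PR so the security fix lands in a consistent toolchain.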
64 changes: 42 additions & 22 deletions yarn.lock
Expand Up @@ -671,7 +671,7 @@ __metadata:
"@types/node": "npm:^22.0.0"
"@typescript-eslint/parser": "npm:^8.18.0"
"@vanilla-extract/vite-plugin": "npm:^5.0.0"
"@vitest/browser": "npm:3.0.2"
"@vitest/browser": "npm:3.0.4"
"@vitest/coverage-istanbul": "npm:3.0.2"
"@vitest/ui": "npm:3.0.2"
cross-env: "npm:^7.0.3"
Expand Down Expand Up @@ -14675,12 +14675,12 @@ __metadata:
languageName: node
linkType: hard

"@testing-library/user-event@npm:^14.6.0":
version: 14.6.0
resolution: "@testing-library/user-event@npm:14.6.0"
"@testing-library/user-event@npm:^14.6.1":
version: 14.6.1
resolution: "@testing-library/user-event@npm:14.6.1"
peerDependencies:
"@testing-library/dom": ">=7.21.4"
checksum: 10/01a7481642ceda10324ff5356e3cfd9c6131b0cecbcbdd5938096d4d3f8ce9e548e9b460ef35bad8f3649dc392c808044a5abd78de8218a4bc21c91125be85df
checksum: 10/34b74fff56a0447731a94b40d4cf246deb8dbc1c1e3aec93acd1c3377a760bb062e979f1572bb34ec164ad28ee2a391744b42d0d6d6cc16c4ce527e5e09610e1
languageName: node
linkType: hard

Expand Down Expand Up @@ -16279,22 +16279,22 @@ __metadata:
languageName: node
linkType: hard

"@vitest/browser@npm:3.0.2":
version: 3.0.2
resolution: "@vitest/browser@npm:3.0.2"
"@vitest/browser@npm:3.0.4":
version: 3.0.4
resolution: "@vitest/browser@npm:3.0.4"
dependencies:
"@testing-library/dom": "npm:^10.4.0"
"@testing-library/user-event": "npm:^14.6.0"
"@vitest/mocker": "npm:3.0.2"
"@vitest/utils": "npm:3.0.2"
"@testing-library/user-event": "npm:^14.6.1"
"@vitest/mocker": "npm:3.0.4"
"@vitest/utils": "npm:3.0.4"
magic-string: "npm:^0.30.17"
msw: "npm:^2.7.0"
sirv: "npm:^3.0.0"
tinyrainbow: "npm:^2.0.0"
ws: "npm:^8.18.0"
peerDependencies:
playwright: "*"
vitest: 3.0.2
vitest: 3.0.4
webdriverio: "*"
peerDependenciesMeta:
playwright:
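Review bot: the `peerDependencies` block keeps the exact-pin style (`vitest: 3.0.2` becomes `vitest: 3.0.4`), so this entry is satisfied by that single `vitest` release only, and the `vitest` resolution is not part of this diff; please verify it before merging. This hunk also raises the hard pins on `@vitest/mocker` and `@vitest/utils` to `3.0.4` and the `@testing-library/user-event` range to `^14.6.1`, which is what produces the remaining lockfile hunks; none of that appears in the PR description, so a one-line note in the commit message that the transitive `@vitest/*` and `user-event` entries were refreshed would help later readers of `git log`.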
Expand All @@ -16303,7 +16303,7 @@ __metadata:
optional: true
webdriverio:
optional: true
checksum: 10/b76a2db98332500c89c03b6ad6f829753b1fc8b39cf4927f314d56d38acd8259a9d8dc02590648011ab33b14b051238279c8adfcfa86a5189949af1b19a10c48
checksum: 10/23f7a60b7ea073ad06cf3145a3416e1dd53489f26db2a497ea55d2313943797e99af807c4c077b54baa670d4c87cf028daa334af78d4298d8da9f087505e9138
languageName: node
linkType: hard

Expand Down Expand Up @@ -16351,11 +16351,11 @@ __metadata:
languageName: node
linkType: hard

"@vitest/mocker@npm:3.0.2":
version: 3.0.2
resolution: "@vitest/mocker@npm:3.0.2"
"@vitest/mocker@npm:3.0.4":
version: 3.0.4
resolution: "@vitest/mocker@npm:3.0.4"
dependencies:
"@vitest/spy": "npm:3.0.2"
"@vitest/spy": "npm:3.0.4"
estree-walker: "npm:^3.0.3"
magic-string: "npm:^0.30.17"
peerDependencies:
Expand All @@ -16366,7 +16366,7 @@ __metadata:
optional: true
vite:
optional: true
checksum: 10/91f4315d1fec10e670e3cf4165a8b108c651af0f4f2089dc6de8e3f7739f3f3d08335cbec31865ea866a47434e5c879fb6348465efa90e24673197525f6459ce
checksum: 10/f6e7a57575271b1f9f4fd8671e0760a035c31620086b694f303815aba353864b2eb3c51f5c4506e5f618ab7584b9260035e0183a4f8d7a9947a30dc7ef91c5b6
languageName: node
linkType: hard

Expand Down Expand Up @@ -16416,6 +16416,15 @@ __metadata:
languageName: node
linkType: hard

"@vitest/pretty-format@npm:3.0.4":
version: 3.0.4
resolution: "@vitest/pretty-format@npm:3.0.4"
dependencies:
tinyrainbow: "npm:^2.0.0"
checksum: 10/8c54fc5df1e73339b5b81ad66d779c98af750a4f1609f47aecabc9af2e11620775d521ab183e9db8acf2cd018d7aa29d5fd9737bf2935369dd6f1306a6487b9f
languageName: node
linkType: hard

"@vitest/pretty-format@npm:3.0.5, @vitest/pretty-format@npm:^3.0.5":
version: 3.0.5
resolution: "@vitest/pretty-format@npm:3.0.5"
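Review bot: this adds `@vitest/pretty-format@npm:3.0.4` directly above the existing `@vitest/pretty-format@npm:3.0.5` entry instead of replacing it, so the lockfile now carries two versions of the package. The 3.0.4 copy is pulled in by the exact pin `"@vitest/pretty-format": "npm:3.0.4"` in the new `@vitest/utils@npm:3.0.4` entry, and exact pins cannot be collapsed by `yarn dedupe`; the duplicate goes away only once everything requesting `@vitest/*` packages is aligned on one version.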
Expand Down Expand Up @@ -16455,12 +16464,12 @@ __metadata:
languageName: node
linkType: hard

"@vitest/spy@npm:3.0.2":
version: 3.0.2
resolution: "@vitest/spy@npm:3.0.2"
"@vitest/spy@npm:3.0.4":
version: 3.0.4
resolution: "@vitest/spy@npm:3.0.4"
dependencies:
tinyspy: "npm:^3.0.2"
checksum: 10/19fe5b04f58d31074fd19086f239a84db437f3b816c0180bd7584a3ce47a77d2593546d8f2a62b33ba93c5a61045681d60cb2f840f08f0fee192a108e7c33620
checksum: 10/a2e03516e7f678120b03b1f1e95b587781e6c6c78781a2b37bd5b7706fb57a99f127d46d337db14477673aa811027730fe5fb5af68f03fde7e65050293810e67
languageName: node
linkType: hard

Expand Down Expand Up @@ -16513,6 +16522,17 @@ __metadata:
languageName: node
linkType: hard

"@vitest/utils@npm:3.0.4":
version: 3.0.4
resolution: "@vitest/utils@npm:3.0.4"
dependencies:
"@vitest/pretty-format": "npm:3.0.4"
loupe: "npm:^3.1.2"
tinyrainbow: "npm:^2.0.0"
checksum: 10/68132cc059ac0db29e325b3e8a1ac6e0a99ea8a2d6d214bb4dc6399c3de0ffe78c42b13c733cc775a78d7ee1e7e3dcd67f75b7c35e5c28e3825cabf4ec7c50dc
languageName: node
linkType: hard

"@vitest/utils@npm:3.0.5":
version: 3.0.5
resolution: "@vitest/utils@npm:3.0.5"
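Review bot: `@vitest/utils@npm:3.0.4` is likewise added beside the existing `@vitest/utils@npm:3.0.5` rather than replacing it, the second duplicated `@vitest/*` helper this update introduces. Since `@vitest/browser@npm:3.0.4` pins `"@vitest/utils": "npm:3.0.4"` exactly while another dependent in this lockfile resolves 3.0.5, two copies will be installed; aligning `@vitest/browser` and its `vitest` peer with the 3.0.5 line that `@vitest/utils` and `@vitest/pretty-format` already resolve to elsewhere in this file would collapse both duplicates.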