chore(deps): update dependency vite to v6.1.3 [security] (#3900)

renovate[bot] · web-flow · commit d0bbf662e528 · 2025-03-31T22:02:41.000Z
This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.1.2` -> `6.1.3`](https://renovatebot.com/diffs/npm/vite/6.1.2/6.1.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.1.2/6.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.1.2/6.1.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-31125](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8) ### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected. ### Details - base64 encoded content of non-allowed files is exposed using `?inline&import` (originally reported as `?import&?inline=1.wasm?init`) - content of non-allowed files is exposed using `?raw?import` `/@&#8203;fs/` isn't needed to reproduce the issue for files inside the project root. ### PoC Original report (check details above for simplified cases): The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice ``` $ npm create vite@latest $ cd vite-project/ $ npm install $ npm run dev ``` Example full URL `http://localhost:5173/@&#8203;fs/C:/windows/win.ini?import&?inline=1.wasm?init` --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v6.1.3`](https://redirect.github.com/vitejs/vite/releases/tag/v6.1.3) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.1.2...v6.1.3) Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.1.3/packages/vite/CHANGELOG.md) for details. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/TanStack/router).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
diff --git a/examples/react/start-large/package.json b/examples/react/start-large/package.json
@@ -30,7 +30,7 @@
     "autoprefixer": "^10.4.20",
     "tailwindcss": "^3.4.17",
     "typescript": "^5.7.2",
-    "vite": "6.1.2",
+    "vite": "6.1.3",
     "vite-tsconfig-paths": "^5.1.4"
   },
   "keywords": [],
diff --git a/examples/solid/start-basic/package.json b/examples/solid/start-basic/package.json
@@ -15,7 +15,7 @@
     "solid-js": "^1.9.5",
     "redaxios": "^0.5.1",
     "tailwind-merge": "^2.6.0",
-    "vite": "6.1.2",
+    "vite": "6.1.3",
     "vinxi": "0.5.3"
   },
   "devDependencies": {
diff --git a/package.json b/package.json
@@ -57,7 +57,7 @@
     "rimraf": "^6.0.1",
     "tinyglobby": "^0.2.12",
     "typescript": "^5.8.2",
-    "vite": "6.1.2",
+    "vite": "6.1.3",
     "vitest": "^3.0.6",
     "typescript53": "npm:typescript@5.3",
     "typescript54": "npm:typescript@5.4",
diff --git a/packages/directive-functions-plugin/package.json b/packages/directive-functions-plugin/package.json
@@ -76,7 +76,7 @@
     "babel-dead-code-elimination": "^1.0.10",
     "dedent": "^1.5.3",
     "tiny-invariant": "^1.3.3",
-    "vite": "6.1.2"
+    "vite": "6.1.3"
   },
   "devDependencies": {
     "@types/babel__code-frame": "^7.0.6",
diff --git a/packages/react-start-plugin/package.json b/packages/react-start-plugin/package.json
@@ -75,7 +75,7 @@
     "@tanstack/router-utils": "workspace:^",
     "babel-dead-code-elimination": "^1.0.10",
     "tiny-invariant": "^1.3.3",
-    "vite": "6.1.2"
+    "vite": "6.1.3"
   },
   "devDependencies": {
     "@types/babel__code-frame": "^7.0.6",
diff --git a/packages/solid-start-plugin/package.json b/packages/solid-start-plugin/package.json
@@ -75,7 +75,7 @@
     "@tanstack/router-utils": "workspace:^",
     "babel-dead-code-elimination": "^1.0.9",
     "tiny-invariant": "^1.3.3",
-    "vite": "6.1.2"
+    "vite": "6.1.3"
   },
   "devDependencies": {
     "@types/babel__code-frame": "^7.0.6",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
