chore(deps): update dependency vitest to v1.6.1 [security]#44
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency vitest to v1.6.1 [security]#44renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 9, 2025 15:55
96d3f32 to
74337f2
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 3, 2025 13:18
74337f2 to
e3d2c5e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
3 times, most recently
from
March 17, 2025 13:59
7ca75b7 to
797e344
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 1, 2025 08:26
797e344 to
607f30d
Compare
Coverage Report
File CoverageNo changed files found. |
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 8, 2025 16:33
607f30d to
96a1d51
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 24, 2025 11:55
96a1d51 to
c8a7aca
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 19, 2025 18:37
c8a7aca to
83d08cd
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 4, 2025 09:27
bddd375 to
f0d64a6
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 22, 2025 11:42
f0d64a6 to
ed9742a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 2, 2025 20:46
ed9742a to
6270225
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
August 13, 2025 13:07
65a063b to
f9e4727
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 19, 2025 11:27
f9e4727 to
853768b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 31, 2025 12:10
853768b to
1b53252
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 25, 2025 17:42
1b53252 to
3fb187d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
October 21, 2025 19:13
3fb187d to
841f86b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
November 10, 2025 23:12
841f86b to
76106e5
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
November 18, 2025 23:14
76106e5 to
3739a29
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
December 3, 2025 15:45
3739a29 to
a9d229b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
December 31, 2025 18:29
a9d229b to
aeebe4e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
January 8, 2026 21:14
aeebe4e to
06497c5
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
January 23, 2026 20:51
29297d6 to
950a49d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 2, 2026 16:16
950a49d to
c228e78
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 12, 2026 12:40
c228e78 to
d01b94a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 17, 2026 17:49
d01b94a to
a8bb91b
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 5, 2026 16:44
a8bb91b to
f0fba68
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 14, 2026 21:01
f0fba68 to
0743cc3
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 1, 2026 21:39
0743cc3 to
bcb712f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
April 19, 2026 07:36
2a8c381 to
3a3128d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 1, 2026 11:04
3a3128d to
efc09eb
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
May 18, 2026 13:26
b73bd66 to
59fb351
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 1, 2026 23:52
f5abf5a to
6200702
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 11, 2026 22:04
6200702 to
638af4f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 12, 2026 14:14
638af4f to
9a83009
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 17, 2026 03:47
9a83009 to
aea9c2f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.4.0→1.6.1Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v1.6.1Compare Source
This release includes security patches for:
🐞 Bug Fixes
View changes on GitHub
v1.6.0Compare Source
🚀 Features
includeConsoleOutputandaddFileAttributein junit - by @hi-ogawa in #5659 (2f913)🐞 Bug Fixes
resolveId('vitest')afterbuildStart- by @hi-ogawa in #5646 (f5faf)toJSONfor error serialization - by @hi-ogawa in #5526 (19a21)*.test-d.*by default - by @MindfulPol in #5634 (bfe8a)vite-node's wrapper only to executed files - by @AriPerkkio in #5642 (c9883)🏎 Performance
View changes on GitHub
v1.5.3Compare Source
🐞 Bug Fixes
View changes on GitHub
v1.5.2Compare Source
🐞 Bug Fixes
View changes on GitHub
v1.5.1Compare Source
🚀 Features
startVitest()to acceptstdoutandstdin- by @AriPerkkio in #5493 (780b1)startVitestAPI is experimental and doesn't follow semver.🐞 Bug Fixes
import.meta.env.PROD: false- by @hi-ogawa in #5561 (9c649)onTestFinishedin reverse order - by @sheremet-va in #5598 (23f29)fileParallelismby default on browser pool - by @hi-ogawa in #5528 (5c69f)v8-to-istanbul- by @AriPerkkio in #5549 (df6a4)cleanOnRerunis disabled - by @AriPerkkio in #5540 (ea3c1)thresholdsto compare files relative to root - by @AriPerkkio in #5574 (80265)toEqualandtoMatchObjectwith circular references - by @hi-ogawa in #5535 (9e641)View changes on GitHub
v1.5.0Compare Source
🚀 Features
🐞 Bug Fixes
describecalls not taking generic type parameters - by @aryaemami59 in #5415 (16bac)processis mocked - by @AriPerkkio in #5430 (0ec4d)toHaveBeenNthCalledWitherror message when not called - by @hi-ogawa in #5420 (e5253)isValidNodeImportto check"type": "module"first - by @hi-ogawa in #5416 (6fb15)View changes on GitHub
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.