chore(deps): update dependency vitest to v2.1.9 [security]#120
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency vitest to v2.1.9 [security]#120renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 12, 2025 04:23
fecdfcc to
a6e2c5c
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 5, 2025 00:21
a6e2c5c to
f270fe7
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 18, 2025 07:59
69eb08f to
5c92137
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 2, 2025 20:19
5c92137 to
f3cc515
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 26, 2025 00:05
f3cc515 to
29ecb7a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 24, 2025 11:58
29ecb7a to
cecbf82
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 6, 2025 19:00
f7b2869 to
da1dd83
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 29, 2025 04:13
da1dd83 to
21aa32e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 7, 2025 00:08
21aa32e to
8a44103
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 13, 2025 23:46
8a44103 to
4dee2ed
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 23, 2025 11:05
4dee2ed to
213ce9a
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 1, 2025 04:32
213ce9a to
214988d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 26, 2025 11:52
214988d to
310f8c5
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
October 23, 2025 06:29
310f8c5 to
fc7bbe1
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
November 19, 2025 12:14
4869c4f to
63b2d7f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
January 1, 2026 11:26
c22ab13 to
f1a7d4e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
January 9, 2026 08:06
f1a7d4e to
ccbec7c
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
January 24, 2026 04:04
0984922 to
2cfc584
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 3, 2026 04:17
2cfc584 to
b7d1fdb
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 13, 2026 23:54
b7d1fdb to
fece9fe
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 18, 2026 23:39
fece9fe to
57657a1
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
March 14, 2026 19:06
8e71ba6 to
ff2b695
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 15, 2026 11:08
ff2b695 to
97f391d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 30, 2026 03:10
97f391d to
931f6c7
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 13, 2026 02:59
931f6c7 to
82055d3
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
May 23, 2026 04:01
82055d3 to
d8ebd32
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
June 1, 2026 15:16
8d47960 to
ab65be9
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
June 13, 2026 04:04
ab65be9 to
453902f
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
July 16, 2026 07:58
453902f to
c3f36b7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.0.5→2.1.9Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
CVE-2025-24964 / GHSA-9crc-q9x8-hgqq
More information
Details
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vitest-dev/vitest (vitest)
v2.1.9Compare Source
This release includes security patches for:
🐞 Bug Fixes
/__screenshot-error- by @hi-ogawa in #7343View changes on GitHub
v2.1.8Compare Source
🐞 Bug Fixes
View changes on GitHub
v2.1.7Compare Source
🐞 Bug Fixes
pnpm.overridesor yarn resolutions to override theviteversion in thevitestpackage - the APIs are compatible.View changes on GitHub
v2.1.6Compare Source
🚀 Features
View changes on GitHub
v2.1.5Compare Source
🐞 Bug Fixes
dangerouslyIgnoreUnhandledErrorswithout base reporter - by @AriPerkkio in #6808 (0bf0a)unhandledRejectioneven when base reporter is not used - by @AriPerkkio in #6812 (8878b)sequence.concurrentfrom theRuntimeConfigtype - by @sheremet-va in #6880 (6af73).poll,.element,.rejects/.resolves, andlocator.*weren't awaited - by @sheremet-va in #6877 (93b67)enteror'a'- by @AriPerkkio in #6848 (487c8)🏎 Performance
View changes on GitHub
v2.1.4Compare Source
🚀 Features
This patch release includes a non-breaking feature for the experimental Browser Mode that doesn't follow SemVer. If you want to avoid picking up releases like this, make sure to pin the Vitest version in your
package.json. See npm's documentation about semver for more information.transformIndexHtml- by @sheremet-va in #6725 (16902)🐞 Bug Fixes
v=queries to setup files imports - by @sheremet-va in #6759 (b8258)toThrowErrorwith empty string parameter - by @shulaoda in #6710 (a6129)test.extendtype exports - by @hi-ogawa in #6707 (e5c38)🏎 Performance
hashto replacecreateHash- by @btea in #6703 (5d07b)View changes on GitHub
v2.1.3Compare Source
🐞 Bug Fixes
toBeNaN, toBeUndefined, toBeNull, toBeTruthy, toBeFalsy- by @hi-ogawa in #6697 (e0027)/mockServiceWorker.jsinstead of/__vitest_msw__- by @sheremet-va in #6687 (4b2ce)toMatchObjectdiff - by @hi-ogawa in #6620 (d289e)<empty line>logs when interleavingconsole.log/error- by @hi-ogawa in #6644 (9ece3)fast-globinstead oftinyglobbyin Vitest - by @sheremet-va in #6688 (70baa)🏎 Performance
View changes on GitHub
v2.1.2Compare Source
🐞 Bug Fixes
Vitest.setServerto postconfigureServerhook to enable import analysis for workspace config loading - by @hi-ogawa in #6584 (e7f35)BenchmarkResult.samplesarray to reduce memory usage - by @hi-ogawa and @AriPerkkio in #6541 (a6407)data:protocol on preview provider file upload - by @userquin in #6501 (e9821)*.astroby default - by @AriPerkkio in #6565 (f8ff7)cleanOnRerun: falseto invalidate previous results - by @AriPerkkio in #6592 (88bde)toBeDefinedwithexpect.poll- by @hi-ogawa in #6562 (f7da6)--cpu-profand--heap-profnot working by default - by @AriPerkkio in #6555 (2e4d894)beforeAllfailed - by @hi-ogawa in #6524 (fb797)onTestFinishedandonTestFailedduringretryandrepeats- by @hi-ogawa in #6609 (c5e29)--standalone- by @hi-ogawa in #6577 (d0bf8)View changes on GitHub
v2.1.1Compare Source
🐞 Bug Fixes
View changes on GitHub
v2.1.0Compare Source
This release makes another big change to the Browser Mode by introducing locators API:
You can use either vitest-browser-vue, vitest-browser-svelte or vitest-browser-react to render components and make assertions using locators. Locators are also available on the
pageobject from@vitest/browser/context.Potential Breaking Change
vitest.config.tsorvite.config.tsinside the folder)projects/*will match anything inside theprojectsfolder. If it's a folder, we try to find the config inside that folder (if there is none, it is still treated as a project with the default config). If it's a file, it will be treated as a Vitest config.projects/**/*previously would assume that you only wanted to have folders as projects, but now it will match every single file insideprojects.🚀 Features
userEvent.uploadin playwright provider - by @sheremet-va in #6442 (cf148)--inspect- by @AriPerkkio in #6433 (0499a)--inspect-brk- by @AriPerkkio in #6434 (7ab0f)--exclude-after-remap- by @AriPerkkio in #6309 (5932a){ spy: true }instead of a factory - by @sheremet-va in #6289 (95f02)vi.advanceTimersToNextFrame- by @bnjm and @sheremet-va in #6347 (8ff63)fast-globtotinyglobby- by @SuperchupuDev in #6274 (c321a)🐞 Bug Fixes
indexfile - by @sheremet-va in #6266 (081cf)expect.getState().testPathalways returns correct path - by @sheremet-va in #6472 (ac698)vitestand@vitest/*versions don't match - by @AriPerkkio in #6317 (e662c)vitenodefor uncovered files - by @AriPerkkio in #6044 (da52d)performance.nowinstead ofDate.nowfor duration - by @LuciNyan in #6382 (fe489)toMatchInlineSnapshotupdates at the same location - by @hi-ogawa in #6332 (1606f)typecheck.includeoverlaps withinclude- by @sheremet-va in #6256 (153ff)View changes on GitHub
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.