This repository was archived by the owner on Apr 8, 2026. It is now read-only.
chore(deps): update dependency vitest to v2.1.9 [security] - autoclosed#1104
Closed
renovate[bot] wants to merge 1 commit into
Closed
chore(deps): update dependency vitest to v2.1.9 [security] - autoclosed#1104renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
4 times, most recently
from
February 12, 2025 15:57
8f36585 to
ff7ec19
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
3 times, most recently
from
February 27, 2025 15:33
d5fbb9f to
4abe58e
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
4 times, most recently
from
March 20, 2025 13:40
d43297c to
057aab4
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 2, 2025 07:56
057aab4 to
5ab58d8
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 10, 2025 14:03
5ab58d8 to
c155aa1
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
August 19, 2025 14:05
c155aa1 to
50b2ac4
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
3 times, most recently
from
September 3, 2025 04:02
5ca19e7 to
4e81e09
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
September 25, 2025 15:43
4e81e09 to
f4b88b9
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
October 13, 2025 08:46
f4b88b9 to
31cb5f0
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
October 21, 2025 17:03
31cb5f0 to
08ad180
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
November 10, 2025 20:46
08ad180 to
b732b5c
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
2 times, most recently
from
December 1, 2025 10:04
3788a7a to
94e0782
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
6 times, most recently
from
December 10, 2025 18:48
ba3dc71 to
367cc8d
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
February 9, 2026 12:38
367cc8d to
9a385c3
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
March 30, 2026 18:00
9a385c3 to
1c94d9c
Compare
renovate
Bot
force-pushed
the
renovate/npm-vitest-vulnerability
branch
from
April 1, 2026 20:12
1c94d9c to
78e01ae
Compare
Contributor
Author
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.1.3→2.1.9GitHub Vulnerability Alerts
CVE-2025-24964
Summary
Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.
Details
When
apioption is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46
This WebSocket server has
saveTestFileAPI that can edit a test file andrerunAPI that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by thesaveTestFileAPI and then running that file by calling thererunAPI.https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76
PoC
calcexecutable inPATHenv var (you'll likely have it if you are running on Windows), that application will be executed.Impact
This vulnerability can result in remote code execution for users that are using Vitest serve API.
Release Notes
vitest-dev/vitest (vitest)
v2.1.9Compare Source
This release includes security patches for:
🐞 Bug Fixes
/__screenshot-error- by @hi-ogawa in #7343View changes on GitHub
v2.1.8Compare Source
🐞 Bug Fixes
View changes on GitHub
v2.1.7Compare Source
🐞 Bug Fixes
pnpm.overridesor yarn resolutions to override theviteversion in thevitestpackage - the APIs are compatible.View changes on GitHub
v2.1.6Compare Source
🚀 Features
View changes on GitHub
v2.1.5Compare Source
🐞 Bug Fixes
dangerouslyIgnoreUnhandledErrorswithout base reporter - by @AriPerkkio in #6808 (0bf0a)unhandledRejectioneven when base reporter is not used - by @AriPerkkio in #6812 (8878b)sequence.concurrentfrom theRuntimeConfigtype - by @sheremet-va in #6880 (6af73).poll,.element,.rejects/.resolves, andlocator.*weren't awaited - by @sheremet-va in #6877 (93b67)enteror'a'- by @AriPerkkio in #6848 (487c8)🏎 Performance
View changes on GitHub
v2.1.4Compare Source
🚀 Features
This patch release includes a non-breaking feature for the experimental Browser Mode that doesn't follow SemVer. If you want to avoid picking up releases like this, make sure to pin the Vitest version in your
package.json. See npm's documentation about semver for more information.transformIndexHtml- by @sheremet-va in #6725 (16902)🐞 Bug Fixes
v=queries to setup files imports - by @sheremet-va in #6759 (b8258)toThrowErrorwith empty string parameter - by @shulaoda in #6710 (a6129)test.extendtype exports - by @hi-ogawa in #6707 (e5c38)🏎 Performance
hashto replacecreateHash- by @btea in #6703 (5d07b)View changes on GitHub
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.