[security] deps: vulnerability in vitest (critical) #237
Labels
No labels
autopilot:pending-human
source:analyste
source:defenseur
source:human
source:medic
status:approved
status:blocked
status:in-progress
status:needs-clarification
status:needs-fix
status:ready
status:review
status:triage
type:bug
type:feature
type:infra
type:refactor
type:schema
type:security
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: maximus/Simpl-Resultat#237
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Contexte
Detecte par le Defenseur defenseur-simpl-resultat (npm audit) le 2026-06-30. Vulnerabilite CRITICAL GHSA-5xrq-8626-4rwp ("When Vitest UI server is listening, arbitrary file can be read and executed"), range affecte
>=4.0.0 <4.1.0.vitest@4.0.18installe, devDependency directe.Severite critique mais surface reelle limitee : necessite que le serveur UI Vitest (
vitest --ui) soit lance et ecoute (dev-only, jamais en prod/CI standard).Travail a faire
vitesten^4.1.9danspackage.json(devDependencies)npm installpour regenererpackage-lock.jsonnpm ls vitest->>=4.1.9,npm auditne liste plus ce CVEFichiers concernes
package.json(version devitest)package-lock.json(regenere)Surface de test
Suite de tests -- verifier que
npm testpasse toujours apres le bump (4.0.x -> 4.1.x, changements internes possibles).Criteres d'acceptation
npm audit --json | jq '.vulnerabilities.vitest'videnpm ls vitest>= 4.1.9npm testpasse toujoursComplexite estimee
Simple (bump direct), a verifier : absence de breaking change 4.0->4.1 dans les specs existantes.