fix(deps): bump vite to 6.4.3 + vitest to 4.1.9 (security #236, #237) #240

Merged
maximus merged 1 commit from issue-237-vite-vitest into main 2026-07-02 00:18:32 +00:00

1 commit

Author SHA1 Message Date
le king fu
23b574ebcb fix(deps): bump vite to 6.4.3 and vitest to 4.1.9 (fixes #236, #237)
All checks were successful
PR Check / rust (pull_request) Successful in 28m3s
PR Check / frontend (pull_request) Successful in 2m39s
vite@6.4.2: server.fs.deny bypass (GHSA-fx2h-pf6j-xcff, high) + NTLMv2 hash
disclosure (GHSA-v6wh-96g9-6wx3, moderate) -- Windows-only, dev server.
vitest@4.0.18: UI server arbitrary file read/exec (GHSA-5xrq-8626-4rwp,
critical) -- only when 'vitest --ui' is listening. Both dev-only. Bumped
within 6.x/4.x (no major). 635 tests pass, build green.

npm audit: 3 -> 1 (only @babel/core low remains; left out deliberately --
audit fix adds 77 packages without resolving it, needs a scoped override
in a separate change).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 20:01:45 -04:00