vite@6.4.2: server.fs.deny bypass (GHSA-fx2h-pf6j-xcff, high) + NTLMv2 hash
disclosure (GHSA-v6wh-96g9-6wx3, moderate) -- Windows-only, dev server.
vitest@4.0.18: UI server arbitrary file read/exec (GHSA-5xrq-8626-4rwp,
critical) -- only when 'vitest --ui' is listening. Both dev-only. Bumped
within 6.x/4.x (no major). 635 tests pass, build green.
npm audit: 3 -> 1 (only @babel/core low remains; left out deliberately --
audit fix adds 77 packages without resolving it, needs a scoped override
in a separate change).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>