VULN UPGRADE: minor: @openfeature/core, @openfeature/web-sdk, vite [test-app]#201

Open
campaigner-prod[bot] wants to merge 1 commit intomainfrom
engraver-auto-version-upgrade/minorpatch/npm/test-app/0-1772823585

Conversation

@campaigner-prod
Contributor

Summary: High-severity security update — 3 packages upgraded (MINOR changes included)

Manifests changed:

  • test-app (npm)

Updates

| Package | From | To | Type | Vulnerabilities Fixed |
|---|---|---|---|---|
| vite | 5.0.12 | 5.4.21 | minor | 1 HIGH, 20 MODERATE, 4 LOW |
| @openfeature/core | 1.3.0 | 1.9.2 | minor | - |
| @openfeature/web-sdk | 1.5.0 | 1.7.3 | minor | - |

Packages marked with "-" are updated due to dependency constraints.


Security Details

🚨 Critical & High Severity (1 fixed)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| vite | CVE-2025-31125 | high | This package is related to CVE-2025-31125, which was detected by cisa.gov as actively being exploited in the wild | 5.0.12 | - |
ℹ️ Other Vulnerabilities (24)
| Package | CVE | Severity | Summary | Unsafe Version | Fixed In |
|---|---|---|---|---|---|
| vite | GHSA-vg6x-rcgg-rjx6 | MODERATE | Websites were able to send any requests to the development server and read the response in vite | 5.0.12 | 6.0.9 |
| vite | CVE-2025-24010 | MODERATE | Vite allows any websites to send any requests to the development server and read the response | 5.0.12 | - |
| vite | CVE-2025-46565 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 5.0.12 | - |
| vite | GHSA-356w-63v5-8wf4 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 5.0.12 | 6.2.6 |
| vite | CVE-2025-32395 | MODERATE | Vite has a server.fs.deny bypass with an invalid request-target | 5.0.12 | - |
| vite | GHSA-xcj6-pq6g-qj4x | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 5.0.12 | 6.2.5 |
| vite | CVE-2025-31125 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 5.0.12 | - |
| vite | GHSA-93m4-6634-74q7 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 5.0.12 | 7.1.11 |
| vite | CVE-2025-62522 | MODERATE | vite allows server.fs.deny bypass via backslash on Windows | 5.0.12 | - |
| vite | GHSA-9cwx-2883-4wfx | MODERATE | Vite's server.fs.deny is bypassed when using ?import&raw | 5.0.12 | 5.4.6 |
| vite | GHSA-859w-5945-r5v3 | MODERATE | Vite's server.fs.deny bypassed with /. for files under project root | 5.0.12 | 6.3.4 |
| vite | CVE-2025-31486 | MODERATE | Vite allows server.fs.deny to be bypassed with .svg or relative paths | 5.0.12 | - |
| vite | CVE-2024-31207 | MODERATE | Vite's server.fs.deny did not deny requests for patterns with directories | 5.0.12 | - |
| vite | GHSA-x574-m823-4x7w | MODERATE | Vite bypasses server.fs.deny when using ?raw?? | 5.0.12 | 6.2.3 |
| vite | CVE-2025-30208 | MODERATE | Vite bypasses server.fs.deny when using ?raw?? | 5.0.12 | - |
| vite | GHSA-8jhw-289h-jh2g | MODERATE | Vite's server.fs.deny did not deny requests for patterns with directories | 5.0.12 | 2.9.18 |
| vite | CVE-2024-45811 | MODERATE | server.fs.deny bypassed when using ?import&raw in vite | 5.0.12 | - |
| vite | GHSA-64vr-g452-qvp3 | MODERATE | Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS | 5.0.12 | 5.4.6 |
| vite | CVE-2024-45812 | MODERATE | DOM Clobbering gadget found in vite bundled scripts that leads to XSS in Vite | 5.0.12 | - |
| vite | GHSA-4r4m-qw57-chr8 | MODERATE | Vite has a server.fs.deny bypassed for inline and raw with ?import query | 5.0.12 | 6.2.4 |
| vite | GHSA-g4jq-h2w9-997c | LOW | Vite middleware may serve files starting with the same name with the public directory | 5.0.12 | 7.1.5 |
| vite | CVE-2025-58751 | LOW | Vite middleware may serve files starting with the same name with the public directory | 5.0.12 | - |
| vite | GHSA-jqfw-vq24-v9c3 | LOW | Vite's server.fs settings were not applied to HTML files | 5.0.12 | 7.1.5 |
| vite | CVE-2025-58752 | LOW | Vite's server.fs settings were not applied to HTML files | 5.0.12 | - |

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System
