chore(deps): update dependency vite to v6.2.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.1.3 -> 6.2.5

GitHub Vulnerability Alerts

CVE-2025-31486

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected..

Details

.svg

Requests ending with .svg are loaded at this line.
https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@​fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

---

Release Notes

vitejs/vite (vite)

v6.2.5

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.2

Compare Source

• fix: await client buildStart on top level buildStart (#​19624) (b31faab), closes #​19624
• fix(css): inline css correctly for double quote use strict (#​19590) (d0aa833), closes #​19590
• fix(deps): update all non-major dependencies (#​19613) (363d691), closes #​19613
• fix(indexHtml): ensure correct URL when querying module graph (#​19601) (dc5395a), closes #​19601
• fix(preview): use preview https config, not server (#​19633) (98b3160), closes #​19633
• fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #​19612
• feat: show friendly error for malformed base (#​19616) (2476391), closes #​19616
• feat(worker): show asset filename conflict warning (#​19591) (367d968), closes #​19591
• chore: extend commit hash correctly when ambigious with a non-commit object (#​19600) (89a6287), closes #​19600

v6.2.1

Compare Source

• refactor: remove isBuild check from preAliasPlugin (#​19587) (c9e086d), closes #​19587
• refactor: restore endsWith usage (#​19554) (6113a96), closes #​19554
• refactor: use applyToEnvironment in internal plugins (#​19588) (f678442), closes #​19588
• fix(css): stabilize css module hashes with lightningcss in dev mode (#​19481) (92125b4), closes #​19481
• fix(deps): update all non-major dependencies (#​19555) (f612e0f), closes #​19555
• fix(reporter): fix incorrect bundle size calculation with non-ASCII characters (#​19561) (437c0ed), closes #​19561
• fix(sourcemap): combine sourcemaps with multiple sources without matched source (#​18971) (e3f6ae1), closes #​18971
• fix(ssr): named export should overwrite export all (#​19534) (2fd2fc1), closes #​19534
• feat: add *?url&no-inline type and warning for .json?inline / .json?no-inline (#​19566) (c0d3667), closes #​19566
• test: add glob import test case (#​19516) (aa1d807), closes #​19516
• test: convert config playground to unit tests (#​19568) (c0e68da), closes #​19568
• test: convert resolve-config playground to unit tests (#​19567) (db5fb48), closes #​19567
• perf: flush compile cache after 10s (#​19537) (6c8a5a2), closes #​19537
• chore(css): move environment destructuring after condition check (#​19492) (c9eda23), closes #​19492
• chore(html): remove unnecessary value check (#​19491) (797959f), closes #​19491

v6.2.0

Compare Source

• fix(deps): update all non-major dependencies (#​19501) (c94c9e0), closes #​19501
• fix(worker): string interpolation in dynamic worker options (#​19476) (07091a1), closes #​19476
• chore: use unicode cross icon instead of x (#​19497) (5c70296), closes #​19497

v6.1.4

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying vue-i18n-next with    Cloudflare Pages

Latest commit:	f6d0533
Status:	✅  Deploy successful!
Preview URL:	https://a93d845f.vue-i18n-next.pages.dev
Branch Preview URL:	https://renovate-npm-vite-vulnerabil.vue-i18n-next.pages.dev

View logs

[github-actions]

Size Report

Bundles

File	Size	Gzip	Brotli
core.esm-browser.prod.js	37.81 kB	11.57 kB	10.32 kB
core.global.prod.js	30.98 kB	10.72 kB	9.65 kB
core.runtime.esm-browser.prod.js	23.53 kB	7.66 kB	6.84 kB
core.runtime.global.prod.js	17.96 kB	6.99 kB	6.28 kB
message-compiler.esm-browser.prod.js	19.29 kB	5.76 kB	5.14 kB
message-compiler.global.prod.js	17.32 kB	5.55 kB	4.98 kB
petite-vue-i18n-core.esm-browser.prod.js	20.21 kB	6.79 kB	6.14 kB
petite-vue-i18n-core.global.prod.js	15.49 kB	5.99 kB	5.43 kB
petite-vue-i18n.esm-browser.prod.js	36.71 kB	11.27 kB	10.11 kB
petite-vue-i18n.global.prod.js	29.72 kB	10.12 kB	9.15 kB
petite-vue-i18n.runtime.esm-browser.prod.js	22.28 kB	7.27 kB	6.56 kB
petite-vue-i18n.runtime.global.prod.js	16.71 kB	6.36 kB	5.76 kB
vue-i18n.esm-browser.prod.js	50.31 kB	15.06 kB	13.46 kB
vue-i18n.global.prod.js	40.36 kB	13.53 kB	12.18 kB
vue-i18n.runtime.esm-browser.prod.js	35.88 kB	11.06 kB	9.94 kB
vue-i18n.runtime.global.prod.js	27.35 kB	9.79 kB	8.85 kB

Usages

Name	Size	Gzip	Brotli
packages/size-check-core (@intlify/core)	9.04 kB	3.72 kB	3.39 kB
packages/size-check-petite-vue-i18n (petite-vue-i18n)	77.51 kB	30.19 kB	27.19 kB
packages/size-check-vue-i18n (vue-i18n)	82.59 kB	31.62 kB	28.50 kB

[pkg-pr-new]

Open in StackBlitz

@intlify/core

npm i https://pkg.pr.new/@intlify/core@2154

@intlify/core-base

npm i https://pkg.pr.new/@intlify/core-base@2154

@intlify/devtools-types

npm i https://pkg.pr.new/@intlify/devtools-types@2154

@intlify/message-compiler

npm i https://pkg.pr.new/@intlify/message-compiler@2154

@intlify/shared

npm i https://pkg.pr.new/@intlify/shared@2154

petite-vue-i18n

npm i https://pkg.pr.new/petite-vue-i18n@2154

vue-i18n

npm i https://pkg.pr.new/vue-i18n@2154

@intlify/vue-i18n-core

npm i https://pkg.pr.new/@intlify/vue-i18n-core@2154

commit: 1c5d5c6