This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`7.1.10` -> `7.1.11`](https://renovatebot.com/diffs/npm/vite/7.1.10/7.1.11) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/7.1.10/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/7.1.10/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7) ### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` when the dev server is running on Windows. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - running the dev server on Windows ### Details `server.fs.deny` can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These patterns were able to bypass by using a back slash(`\`). The root cause is that `fs.readFile('/foo.png/')` loads `/foo.png`. ### PoC ```shell npm create vite@latest cd vite-project/ cat "secret" > .env npm install npm run dev curl --request-target /.env\ http://localhost:5173 ``` <img width="1593" height="616" alt="image" src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175" /> --- ### Release Notes <details> <summary>vitejs/vite (vite)</summary> ### [`v7.1.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small) [Compare Source](https://redirect.github.com/vitejs/vite/compare/v7.1.10...v7.1.11) ##### Bug Fixes - **dev:** trim trailing slash before `server.fs.deny` check ([#20968](https://redirect.github.com/vitejs/vite/issues/20968)) ([f479cc5](https://redirect.github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed)) ##### Miscellaneous Chores - **deps:** update all non-major dependencies ([#20966](https://redirect.github.com/vitejs/vite/issues/20966)) ([6fb41a2](https://redirect.github.com/vitejs/vite/commit/6fb41a260bda443685e719ea4765d3faca3db944)) ##### Code Refactoring - use subpath imports for types module reference ([#20921](https://redirect.github.com/vitejs/vite/issues/20921)) ([d0094af](https://redirect.github.com/vitejs/vite/commit/d0094af639d9ebbb51d4e00910b74f23eb8fe131)) ##### Build System - remove cjs reference in files field ([#20945](https://redirect.github.com/vitejs/vite/issues/20945)) ([ef411ce](https://redirect.github.com/vitejs/vite/commit/ef411cee2696af3ba791879fdae9aad165f178b2)) - remove hash from built filenames ([#20946](https://redirect.github.com/vitejs/vite/issues/20946)) ([a817307](https://redirect.github.com/vitejs/vite/commit/a81730754d655d1371ce0f4354af1c84e12f9f2d)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/oxc-project/eslint-plugin-oxlint).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>