
@renovate renovate bot commented Sep 10, 2025

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app to mend[bot].

This notice will be removed on 2025-10-07.


This PR contains the following updates:

Package: vite (source)
Change: 6.3.5 -> 6.3.6

GitHub Vulnerability Alerts

CVE-2025-58751

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but the public page middleware disables this functionality, since public pages are meant to be always available, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", and the created path is "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware, which doesn't check that).

PoC

Execute the following shell commands:

npm create vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response, because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

Related links

CVE-2025-58752

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm create vite@latest
cd vite-project/
echo "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > vite.config.js
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response, because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.


Release Notes

vitejs/vite (vite)

v6.3.6


Please refer to CHANGELOG.md for details.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.

@renovate renovate bot requested review from cte, jr and mrubens as code owners September 10, 2025 03:37
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Sep 10, 2025

@roomote roomote bot left a comment


Thank you for this security update! I've reviewed the changes and they look good.

✅ Security Update Verified

This PR correctly updates Vite from 6.3.5 to 6.3.6 to address two critical CVEs:

  • CVE-2025-58751: Path traversal vulnerability bypassing server.fs settings when symlinks exist in public directory
  • CVE-2025-58752: HTML files served regardless of server.fs settings

Review Summary

What's good:

  • ✅ Minimal, focused changes - only updates the necessary dependency
  • ✅ Addresses critical security vulnerabilities promptly
  • ✅ Lock file properly synchronized with package.json
  • ✅ Correct scope - only webview-ui package uses Vite
  • ✅ Current vite.config.ts doesn't expose dev server to network, mitigating immediate risk

Future consideration:
While not critical for this PR, consider documenting in vite.config.ts that server.fs settings should be carefully configured if the dev server is ever exposed to the network in the future.

This security update should be merged to protect against the identified vulnerabilities.

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Sep 10, 2025
@daniel-lxs daniel-lxs moved this from Triage to PR [Needs Review] in Roo Code Roadmap Sep 10, 2025
@hannesrudolph hannesrudolph added PR - Needs Review and removed Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. labels Sep 10, 2025
@daniel-lxs daniel-lxs moved this from PR [Needs Review] to Renovate BOT in Roo Code Roadmap Sep 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 11 times, most recently from 9814281 to 724ca83 Compare September 26, 2025 14:14

vercel bot commented Sep 26, 2025

The latest updates on your projects.

Project Deployment Preview Comments Updated (UTC)
roo-code-website Error Error Sep 26, 2025 2:14pm

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 3 times, most recently from d9422f5 to ef3c788 Compare September 26, 2025 19:51
mini2s added a commit to zgsm-ai/costrict that referenced this pull request Oct 5, 2025
* Let people paste in the auth redirect url (RooCodeInc#7805)

Co-authored-by: roomote[bot] <219738659+roomote[bot]@users.noreply.github.com>
Co-authored-by: Bruno Bergher <[email protected]>

* test: change console.error to console.warn in tests

* fix: resolve chat message edit/delete duplication issues (RooCodeInc#7793)

* fix: add GIT_EDITOR env var to merge-resolver mode for non-interactive rebase (RooCodeInc#7819)

* UI: Render reasoning as plain italic (match <thinking>) (RooCodeInc#7752)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Hannes Rudolph <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>

* Add taskSyncEnabled to userSettingsConfigSchema (RooCodeInc#7827)

feat: add taskSyncEnabled to userSettingsConfigSchema

Co-authored-by: Roo Code <[email protected]>

* Release: v1.75.0 (RooCodeInc#7829)

chore: bump version to v1.75.0

* fix: prevent negative cost values and improve label visibility in evals chart (RooCodeInc#7830)

Co-authored-by: Roo Code <[email protected]>

* Fix Groq context window display (RooCodeInc#7839)

* test: enhance vscode mock implementations and error handling

* feat(chat): replace edit button with copy functionality

* refactor(core): enhance binary file detection and encoding handling

* separate task sync roomote control (RooCodeInc#7799)

* feat: separate Task Sync and Roomote Control settings

- Add new taskSyncEnabled setting to control task content syncing
- Keep remoteControlEnabled for Roomote Control functionality
- Task Sync controls whether task content is sent to cloud
- Roomote Control controls whether cloud can send instructions back
- Roomote Control now depends on Task Sync being enabled
- Usage metrics (tokens, cost) always reported regardless of settings
- Update UI with two separate toggles and clear descriptions
- Add info text explaining usage metrics are always reported

* feat: add missing translations for Task Sync and Roomote Control settings

- Added taskSync, taskSyncDescription, remoteControlRequiresTaskSync, and usageMetricsAlwaysReported keys to all non-English cloud.json files
- Updated cloudBenefit keys to match English structure
- Ensured all languages have consistent translation keys for the new Task Sync and Roomote Control features

* Cloud: cleanup taskSyncEnabled additions

* fix: correct indentation localization files

---------

Co-authored-by: Roo Code <[email protected]>

* feat: In-extension dismissible upsells for Roo Code Cloud (RooCodeInc#7850)

* First pass at separate upsell dialog

* Revert PR RooCodeInc#7188 - Restore temperature parameter to fix TabbyApi/ExLlamaV2 crashes (RooCodeInc#7594)

* fix: reduce CodeBlock button z-index to prevent overlap with popovers (RooCodeInc#7783)

Fixes RooCodeInc#7703 - CodeBlock language dropdown and copy button were appearing above popovers due to z-index: 100. Reduced to z-index: 40 to maintain proper layering hierarchy while keeping buttons functional.

* Make ollama models info transport work like lmstudio (RooCodeInc#7679)

* feat: add click-to-edit, ESC-to-cancel, and fix padding consistency for chat messages (RooCodeInc#7790)

* feat: add click-to-edit, ESC-to-cancel, and fix padding consistency

- Enable click-to-edit for past messages by making message text clickable
- Add ESC key handler to cancel edit mode in ChatTextArea
- Fix padding consistency between past and queued message editors
- Adjust right padding for edit mode to accommodate cancel button

Fixes RooCodeInc#7788

* fix: adjust padding and layout for ChatTextArea in edit mode

* refactor: replace hardcoded pr-[72px] with standard Tailwind pr-20 class

---------

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Hannes Rudolph <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>

* Let people paste in the auth redirect url (RooCodeInc#7805)

Co-authored-by: roomote[bot] <219738659+roomote[bot]@users.noreply.github.com>
Co-authored-by: Bruno Bergher <[email protected]>

* fix: resolve chat message edit/delete duplication issues (RooCodeInc#7793)

* fix: add GIT_EDITOR env var to merge-resolver mode for non-interactive rebase (RooCodeInc#7819)

* UI: Render reasoning as plain italic (match <thinking>) (RooCodeInc#7752)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Hannes Rudolph <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>

* Add taskSyncEnabled to userSettingsConfigSchema (RooCodeInc#7827)

feat: add taskSyncEnabled to userSettingsConfigSchema

Co-authored-by: Roo Code <[email protected]>

* Release: v1.75.0 (RooCodeInc#7829)

chore: bump version to v1.75.0

* fix: prevent negative cost values and improve label visibility in evals chart (RooCodeInc#7830)

Co-authored-by: Roo Code <[email protected]>

* Fix Groq context window display (RooCodeInc#7839)

* feat: add DismissibleUpsell component for dismissible messages

- Created DismissibleUpsell component with variant support (banner/default)
- Added dismissedUpsells to GlobalState for persistence
- Implemented message handlers for dismissing and retrieving dismissed upsells
- Added comprehensive tests for the component
- Uses VSCode extension globalState for persistent storage

* fix: Apply PR feedback for DismissibleUpsell component

- Changed from className to separate 'id' and 'className' props for better semantics
- Added i18n support for accessibility labels (aria-label and title)
- Fixed memory leak by adding mounted flag to prevent state updates after unmount
- Fixed race condition by sending dismiss message before hiding component
- Fixed inefficient array operations in webviewMessageHandler
- Added comprehensive test coverage for edge cases including:
  - Multiple rapid dismissals
  - Component unmounting during async operations
  - Invalid/malformed message handling
  - Proper message sending before unmount
- Added null checks for message data to handle edge cases gracefully

* New Cloud upsell dialog in task share and cloud view, shared component

* Properly working DismissibleUpsell

* Working upsell for long-running tasks

* CTA in AutoApproveMenu

* Home page CTA

* Fixes the autoapprove upsell and some tests

* Visual and copy fixes

* Test fix

* Translations

* Stray className attribute

* Cloud view fixes in a left-aligned layout

* Removes unnecessary test

* Less flaky tests

* Fixes sharebutton behavior and updates associated tests

* Update webview-ui/src/i18n/locales/it/cloud.json

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

* Fix dismissed flicker

* Fix long task upsell

---------

Co-authored-by: Daniel <[email protected]>
Co-authored-by: ItsOnlyBinary <[email protected]>
Co-authored-by: roomote[bot] <219738659+roomote[bot]@users.noreply.github.com>
Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Hannes Rudolph <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>
Co-authored-by: Matt Rubens <[email protected]>
Co-authored-by: John Richmond <[email protected]>
Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

* v3.28.0 (RooCodeInc#7858)

* Changeset version bump (RooCodeInc#7859)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matt Rubens <[email protected]>

* feat(chat): add chat search functionality with highlighting

* feat: show notification when the checkpoint initialization fails (RooCodeInc#7766)

Co-authored-by: daniel-lxs <[email protected]>

* Bust cache in generated image preview (RooCodeInc#7860)

Co-authored-by: Roo Code <[email protected]>

* test: disable TaskHeader upsell tests

* test: refactor TaskHeader test file

* feat: Add cloud task button for opening tasks in Roo Code Cloud (RooCodeInc#7572)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Bruno Bergher <[email protected]>
Co-authored-by: Bruno Bergher <[email protected]>

* fix: center active mode in selector dropdown on open (RooCodeInc#7883)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>

* Make Posthog telemetry the default (RooCodeInc#7909)

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

* Fix: Preserve first message during conversation condensing (RooCodeInc#7910)

* In-app announcement for Roo Code Cloud (RooCodeInc#7914)

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>

* chore: add changeset for v3.28.1 (RooCodeInc#7916)

* Changeset version bump (RooCodeInc#7917)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matt Rubens <[email protected]>

* Remove Roo Code 3.25 release announcement

Removed the section about Roo Code 3.25 release notes.

* fix: restrict @-mention parsing to line-start or whitespace boundaries (RooCodeInc#7876)

Co-authored-by: Roo Code <[email protected]>

* Fix message queue re-queue loop in Task.ask() (RooCodeInc#7823)

* fix: preserve original first message context during conversation condensing (RooCodeInc#7939)

* Add a little padding to the cloudview (RooCodeInc#7954)

* test: increase test timeout configuration

* test(ci): enable translation check and optimize test workflow

* fix: make nested git repository warning persistent with path info (RooCodeInc#7885)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>

* fix: include API key in Ollama /api/tags requests (RooCodeInc#7903)

Co-authored-by: Roo Code <[email protected]>

* feat: add Qwen3 Next 80B A3B models to chutes provider (RooCodeInc#7948)

* ux: Smaller and more subtle auto-approve UI (RooCodeInc#7894)

Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Hannes Rudolph <[email protected]>
Co-authored-by: daniel-lxs <[email protected]>
Co-authored-by: roomote[bot] <219738659+roomote[bot]@users.noreply.github.com>
Co-authored-by: Bruno Bergher <[email protected]>
Co-authored-by: Daniel <[email protected]>
Co-authored-by: ItsOnlyBinary <[email protected]>
Co-authored-by: Matt Rubens <[email protected]>
Co-authored-by: John Richmond <[email protected]>

* Disable Roomote Control on logout (RooCodeInc#7976)

* Remove chevrons from chat buttons (RooCodeInc#7970)

* chore: add changeset for v3.28.2 (RooCodeInc#7979)

* Changeset version bump (RooCodeInc#7980)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Matt Rubens <[email protected]>

* ux: Makes text area buttons appear only when there's text (RooCodeInc#7987)

* fix: corrected C# tree-sitter query (RooCodeInc#7813)

* feat: Move slash commands to Settings tab with gear icon for discoverability (RooCodeInc#7988)

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>
Co-authored-by: Roo Code <[email protected]>
Co-authored-by: Bruno Bergher <[email protected]>
Co-authored-by: Mubeen Zulfiqar <[email protected]>
Co-authored-by: Matt Rubens <[email protected]>

* Add Z.ai coding plan support (