chore(deps): update dependency vitest to v3 [security] by renovate[bot] · Pull Request #3 · ExpediaGroup/expedia-openclaw

renovate · 2026-06-08T19:58:24Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vitest (source)	`^2.0.0` → `^3.2.6`

When Vitest UI server is listening, arbitrary file can be read and executed

CVE-2026-47429 / GHSA-5xrq-8626-4rwp

More information

Details

Summary

Arbitrary file can be read on Windows when Vitest UI server is listening, especially when exposed to the network.

Impact

Only users that match either of the following conditions are affected:

explicitly exposes the Vitest UI server to the network (using --api.host or api.host config option)
running the Vitest UI or Browser Mode on Windows

Details

The API handler for /__vitest_attachment__ uses the deprecated isFileServingAllowed incorrectly.
https://github.com/vitest-dev/vitest/blob/eb1abf08573032a532015b999ad3501c5e89e3bb/packages/ui/node/index.ts#L77
The function expects the passed value to use cleanUrl after the check before file system related operation.
Because of this, it is possible to bypass the check by \\?\\..\\. This is not possible on Linux as Linux errors if a directory named ? does not exist.

A similar problem exists in other places as well.

That said, this isFileServingAllowed check does not actually prevent the API to be abused. Since the API has rerun feature and file write feature, it's possible to run arbitrary script by writing a script as a test file using saveTestFile and running it using rerun. This means exposing the API / Vitest UI is equivalent to giving script execution access.
On the browser mode side, there're readFile / writeFile / saveSnapshotFile. So exposing the browser mode is equivalent to giving file read / write access.

PoC

Run Vitest UI
Get the API token by curl http://localhost:51204/__vitest__/
Run curl "http://localhost:51204/__vitest_attachment__?path=C:\\path\\to\\project\\?\\..\\..\\secret.txt&contentType=text/plain&token=$TOKEN" (TOKEN is the API token)
curl shows the content of secret.txt that is outside the project directory

Mitigations

Vitest now ships two configuration flags, allowWrite and allowExec, that gate the privileged operations exploited by this vulnerability. Both are disabled by default whenever the API server is bound to a non-localhost host, ensuring that exposing the server to the network no longer implicitly grants write or execute capabilities to remote clients.

When these flags are disabled, the UI also enters a read-only mode: in-browser code editing and test file execution are turned off, removing the attack surface that allowed remote code execution. Many Browser Mode features are also disabled, like attachments, artifacts or snapshots. See browser.api.

Users who require the full interactive UI on a networked host must explicitly opt in by setting allowWrite and/or allowExec to true.

Severity

CVSS Score: 9.8 / 10 (Critical)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vitest-dev/vitest (vitest)

🐞 Bug Fixes

Use correct path for optimisation of strip-literal - by @mrginglymus in #8139 (44940)
Print uint and buffer as a simple string - by @sheremet-va in #8141 (b86bf)
browser:
- Show a helpful error when spying on an export - by @sheremet-va in #8178 (56007)
cli:
- vitest run --watch should be watch-mode - by @AriPerkkio in #8128 (657e8)
- Use absolute path environment on Windows - by @colinaaa in #8105 (85dc0)
- Throw error when --shard x/<count> exceeds count of test files - by @AriPerkkio in #8112 (8a18c)
coverage:
- Ignore SCSS in browser mode - by @sheremet-va in #8161 (0c3be)
deps:
- Update all non-major dependencies - in #8123 (93f32)
expect:
- Handle async errors in expect.soft - by @lzl0304 in #8145 (68699)
pool:
- Auto-adjust minWorkers when only maxWorkers specified - by @AriPerkkio in #8110 (14dc0)
reporter:
- task.meta should be available in custom reporter's errors - by @AriPerkkio in #8115 (27df6)
runner:
- Preserve handler wrapping on extend - by @pengooseDev in #8153 (a9281)
ui:
- Ensure ui config option works correctly - by @lzl0304 in #8147 (42eeb)

View changes on GitHub

`v3.2.3`

Compare Source

🚀 Features

browser: Use base url instead of vitest - by @sheremet-va in #8126 (1d8eb)
ui: Show test annotations and metadata in the test report tab - by @sheremet-va in #8093 (c69be)

🐞 Bug Fixes

Rerun tests when project's setup file is changed - by @sheremet-va in #8097 (0f335)
Revert expect.any return type - by @sheremet-va in #8129 (47514)
Run only the name plugin last, not all config plugins - by @sheremet-va in #8130 (83862)
pool:
- Throw if user's tests use process.send() - by @AriPerkkio in #8125 (dfe81)
runner:
- Fast sequential task updates missing - by @AriPerkkio in #8121 (7bd11)
- Comments between fixture destructures - by @AriPerkkio in #8127 (dc469)
vite-node:
- Unable to handle errors where sourcemap mapping empty - by @blake-newman and @hi-ogawa in #8071 (8aa25)

View changes on GitHub

`v3.2.2`

Compare Source

🚀 Features

Support rolldown-vite - by @sheremet-va and @hi-ogawa in #7509 (c8d62)

🐞 Bug Fixes

browser:
- Calculate prepare time from createTesters call on the main thread - by @sheremet-va in #8101 (142c7)
- Optimize build output and always prebundle vitest - by @sheremet-va (00a39)
- Make custom locators available in vitest-browser-* packages - by @sheremet-va in #8103 (247ef)
expect:
- Ensure we can always self toEqual - by @dubzzz in #8094 (02ec8)
reporter:
- Allow dot reporter to work in non interactive terminals - by @bstephen1 and @AriPerkkio in #7994 (6db9f)

View changes on GitHub

`v3.2.1`

Compare Source

🐞 Bug Fixes

Use sha1 instead of md5 for hashing - by @sheremet-va (e4c73)
expect:
- Fix chai import in dts - by @hi-ogawa in #8077 (a7593)
- Export DeeplyAllowMatchers - by @sheremet-va in #8078 (30ab4)

View changes on GitHub

`v3.2.0`

Compare Source

🚀 Features

Provide ctx.signal - by @sheremet-va in #7878 (e761f)
Support custom colors for test.name - by @AriPerkkio in #7809 (4af5d)
Add vi.mockObject to automock any object - by @hi-ogawa and @sheremet-va in #7761 (465bd)
Introduce watchTriggerPatterns option - by @sheremet-va in #7778 (a0675)
Deprecate workspace in favor of projects - by @sheremet-va and @AriPerkkio in #7923 (41beb)
Explicit Resource Management support in mocked functions - by @EskiMojo14 in #7927 (b67d3)
Add sequence.groupOrder option - by @sheremet-va in #7852 (d1a1d)
Initial support for Temporal equality - by @dirkluijk in #8007 (52bd7)
Support Vite 7 - by @sheremet-va in #8003 (1716b)
Track module execution totalTime and selfTime - by @abrenneke in #8027 (95961)
Annotation API - by @sheremet-va in #7953 (b03f2)
browser:
- Implement connect option for playwright browser provider - by @egfx-notifications and @sheremet-va in #7915 (029c0)
- Add screenshot.save option - by @sheremet-va in #7777 (d9f51)
- Custom locators API - by @sheremet-va in #7993 (e6fbd)
coverage:
- V8 experimental AST-aware remapping - by @AriPerkkio in #7736 (78a3d)
reporter:
- Add onWritePath option to github-actions - by @nwalters512 and @AriPerkkio in #8015 (abd3b)
vitest:
- Allow per-file and per-worker fixtures - by @sheremet-va and @AriPerkkio in #7704 (9cbfc)

🐞 Bug Fixes

Replace micromatch with picomatch - by @sapphi-red in #7951 (df076)
Try to catch unhandled error outside of a test - by @sheremet-va in #7968 (46421)
Generate a separate config for "vitest init browser" instead of a workspace file - by @sheremet-va in #7934 (e84e2)
Switch ExpectStatic any types to AsymmetricMatcher<unknown>, with DeeplyAllowMatchers<T> - by @JoshuaKGoldberg in #7016 (8ec44)
Remove unused exports - by @sheremet-va in #7618 (33d05)
Throw an error if typechecker failed to spawn - by @sheremet-va in #7990 (0e960)
Ignore non-string stack properties - by @sheremet-va in #7995 (330f9)
Apply browser CLI options only if the project has the browser set in the config already - by @sheremet-va in #7984 (70358)
Ensure errors keep their message and stack after toJSON serialisation - by @sheremet-va in #8053 (3bdf0)
browser:
- Resolve FS commands relative to the project root - by @sheremet-va in #7896 (69ac9)
- Run tests serially if provider doesn't provide a mocker - by @sheremet-va in #8032 (227a9)
- Resolve upload files relative to the project root - by @sheremet-va in #8042 (b9a31)
- Await mocker invalidation to avoid race condition with "mock wasn't registered" - by @sheremet-va in #8021 (b34ff)
- Share vite cache with the project cache - by @sheremet-va in #8049 (0cbad)
- Add this type to locators.extend - by @sheremet-va in #8069 (70fb0)
cache:
- Preserve test results from previous runs - by @macko911 in #8043 (d6ef0)
cli:
- Add built-in reporters list to --help output - by @pengooseDev in #7955 (ef6ef)
- Parse --silent values properly - by @AriPerkkio in #8055 (8fad7)
coverage:
- Istanbul provider to not use Vite preserved query params - by @AriPerkkio in #7939 (a05d4)
- Browser + v8 in source tests missing - by @AriPerkkio in #7946 (51cd8)
- In-source test cases excluded - by @AriPerkkio in #7985 (407c0)
dev:
- Fix relay of custom equality testers - by @StefanLiebscher in #6140 (6dc1d)
expect:
- Unbundle @types/chai - by @hi-ogawa in #7937 (525f5)
- Support type-safe declaration of custom matchers - by @kettanaito and @sheremet-va in #7656 (e996b)
reporters:
- Check the test result again when tests are rerunning - by @sheremet-va in #8063 (35e31)
spy:
- Copy over static properties from the function - by @sheremet-va in #7780 (9b9f0)
typecheck:
- Don't panic during vitest list command - by @sheremet-va in #7933 (ba6da)
- Avoid creating a temporary tsconfig file when typechecking - by @sheremet-va in #7967 (34f43)
vite-node:
- Add __vite_ssr_exportName__ - by @hi-ogawa in #7925 (76091)
vitest:
- Adjust getWorkerMemoryLimit priority for vmForks - by @pengooseDev in #7960 (5a91e)
wdio:
- Don't scale browser in headless mode - by @sheremet-va in #8033 (c23b0)

View changes on GitHub

`v3.1.4`

Compare Source

🐞 Bug Fixes

Apply browser CLI options only if the project has the browser set in the config already - by @sheremet-va in #8002 (64f2b)

View changes on GitHub

`v3.1.3`

Compare Source

🐞 Bug Fixes

Correctly resolve vitest import if inline: true is set - by @sheremet-va in #7856 (a83f3)
Fix fixture parsing with lowered async with esbuild 0.25.3 - by @hi-ogawa in #7921 (c5c85)
Remove event-catcher code - by @sheremet-va in #7898 (deb1b)
Reset mocks on test retry/repeat - by @sheremet-va in #7897 (2fa76)
Ignore failures on writeToCache - by @orgads in #7893 (8c7f7)
browser: Correctly inherit CLI options - by @sheremet-va in #7858 (03660)
deps: Update all non-major dependencies - in #7867 (67ef7)
reporters: --merge-reports to show each total run times - by @AriPerkkio in #7877 (d613b)

View changes on GitHub

`v3.1.2`

Compare Source

🐞 Bug Fixes

Add global chai variable in vitest/globals (fix: #7474) - by @Jay-Karia in #7771 and #7474 (d9297)
Prevent modifying test.exclude when same object passed in coverage.exclude - by @AriPerkkio in #7774 (c3751)
Fix already hoisted mock - by @hi-ogawa in #7815 (773b1)
Fix test.scoped inheritance - by @hi-ogawa in #7814 (db6c3)
Remove pointer-events-none after resizing the left panel - by @alexprudhomme in #7811 (a7e77)
Default to run mode when stdin is not a TTY - by @kentonv, @hi-ogawa and @sheremet-va in #7673 (6358f)
Use happy-dom/jsdom types for envionmentOptions - by @hi-ogawa in #7795 (67430)
browser:
- Fix transform error before browser server initialization - by @hi-ogawa in #7783 (5f762)
- Fix mocking from outside of root - by @hi-ogawa in #7789 (03f55)
- Scale iframe for non ui case - by @hi-ogawa in #6512 (c3374)
coverage:
- await profiler calls - by @AriPerkkio in #7763 (795a6)
- Expose profiling timers - by @AriPerkkio in #7820 (5652b)
deps:
- Update all non-major dependencies - in #7765 (7c3df)
- Update all non-major dependencies - in #7831 (15701)
runner:
- Correctly call test hooks and teardown functions - by @sheremet-va in #7775 (3c00c)
- Show stacktrace on test timeout error - by @hi-ogawa in #7799 (df33b)
ui:
- Load panel sizes from storage on initial load - by @userquin in #7265 (6555d)
vite-node:
- Named export should overwrite export all - by @hi-ogawa in #7846 (5ba0d)
- Add ERR_MODULE_NOT_FOUND code error if module cannot be loaded - by @sheremet-va in #7776 (f9eac)

🏎 Performance

browser: Improve browser parallelisation - by @sheremet-va in #7665 (816a5)

View changes on GitHub

`v3.1.1`

Compare Source

🐞 Bug Fixes

reporter:
- Report tests in correct order - by @sheremet-va in #7752 (b166e)
- Print test only once in the verbose mode - by @sheremet-va in #7738 (69ca4)

View changes on GitHub

`v3.1.0`

Compare Source

🚀 Features

Introduce %$ option to add number of the test to its title - by @kemuridama in #7412 (df347)
Add diff.maxDepth option and set non-Infinity value as a default to reduce crash - by @hi-ogawa in #7481 (eacab)
Allow array element for test.each/for title formatting - by @hi-ogawa in #7522 (ea3d6)
Add "configureVitest" plugin hook - by @sheremet-va and @AriPerkkio in #7349 (20a5d)
Support --configLoader CLI option - by @Carnageous and @hi-ogawa in #7574 (2a852)
Added vitest-browser-lit to vitest init browser and docs - by @EskiMojo14 and @hi-ogawa in #7705 (5659a)
Use providers request interception for module mocking - by @sheremet-va in #7576 (7883a)
browser:
- Introduce and, or and filter locators - by @sheremet-va and @AriPerkkio in #7463 (63949)
reporter:
- Always render test time - by @AriPerkkio and @spamshaker in #7529 (5eba6)
- --silent=passed-only to log failed tasks only - by @AriPerkkio in #7530 (f9e1c)
runner:
- Add test.scoped to override test.extend fixtures per-suite - by @sheremet-va in #7233 (e5851)
vitest:
- Allow conditional context.skip(boolean) - by @sheremet-va and @AriPerkkio in #7659 (6adec)
- Support rolldown-vite in NormalizeUrlPlugin - by @sapphi-red and @sheremet-va in #7739 (1ef31)

🐞 Bug Fixes

Update test stats regularly - by @hi-ogawa in #7700 (b7953)
Fix vm tests flakiness - by @sheremet-va in #7741 (2702c)
Set diff.expand: false as default - by @hi-ogawa in #7697 (f3420)
browser:
- Correctly calculate timeout in hooks when actions are performed - by @sheremet-va in #7747 (a5505)
deps:
- Update all non-major dependencies - by @hi-ogawa in #7600 (7fc5a)
reporter:
- --hideSkippedTests should hide suites too - by @AriPerkkio in #7695 (ba9b5)
- Report tests in correct order - by @sheremet-va in #7752 (b166e)
- Print test only once in the verbose mode - by @sheremet-va in #7738 (69ca4)
snapshot:
- Fix indent normalization - by @hi-ogawa in #7400 (82997)
- This change can cause small amount of very old snapshots to be updated, but there will be no functional change to how they work.

🏎 Performance

browser: Fork jest-dom instead of bundling it - by @sheremet-va in #7605 (12762)

View changes on GitHub

`v3.0.9`

Compare Source

🐞 Bug Fixes

Typings of ctx.skip() as never - by @sirlancelot in #7608 (09f35)
Cleanup vitest in public resolveConfig API - by @hi-ogawa in #7623 (db14a)
Fix toHaveBeenCalledWith(asymmetricMatcher) with undefined arguments - by @hi-ogawa in #7624 (0fb21)
Race condition in RPC filesystem cache. - by @dts in #7531 (b7f55)
Fix getState().testPath during collection with no isolation - by @hi-ogawa in #7640 (3fb3f)
Support custom toString method in %s format - by @pengooseDev in #7637 (46d93)
browser:
- Fail playwright timeouts earlier than a test timeout - by @sheremet-va and @hi-ogawa in #7565 (5eb4c)
- Remove @testing-library/dom from dependencies #7555)" - by @sheremet-va in #7628 and #7555 (94b27)
coverage:
- Browser mode + coverage.all - by @AriPerkkio in #7597 (422ba)
runner:
- Show stacktrace on hook timeout error - by @hi-ogawa in #7502 (268a1)
vite-node:
- Fix source map of inlined node_modules - by @hi-ogawa in #7557 (34aa3)
- Fix missing buildStart - by @hi-ogawa in #7652 (29f5a)
web-worker:
- Ensure removeEventListener is bound to worker - by @joelgallant in #7631 (ff42b)

View changes on GitHub

`v3.0.8`

Compare Source

🐞 Bug Fixes

Fix fetch cache multiple writes - by @hi-ogawa in #7546 (1a8b4)
Use browser.isolate instead of config.isolate - by @sheremet-va in #7560 (4b5ed)
Remove vestigial spy stub, import directly from @vitest/spy - by @mrginglymus in #7575 (7f7ff)
Correctly split the argv string - by @btea in #7533 (4325a)
browser:
- Remove @testing-library/dom from dependencies - by @sheremet-va in #7555 (5387a)
- Improve source map handling for bundled files - by @sheremet-va in #7534 (e2c57)
- Print related test file and potential test in unhandled errors - by @sheremet-va in #7564 (fee90)
runner:
- Fix beforeEach/All cleanup callback timeout - by @hi-ogawa in #7500 (0c292)
- Fix and simplify Task.suite initialization - by @hi-ogawa in #7414 (ca9ff)
snapshot:
- Allow inline snapshot calls on same location with same snapshot - by @jycouet and @hi-ogawa in #7464 (d5cb8)
vite-node:
- Fix buildStart on Vite 6 - by @hi-ogawa in #7480 (c0f47)

View changes on GitHub

`v3.0.7`

Compare Source

🐞 Bug Fixes

browser: Support webdriverio 9 - by [@&#820

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-06-08T20:01:43Z

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes	no	no	1.82s
✅ EDITORCONFIG	editorconfig-checker	1	0	0	0.22s
✅ JSON	jsonlint	1	0	0	0.39s
✅ JSON	npm-package-json-lint	yes	no	no	0.34s
✅ JSON	v8r	1	0	0	8.34s
✅ REPOSITORY	git_diff	yes	no	no	0.21s
✅ REPOSITORY	secretlint	yes	no	no	0.72s
✅ REPOSITORY	syft	yes	no	no	3.27s
✅ REPOSITORY	trivy	yes	no	no	9.16s
✅ REPOSITORY	trivy-sbom	yes	no	no	1.26s
✅ REPOSITORY	trufflehog	yes	no	no	23.37s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

renovate Bot force-pushed the renovate/npm-vitest-vulnerability branch from 703fef2 to a6444ae Compare June 8, 2026 20:03