Skip to content

chore(deps-dev): Bump vitest from 3.2.4 to 3.2.6#22

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vitest-3.2.6
Open

chore(deps-dev): Bump vitest from 3.2.4 to 3.2.6#22
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/vitest-3.2.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 9, 2026

Copy link
Copy Markdown

Bumps vitest from 3.2.4 to 3.2.6.

Release notes

Sourced from vitest's releases.

v3.2.6

   🐞 Bug Fixes

    View changes on GitHub

v3.2.5

   🚀 Features

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • b6d56f8 chore: release v3.2.6
  • 16f120d fix: pin last supported vite-node version
  • 2cbad0a chore: release v3.2.5
  • 385a1ae fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • af88b1f feat(api): add allowWrite and allowExec options to api [backport to v3]...
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for vitest since your current version.


@dependabot @github

dependabot Bot commented on behalf of github Jun 9, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Comment thread pnpm-lock.yaml

vitest@3.2.4:
resolution: {integrity: sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==}
vitest@3.2.6:

@semgrep-code-getcoherence semgrep-code-getcoherence Bot Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: Affected versions of vitest are vulnerable to Missing Authorization. When the Vitest UI server is listening, the deprecated isFileServingAllowed check is applied without normalizing the URL before filesystem operations, allowing path traversal that lets an attacker read, write, and execute arbitrary files outside the project directory.

Manual Review Advice: A vulnerability from this advisory is reachable if you run the Vitest UI on Windows, or you expose the Vitest UI server to the network with the --api.host flag or api.host config option

Fix: Upgrade this library to at least version 4.1.0 at openpartner/pnpm-lock.yaml:2949.

Reference(s): GHSA-5xrq-8626-4rwp

🧹 Removed in commit 2f85e80 🧹

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/vitest-3.2.6 branch from 23c4fec to 2f85e80 Compare July 3, 2026 00:00
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 3.2.4 to 3.2.6.
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v3.2.6/packages/vitest)

---
updated-dependencies:
- dependency-name: vitest
  dependency-version: 3.2.6
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/vitest-3.2.6 branch from 2f85e80 to ac82626 Compare July 3, 2026 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants