fix(arena-web): bump Vite 6.4.1 → 6.4.2 (HIGH-severity dev-server CVEs)#1007
Merged
npm audit flagged Vite 6.4.1 as vulnerable to two HIGH-severity issues:

- GHSA-4w7w-66w2-5vf9 — path traversal in optimized deps `.map` handling
- GHSA-p9ff-h696-f583 — arbitrary file read via Vite dev server WebSocket

Both are dev-server bugs, so the blast radius is bounded to anyone running `npm run dev` on an exposed host. Still worth closing.

`npm audit fix` bumps the transitive vite dependency from 6.4.1 to 6.4.2 (a patch release). No package.json range change needed, no API surface change, no test fallout. Other npm workspaces in the repo (packc-action, promptarena-action, npm/packc, npm/promptarena) already report `found 0 vulnerabilities`.

Verified: `npm run build` succeeds under vite 6.4.2, `npm run test:ci` still passes, `npm audit` now clean.
Summary

Closes two HIGH-severity Vite advisories that `npm audit` has been flagging on the arena web frontend:

- GHSA-4w7w-66w2-5vf9 — path traversal in optimized deps `.map` handling
- GHSA-p9ff-h696-f583 — arbitrary file read via Vite dev server WebSocket

Both are dev-server bugs, so real-world exposure is bounded to anyone running `npm run dev` on a host reachable by an attacker. Still a high rating — not worth sitting on.

Change

`npm audit fix` bumps the transitive `vite` dependency from 6.4.1 to 6.4.2 (a patch release). No `package.json` range change needed. 3-line lock diff.

Test plan

- `npm audit` now reports `found 0 vulnerabilities` in the frontend
- `npm run build` succeeds under Vite 6.4.2
- `npm run test:ci` passes (20/20 unit tests, utils.ts 100% covered)
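A check a reviewer can run against the situation this PR fixes (a transitive copy of vite nested under another package, below the patched 6.4.2 release) is a lockfile scan that does not depend on the advisory database being reachable. This is an added example, not code from this repository or PR; the `@example/arena-tooling` package and the lockfile contents are constructed.

```javascript
// Added example, not from this repository: walk an npm package-lock.json
// (lockfileVersion 2 or 3) and report every installed copy of a tracked package,
// including transitive copies nested under another package's node_modules/,
// whose version is older than the fixed release.
const FIXED = { vite: '6.4.2' }; // first vite release carrying the fixes this PR picks up

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number); // numeric compare, so 6.10.0 > 6.4.2
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Returns [{ path, version, fixed }] for each installed copy below the fixed version.
function findVulnerable(lock, fixed = FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The package name is whatever follows the last "node_modules/" in the path,
    // which also handles scoped names like node_modules/@scope/pkg.
    const name = path.split('node_modules/').pop();
    if (!(name in fixed) || !entry.version) continue;
    if (compareSemver(entry.version, fixed[name]) < 0) {
      hits.push({ path, version: entry.version, fixed: fixed[name] });
    }
  }
  return hits;
}

// Constructed lockfile: vite is only a transitive dependency, nested under a
// hypothetical @example/arena-tooling package, the situation npm audit fix handled here.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'arena-web', version: '0.0.0' },
    'node_modules/@example/arena-tooling': { version: '1.2.0' },
    'node_modules/@example/arena-tooling/node_modules/vite': { version: '6.4.1' },
    'node_modules/vitest': { version: '3.0.0' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`${h.path}: ${h.version} < ${h.fixed}`);
```

To run it on a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.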