Skip to content

vite-plus v0.2.4: Vitest security hotfix

Latest

Choose a tag to compare

@github-actions github-actions released this 08 Jul 09:18
Immutable release. Only release title and notes can be modified.
1ca9f0f

This hotfix updates the bundled Vitest Browser Mode packages to 4.1.10, which includes the fix for GHSA-p63j-vcc4-9vmv. The advisory is critical and affects @vitest/browser <=4.1.9.

Highlights

  • Critical Vitest Browser Mode advisory fixed: bundled vitest and @vitest/browser* move from 4.1.9 to 4.1.10, addressing GHSA-p63j-vcc4-9vmv, where provider commands could bypass the file access permission gate (#2089), by @voidzero-guard[bot]

Chore

  • Add the standard release-manager skill for vite-plus release operations (#2019), by @fengmk2

Bundled Versions

Tool Version Source
vite 8.1.3 578ffb8
rolldown 1.1.4 6cbd233
tsdown 0.22.3 npm
vitest 4.1.10 npm
oxlint 1.72.0 npm
oxlint-tsgolint 0.24.0 npm
oxfmt 0.57.0 npm

Upgrade

vp upgrade

New Contributors

No new contributors in this release.

Full Changelog: v0.2.3...v0.2.4

Published Packages

  • @voidzero-dev/vite-plus-core@0.2.4
  • vite-plus@0.2.4

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Docker:

docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.4 vp build

Run any vp command without installing it; see the Docker guide for more.