chore(deps): update dependency vite to v6.2.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.2.1 -> 6.2.3

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

---

Release Notes

vitejs/vite (vite)

v6.2.3

Compare Source

Please refer to CHANGELOG.md for details.

v6.2.2

Compare Source

• fix: await client buildStart on top level buildStart (#​19624) (b31faab), closes #​19624
• fix(css): inline css correctly for double quote use strict (#​19590) (d0aa833), closes #​19590
• fix(deps): update all non-major dependencies (#​19613) (363d691), closes #​19613
• fix(indexHtml): ensure correct URL when querying module graph (#​19601) (dc5395a), closes #​19601
• fix(preview): use preview https config, not server (#​19633) (98b3160), closes #​19633
• fix(ssr): use optional chaining to prevent "undefined is not an object" happening in `ssrRewriteStac (4309755), closes #​19612
• feat: show friendly error for malformed base (#​19616) (2476391), closes #​19616
• feat(worker): show asset filename conflict warning (#​19591) (367d968), closes #​19591
• chore: extend commit hash correctly when ambigious with a non-commit object (#​19600) (89a6287), closes #​19600

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for vue-devtools-docs canceled.

Name	Link
🔨 Latest commit	a00eb45
🔍 Latest deploy log	https://app.netlify.com/sites/vue-devtools-docs/deploys/67e7a52dbe5ad10008a8c29c

[pkg-pr-new]

Open in Stackblitz

@vue/devtools-applet

npm i https://pkg.pr.new/@vue/devtools-applet@837

@vue/devtools-core

npm i https://pkg.pr.new/@vue/devtools-core@837

@vue/devtools-api

npm i https://pkg.pr.new/@vue/devtools-api@837

@vue/devtools-kit

npm i https://pkg.pr.new/@vue/devtools-kit@837

@vue/devtools

npm i https://pkg.pr.new/@vue/devtools@837

vite-plugin-vue-devtools

npm i https://pkg.pr.new/vite-plugin-vue-devtools@837

commit: 99547bf