chore(deps): update dependency vite to v6.2.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.2.3 -> 6.2.4

GitHub Vulnerability Alerts

CVE-2025-31125

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

• base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
• content of non-allowed files is exposed using ?raw?import

/@​fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@​fs/C:/windows/win.ini?import&?inline=1.wasm?init

---

Release Notes

vitejs/vite (vite)

v6.2.4

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying unplugin-vue-router with    Cloudflare Pages

Latest commit:	8133a2f
Status:	✅  Deploy successful!
Preview URL:	https://207448c6.unplugin-vue-router.pages.dev
Branch Preview URL:	https://renovate-npm-vite-vulnerabil.unplugin-vue-router.pages.dev

View logs

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+260	70.6 MB	danielroe
npm/[email protected]	None	0	4.61 kB	sindresorhus
npm/[email protected]	None	0	51.4 kB	pi0

🚮 Removed packages: npm/[email protected]

View full report↗︎

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/unplugin-vue-router@618

commit: 8133a2f

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 61.68%. Comparing base (e98250b) to head (8133a2f).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #618   +/-   ##
=======================================
  Coverage   61.68%   61.68%           
=======================================
  Files          32       32           
  Lines        3145     3145           
  Branches      580      580           
=======================================
  Hits         1940     1940           
  Misses       1199     1199           
  Partials        6        6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.