This hotfix updates the bundled Vitest Browser Mode packages to 4.1.10, which includes the fix for GHSA-p63j-vcc4-9vmv. The advisory is critical and affects @vitest/browser <=4.1.9.
Highlights
- Critical Vitest Browser Mode advisory fixed: bundled
vitestand@vitest/browser*move from4.1.9to4.1.10, addressing GHSA-p63j-vcc4-9vmv, where provider commands could bypass the file access permission gate (#2089), by @voidzero-guard[bot]
Chore
Bundled Versions
| Tool | Version | Source |
|---|---|---|
| vite | 8.1.3
| 578ffb8
|
| rolldown | 1.1.4
| 6cbd233
|
| tsdown | 0.22.3
| npm |
| vitest | 4.1.10
| npm |
| oxlint | 1.72.0
| npm |
| oxlint-tsgolint | 0.24.0
| npm |
| oxfmt | 0.57.0
| npm |
Upgrade
vp upgradeNew Contributors
No new contributors in this release.
Full Changelog: v0.2.3...v0.2.4
Published Packages
@voidzero-dev/vite-plus-core@0.2.4vite-plus@0.2.4
Installation
macOS/Linux:
curl -fsSL https://vite.plus | bashWindows:
irm https://vite.plus/ps1 | iexOr download and run vp-setup.exe from the assets below.
Docker:
docker run --rm -it -v "$PWD:/app" -w /app ghcr.io/voidzero-dev/vite-plus:0.2.4 vp buildRun any vp command without installing it; see the Docker guide for more.