Vitest 0.25.7 represents a minor update over version 0.25.6 of this blazing-fast unit test framework powered by Vite. While the core functionality remains consistent, examining the changes reveals subtle but potentially important refinements for developers. One key difference lies in the declared compatibility with Vite. Version 0.25.7 explicitly states support for both Vite 3.x and 4.x (vite":"^3.0.0 || ^4.0.0"), whereas version 0.25.6 simply declared support for Vite 3.x (vite":"^3.0.0"). This broadened compatibility ensures users who have upgraded to Vite 4 enjoy seamless integration with the latest Vitest release.
Beyond this primary change, the updates appear to be incremental, addressing underlying issues or minor version bumps within the dependency tree. For instance, the vite-node and @vitest/ui devDependencies are updated to 0.25.7, aligning them with the core Vitest package version, ensuring consistent internal tooling. Discrepancies in unpackedSize and releaseDate attribute indicate changes in packaging, the build, or release process, suggesting potential bug fixes and optimizations. Developers will appreciate Vitest's commitment to staying current with the Vite ecosystem, offering a consistent, performant testing experience especially for projects leveraging the latest Vite features. These iterative improvements contributes to a more reliable and robust testing environment.
All the vulnerabilities related to the version 0.25.7 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.