Vitest version 0.31.2 brings incremental updates and refinements to the blazing-fast unit testing framework powered by Vite. Building upon the solid foundation of version 0.31.1, this release includes updates to several core dependencies, notably vite-node (from 0.31.1 to 0.31.2) and the internal @vitest packages (@vitest/spy, @vitest/utils, @vitest/expect, @vitest/runner, and @vitest/snapshot), ensuring a more cohesive and potentially optimized testing experience.
While the surface-level changes might seem minor, these updates often incorporate crucial bug fixes, performance improvements, and enhanced stability. Developers upgrading from 0.31.1 can expect a smoother testing workflow with enhanced compatibility and potentially faster test execution speeds. The updated vite-node integration is particularly interesting because it handles module resolution and transformation.
Furthermore, the birpc dev dependency has been updated from version 0.2.11 to 0.2.12. Although it's only a dev dep it suggests potential improvements with the bi-directional RPC layer, which may be important if you are using some advanced features of vitest.
The unpacked size has slightly increased from 1289998 to 1294002, suggesting the addition of new features, updated assets or more verbose code. Vitest continues to offer a rich set of features, including mocking, spying, snapshot testing, and comprehensive coverage reports. These incremental updates solidify Vitest's position as a robust and reliable choice for modern web development testing, tightly integrating with Vite projects for seamless integration and developer experience.
All the vulnerabilities related to the version 0.31.2 of the package
esbuild enables any website to send any requests to the development server and read the response
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
esbuild sets Access-Control-Allow-Origin: * header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
Attack scenario:
http://malicious.example.com).fetch('http://127.0.0.1:8000/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.http://127.0.0.1:8000/main.js.In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
/index.html: normally you have a script tag here/assets: it's common to have a assets directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files/esbuild SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data)))The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
npm inpm run watchfetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content)) in a different website's dev tools.Users using the serve feature may get the source code stolen by malicious websites.