Skip to content

release: v0.2.4: Vitest security hotfix#2093

Merged
wan9chi merged 2 commits into
mainfrom
release/v0.2.4
Jul 8, 2026
Merged

release: v0.2.4: Vitest security hotfix#2093
wan9chi merged 2 commits into
mainfrom
release/v0.2.4

Conversation

@voidzero-guard

@voidzero-guard voidzero-guard Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Release vite-plus v0.2.4: Vitest security hotfix.

This hotfix updates the bundled Vitest Browser Mode packages to 4.1.10, which includes the fix for GHSA-p63j-vcc4-9vmv. The advisory is critical and affects @vitest/browser <=4.1.9.

Highlights

  • Critical Vitest Browser Mode advisory fixed: bundled vitest and @vitest/browser* move from 4.1.9 to 4.1.10, addressing GHSA-p63j-vcc4-9vmv, where provider commands could bypass the file access permission gate (#2089), by @voidzero-guard[bot]

Chore

  • Add the standard release-manager skill for vite-plus release operations (#2019), by @fengmk2

Bundled Versions

Tool Version Source
vite 8.1.3 578ffb8
rolldown 1.1.4 6cbd233
tsdown 0.22.3 npm
vitest 4.1.10 npm
oxlint 1.72.0 npm
oxlint-tsgolint 0.24.0 npm
oxfmt 0.57.0 npm

Upgrade

vp upgrade

New Contributors

No new contributors in this release.

Full Changelog: v0.2.3...v0.2.4


Merging this PR will trigger the release workflow.

@netlify

netlify Bot commented Jul 8, 2026

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 7fff5b0
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a4e09bf85beaa000812cf9a

NAPI bakes the package.json version into binding/index.cjs version

checks. The prepare_release workflow bumps package.json but does not

regenerate this file, so the CI build's regeneration step produces a

diff that the post-build no-unexpected-changes guard rejects.
@wan9chi wan9chi changed the title release: v0.2.4 release: v0.2.4: Vitest security hotfix Jul 8, 2026
@wan9chi wan9chi merged commit 1ca9f0f into main Jul 8, 2026
47 checks passed
@wan9chi wan9chi deleted the release/v0.2.4 branch July 8, 2026 08:42
@wan9chi

wan9chi commented Jul 8, 2026

Copy link
Copy Markdown
Member

Discord announcement draft:

:viteplus: **vite-plus v0.2.4 is out** :tada:

Security hotfix for Vitest Browser Mode.

**Highlights**
:lock: Fixes critical [GHSA-p63j-vcc4-9vmv](https://github.com/vitest-dev/vitest/security/advisories/GHSA-p63j-vcc4-9vmv) in bundled Vitest Browser Mode

**Upstream Upgrades**
:package: vitest `4.1.9` -> `4.1.10`
:package: `@vitest/browser*` `4.1.9` -> `4.1.10`

**Bundled versions**
vite `8.1.3`, rolldown `1.1.4`, tsdown `0.22.3`, vitest `4.1.10`, oxlint `1.72.0`, oxlint-tsgolint `0.24.0`, oxfmt `0.57.0`

**Upgrade**: `vp upgrade`

Full notes: <https://github.com/voidzero-dev/vite-plus/releases/tag/v0.2.4>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants