This repository was archived by the owner on Jun 1, 2025. It is now read-only.


renovate-bot

This PR contains the following updates:

Package          Change
vite (source)    6.3.3 -> 6.3.4
vite (source)    ^6.3.3 -> ^6.3.4

GitHub Vulnerability Alerts

GHSA-859w-5945-r5v3

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

  • Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
  • Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns could be bypassed for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest                          # scaffold the default project
cd vite-project/
echo "secret" > .env                            # a file the default server.fs.deny patterns should block
npm install
npm run dev                                     # dev server listens on http://localhost:5173
curl --request-target /.env/. http://localhost:5173   # the trailing "/." slipped past the deny pattern



Release Notes

vitejs/vite (vite)

v6.3.4



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
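The advisory above describes deny patterns that were matched against the request target as received, so a trailing `/.` (or a trailing slash) changed the string without changing the file served. The following is an added illustration, not Vite's code and not the fix shipped in 6.3.4: a naive check beside a hardened one that canonicalizes the path before matching. The `globToRegExp` and `canonicalize` helpers and the `%2e` handling are assumptions written for this example.

```javascript
// Minimal glob -> RegExp covering the shapes in the default deny list
// ('*' and '{a,b}'); patterns are matched against the path relative to root.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      re += "[^/]*";
    } else if (c === "{") {
      const end = glob.indexOf("}", i);
      re += "(?:" + glob.slice(i + 1, end).split(",").join("|") + ")";
      i = end;
    } else {
      re += c.replace(/[.+?^$()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

// The default server.fs.deny patterns named in the advisory.
const DEFAULT_DENY = [".env", ".env.*", "*.{crt,pem}"].map(globToRegExp);

// Naive check: strips the leading slash and matches the target as received.
// "/.env/." is ".env/." here, which none of the patterns match.
function isDeniedNaive(requestPath, deny = DEFAULT_DENY) {
  const rel = requestPath.replace(/^\/+/, "");
  return deny.some((re) => re.test(rel));
}

// Canonicalize first: decode, drop empty and "." segments (this removes the
// trailing "/." and "/" tricks), and never let ".." climb above the root.
// Assumption: decoding "%2e" mirrors what the file server does before reading.
function canonicalize(requestPath) {
  const segments = [];
  for (const seg of decodeURIComponent(requestPath).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return segments.join("/");
}

// Hardened check: the deny decision is made on the same path that would be served.
function isDeniedHardened(requestPath, deny = DEFAULT_DENY) {
  return deny.some((re) => re.test(canonicalize(requestPath)));
}
```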

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Apr 30, 2025

codecov bot commented Apr 30, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 20.32%. Comparing base (449251e) to head (6478b33).
Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1347   +/-   ##
=======================================
  Coverage   20.32%   20.32%           
=======================================
  Files           8        8           
  Lines         965      965           
  Branches      352      327   -25     
=======================================
  Hits          196      196           
  Misses        769      769           

☔ View full report in Codecov by Sentry.

@renovate-bot renovate-bot changed the title chore(deps): update dependency vite to v6.3.4 [security] chore(deps): update dependency vite to v6.3.4 [security] - autoclosed Apr 30, 2025
@renovate-bot renovate-bot deleted the renovate/npm-vite-vulnerability branch April 30, 2025 20:11