fix: patch Vite arbitrary file read vulnerability (GHSA-p9ff-h696-f583) #51

Merged
privilegedescalation-engineer[bot] merged 1 commit from gandalf/fix-vite-arbitrary-file-read-vulnerability into main 2026-05-03 17:44:05 +00:00
2 changed files with 1088 additions and 673 deletions
+2 -1
@@ -51,7 +51,8 @@
],
"overrides": {
"tar": "^7.5.11",
"undici": "^7.24.3"
"undici": "^7.24.3",
"vite": ">=6.4.2"
},
greptile-apps[bot] commented 2026-04-23 03:47:35 +00:00 (Migrated from github.com)
Review

[P1] [security] Override range includes vulnerable 7.x versions

The constraint >=6.4.2 technically satisfies pnpm with any Vite version >=6.4.2, which includes the 7.x range 7.0.0–7.3.1. Those versions are also vulnerable to GHSA-p9ff-h696-f583 (the advisory lists v7.3.2 as a separate fix release alongside v6.4.2 and v8.0.5).

In the current lockfile this doesn't bite because pnpm resolves 6.4.2 and 7.3.2 — both patched — but a future pnpm update vite or a newly added transitive dep that constrains vite to ^7.0.0 could resolve a vulnerable 7.x version and still satisfy the override.

A more precise constraint would be:

    "vite": ">=6.4.2 <7.0.0 || >=7.3.2"

This explicitly excludes the entire vulnerable 7.0.0–7.3.1 window while still allowing patched 7.3.2+ and any 8.x release.

"dependencies": {
"node-forge": "^1.4.0"
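Review bot: the `"vite": ">=6.4.2"` override added at line 55 of this hunk fixes only a lower bound, so it still admits every 7.0.0–7.3.1 release, and the replacement suggested in the comment above, `>=6.4.2 <7.0.0 || >=7.3.2`, leaves the same gap one major line up: by that comment's own reading of the advisory, the 8.x line is fixed in v8.0.5, so any 8.x release below 8.0.5 would still satisfy it. A range that tracks each fixed line, `>=6.4.2 <7.0.0 || >=7.3.2 <8.0.0 || >=8.0.5`, closes both windows; it also brings the entry closer to the bounded caret style the neighbouring `tar` and `undici` overrides already use. Separately, a second-file diff of +1086/-672 is much larger than a single version floor on one package would normally produce in a lockfile, so the suppressed file should be checked for unrelated resolution churn before this is relied on as a minimal security fix.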
+1086 -672
File diff suppressed because it is too large
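The range question raised in the review comment above is easy to check mechanically. The following is an added example, not code from this PR or from the Greptile comment: a small hand-written semver range checker (used here instead of the `semver` package so it runs with no dependencies) that evaluates the merged override, the suggested override, and a tighter per-line form of my own against a constructed sample of versions on either side of the fix releases the comment quotes from the advisory (v6.4.2, v7.3.2, v8.0.5). The sample version list and the `perLine` range are assumptions for illustration; the checker handles only the comparator syntax these overrides use.

```javascript
// Added example, not code from the PR or from the Greptile comment above.
// A minimal semver range checker (written here instead of depending on the
// `semver` package) used to show which Vite versions each override string
// admits. Supports only what the overrides need: >=, <=, >, <, = comparators,
// whitespace-separated AND, and "||" OR. No prerelease or x-range handling.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '>=': (c) => c >= 0,
  '<=': (c) => c <= 0,
  '>': (c) => c > 0,
  '<': (c) => c < 0,
  '=': (c) => c === 0,
};

function parseComparator(token) {
  const m = /^(>=|<=|>|<|=)?(.+)$/.exec(token);
  return { test: OPS[m[1] || '='], version: parseVersion(m[2]) };
}

// A range is an OR ("||") of comparator sets; a set is an AND of comparators.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((set) =>
    set.trim().split(/\s+/).filter(Boolean).map(parseComparator)
      .every(({ test, version: cv }) => test(compareVersions(v, cv))));
}

// Fix releases per major line, as the advisory is quoted in the review comment.
// A version below the fix for its own major line is treated as vulnerable here;
// lines the advisory does not name are not flagged.
const FIX_RELEASES = { 6: '6.4.2', 7: '7.3.2', 8: '8.0.5' };

function isBelowFix(version) {
  const v = parseVersion(version);
  const fix = FIX_RELEASES[v[0]];
  return fix !== undefined && compareVersions(v, parseVersion(fix)) < 0;
}

// Constructed sample of candidate versions around each fix boundary
// (not a registry listing).
const SAMPLE_VERSIONS = ['6.4.1', '6.4.2', '7.0.0', '7.3.1', '7.3.2', '8.0.4', '8.0.5'];

// Versions in `candidates` that the override would accept AND that sit below
// their line's fix release: the window the override fails to close.
function admittedVulnerable(range, candidates = SAMPLE_VERSIONS) {
  return candidates.filter((c) => satisfies(c, range) && isBelowFix(c));
}

const RANGES = {
  pr: '>=6.4.2',                                   // as merged in the hunk
  suggested: '>=6.4.2 <7.0.0 || >=7.3.2',          // Greptile's suggestion
  // Assumed tighter form (my own, not from the page): pins every line named
  // by the advisory to its fix release or later.
  perLine: '>=6.4.2 <7.0.0 || >=7.3.2 <8.0.0 || >=8.0.5',
};

for (const [name, range] of Object.entries(RANGES)) {
  console.log(`${name.padEnd(9)} ${range.padEnd(48)} still admits: ${JSON.stringify(admittedVulnerable(range))}`);
}
```

Run with `node` as-is. On the constructed sample, the merged `>=6.4.2` still admits 7.0.0, 7.3.1 and 8.0.4; the suggested range drops the 7.x pair but still admits 8.0.4; only the per-line range admits nothing below a fix release. The same `admittedVulnerable` call can be pointed at the real version list from `pnpm view vite versions --json` when deciding on an override.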