Describe the bug
Migration #1074 introduced vite as a mandatory peer dep of vitest. The currently locked vite@7.3.0 has two high-severity CVEs (GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583), patched in ≥7.3.2. pnpm.overrides does not force the resolution for peer deps, so pnpm audit --audit-level=high fails on a clean checkout with no workaround short of adding vite as an explicit devDependency. Jest didn't have this problem — no bundler in the dep tree.
Technical details: #2042
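The workaround named above, as an added package.json sketch (not taken from the project): the pnpm.overrides entry is the setting the report says does not force the peer-dep resolution, and the explicit devDependency is the one that does. The vitest version is a placeholder, not a value from the report.

```jsonc
{
  "devDependencies": {
    // Assumption: vitest is already a devDependency; the version is a placeholder.
    "vitest": "<locked vitest version>",
    // Workaround from the report: declare vite directly so the resolved version
    // is under the project's control. >=7.3.2 is the patched range quoted above.
    "vite": "^7.3.2"
  },
  "pnpm": {
    "overrides": {
      // An override of this shape alone does not, per the report, change the
      // version pulled in via the vitest peer dependency (vite@7.3.0 stays locked).
      "vite": "^7.3.2"
    }
  }
}
```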
To Reproduce
Steps to reproduce the behavior:
- Run
pnpm audit --audit-level=high
- Outcome:
pnpm audit --audit-level=high
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Vite: `server.fs.deny` bypassed with queries           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vite                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.1.0 <=7.3.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.3.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>vitest>vite                                          │
│                     │                                                        │
│                     │ common__vitest-config>vite-tsconfig-paths>vite         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-v2wj-q39q-566r      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ Vite Vulnerable to Arbitrary File Read via Vite Dev    │
│                     │ Server WebSocket                                       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vite                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=7.0.0 <=7.3.1                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=7.3.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ .>vitest>vite                                          │
│                     │                                                        │
│                     │ common__vitest-config>vite-tsconfig-paths>vite         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-p9ff-h696-f583      │
└─────────────────────┴────────────────────────────────────────────────────────┘
Expected behavior
Fails = 0
Logs
Described in the To Reproduce section above
Additional context
We expect to revert to Jest and remove the better-auth dependency from the examples (the reason is the same)