chore(devdeps): update dependency vite to v6.2.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.2.6 -> 6.2.7

GitHub Vulnerability Alerts

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.2.7

Compare Source

Please refer to CHANGELOG.md for details.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

🦋 Changeset detected

Latest commit: d3274f1

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit d3274f1.

Command	Status	Duration	Result
nx affected -t build typecheck lint test e2e-ci	✅ Succeeded	1m 48s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-05-16 14:35:38 UTC

[github-actions]

Deployed db51302 to https://ForgeRock.github.io/ping-javascript-sdk/pr-268/db51302c7c61b455293a178bb0e6ecbb938dafcf branch gh-pages in ForgeRock/ping-javascript-sdk

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.33%. Comparing base (dd5af9a) to head (6988f25).
Report is 9 commits behind head on main.

❗ Current head 6988f25 differs from pull request most recent head d3274f1

Please upload reports for the commit d3274f1 to get more accurate results.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #268   +/-   ##
=======================================
  Coverage   49.33%   49.33%           
=======================================
  Files          29       29           
  Lines        1571     1571           
  Branches      173      173           
=======================================
  Hits          775      775           
  Misses        796      796           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.2.7). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.