Outdated vitest devDependency (^3.1.0) vulnerable to CVE-2026-47429 #533

Description

@baturmont

vitest is pinned to ^3.1.0 in 4 package.json files (root, understand-anything-plugin, packages/core, packages/dashboard), which is affected by CVE-2026-47429 (Vitest UI-server arbitrary file read/execute — exploitable when vitest --ui is exposed to a network). It's a devDependency only, not shipped as part of the plugin's runtime behavior, so the practical risk to end users is low, but it did trip an automated security scan (SkillSpector) during evaluation for install. Bumping to the patched vitest release would resolve this and remove the false-alarm surface for anyone else running the same kind of pre-install scan.
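As an added example (not code from the issue, the reporter, or the project), here is a small Node script that audits the vitest range declared in each package.json against a patched floor. The issue does not say which vitest release contains the fix, so the `3.2.0` floor below is a placeholder assumption to be replaced with the version named in the advisory; the four file paths in the constructed sample are the ones the issue lists. The check treats the lower bound of a caret range as the exposure, since a range like `^3.1.0` still admits an unpatched resolution; the lockfile decides what is actually installed, so a clean lockfile does not make the declared range acceptable to a scanner that only reads package.json.

```javascript
// Added example, not part of the original issue or project.
// Flags every package.json whose declared vitest range could still resolve
// to a version below an assumed patched floor.

// Lowest version a caret/tilde/exact/>= range admits. Returns null for
// ranges it cannot evaluate ("*", "latest", "workspace:*", git URLs).
function minVersionOfRange(range) {
  const m = /^\s*(?:\^|~|>=|=)?\s*v?(\d+)\.(\d+)\.(\d+)/.exec(range);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Three-component semver compare: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// packages: { "<relative path>/package.json": <parsed JSON object> }
// patchedFloor: "MAJOR.MINOR.PATCH" of the first fixed vitest release (assumed).
// Returns the files whose range admits a version below the floor, and the
// files whose range could not be evaluated and need a manual look.
function auditVitest(packages, patchedFloor) {
  const floor = minVersionOfRange(patchedFloor);
  if (!floor) throw new Error(`patchedFloor must be MAJOR.MINOR.PATCH, got ${patchedFloor}`);
  const outdated = [];
  const unknown = [];
  for (const [file, pkg] of Object.entries(packages)) {
    const range =
      (pkg.devDependencies && pkg.devDependencies.vitest) ||
      (pkg.dependencies && pkg.dependencies.vitest);
    if (!range) continue; // this package does not declare vitest at all
    const min = minVersionOfRange(range);
    if (!min) {
      unknown.push(file);
      continue;
    }
    if (compareVersions(min, floor) < 0) outdated.push({ file, range });
  }
  return { outdated, unknown };
}

// Read real package.json files from disk into the shape auditVitest expects.
// Only used when run against a checkout; the sample below does not touch disk.
function loadPackageJsons(root, relPaths) {
  const fs = require("fs");
  const path = require("path");
  const out = {};
  for (const rel of relPaths) {
    out[rel] = JSON.parse(fs.readFileSync(path.join(root, rel), "utf8"));
  }
  return out;
}

// Constructed sample mirroring the four files named in the issue.
const SAMPLE = {
  "package.json": { devDependencies: { vitest: "^3.1.0" } },
  "understand-anything-plugin/package.json": { devDependencies: { vitest: "^3.1.0" } },
  "packages/core/package.json": { devDependencies: { vitest: "^3.1.0" } },
  "packages/dashboard/package.json": { devDependencies: { vitest: "^3.1.0" } },
};

// ASSUMPTION: placeholder floor. The issue does not name the fixed release;
// take the real value from the vitest advisory before using this in CI.
const ASSUMED_PATCHED_FLOOR = "3.2.0";

const result = auditVitest(SAMPLE, ASSUMED_PATCHED_FLOOR);
for (const { file, range } of result.outdated) {
  console.log(`${file}: vitest ${range} admits a version below ${ASSUMED_PATCHED_FLOOR}`);
}
for (const file of result.unknown) {
  console.log(`${file}: vitest range could not be evaluated, check manually`);
}
```

To run it against a checkout, replace `SAMPLE` with `loadPackageJsons(repoRoot, [...the four paths])`. Once the range is bumped, also regenerate the lockfile; a scanner that resolves the lockfile rather than the declared range will otherwise keep flagging the old pinned version.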
