This PR contains the following updates:

| Package | Change |
|---|---|
| [vite](https://vite.dev) ([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.2.2` -> `6.2.3`](https://renovatebot.com/diffs/npm/vite/6.2.2/6.2.3) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

### GitHub Vulnerability Alerts

#### [CVE-2025-30208](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w)

### Summary

The contents of arbitrary files can be returned to the browser.

### Impact

Only apps explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.

### Details

`@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes.

### PoC

```bash
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url "/tmp/secret.txt" is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...
```

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v6.2.3`](https://redirect.github.com/vitejs/vite/releases/tag/v6.2.3)

[Compare Source](https://redirect.github.com/vitejs/vite/compare/v6.2.2...v6.2.3)

Please refer to [CHANGELOG.md](https://redirect.github.com/vitejs/vite/blob/v6.2.3/packages/vite/CHANGELOG.md) for details.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/ruff).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
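A log check for the request shape the advisory above describes, as an added example that is not part of the commit message or of Vite's code. It assumes a reverse proxy or logging middleware in front of the dev server writes combined-format access logs; the function names, the sample lines and the handling of a trailing `&` are assumptions.

```javascript
// Added example. Log format and sample lines are constructed; names are hypothetical.
const REQUEST_RE = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/;
// The advisory names "?" as a trailing separator; also trimming "&" is an assumption.
const TRAILING_SEPARATORS_RE = /[?&]+$/;

// Classify a request target as "ignore", "fs-request" or "bypass-shape".
function classifyTarget(target) {
  const q = target.indexOf("?");
  const path = q === -1 ? target : target.slice(0, q);
  const query = q === -1 ? "" : target.slice(q + 1);
  let decodedPath = path;
  try {
    decodedPath = decodeURIComponent(path); // also catches /%40fs/
  } catch {
    // malformed escape: fall back to the raw path
  }
  if (!decodedPath.startsWith("/@fs/")) return "ignore";
  const trimmed = query.replace(TRAILING_SEPARATORS_RE, "");
  const keys = trimmed.split("&").map((part) => part.split("=")[0]);
  // A raw request whose query only matches after trailing separators are stripped.
  return keys.includes("raw") && trimmed !== query ? "bypass-shape" : "fs-request";
}

// Return one finding per matching log line; `served` is true for a 2xx response.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, target, status] = m;
    if (classifyTarget(target) !== "bypass-shape") continue;
    findings.push({ target, status: Number(status), served: status.startsWith("2") });
  }
  return findings;
}

// Constructed sample lines (documentation address ranges).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /@fs/tmp/secret.txt HTTP/1.1" 403 180',
  '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /@fs/tmp/secret.txt?import&raw?? HTTP/1.1" 200 96',
  '127.0.0.1 - - [01/Jan/2025:10:01:00 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 512',
  '192.0.2.44 - - [01/Jan/2025:10:02:00 +0000] "GET /@fs/tmp/secret.txt?raw?? HTTP/1.1" 403 180',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`${f.served ? "SERVED" : "blocked"} ${f.status} ${f.target}`);
}
```

A `SERVED` finding is a 2xx response to the query shape from the advisory, and is the line to investigate on a dev server that was exposed with `--host` or `server.host`.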
| Name |
|---|
| api |
| knot |
| ruff |
| shared |
| .gitignore |
| .prettierignore |
| README.md |
| eslint.config.mjs |
| package-lock.json |
| package.json |
| tsconfig.json |
| tsconfig.node.json |
README.md
playground
In-browser playground for Ruff. Available at https://play.ruff.rs/.
Getting started
Install the NPM dependencies with `npm install`, and run the development server with
`npm start --workspace ruff-playground` or `npm start --workspace knot-playground`.
You may need to restart the server after making changes to Ruff or Red Knot to re-build the WASM
module.
To run the datastore, which is based on Workers KV, install the Wrangler CLI,
then run `npx wrangler dev --local` from the `./playground/api` directory. Note that the datastore
is only required to generate shareable URLs for code snippets. The development datastore does not
require Cloudflare authentication or login, but in turn only persists data locally.
Architecture
The playground is implemented as a single-page React application powered by Vite, with the editor experience itself powered by Monaco.
The playground stores state in `localStorage`, but supports persisting code snippets to
a persistent datastore based on Workers KV and exposed via a Cloudflare Worker.
The playground design is originally based on Tailwind Play, with additional inspiration from the Biome Playground.
Known issues
Stack overflows
If you see stack overflows in the playground, build the WASM module in release mode:
`npm run --workspace knot-playground build:wasm`.