The advisory says that all versions <4.1.0 are vulnerable, but this range seems inaccurate.
Other reporting tools like snyk.io show that vitest@3 has the vulnerability fixed in v3.2.5 and v4.1.6:
I believe the fix for thevitest vulnerability was backported to the V3 branch: vitest-dev/vitest#10456
So the patched versions should be >=3.2.5, >=4.1.6, >=5.0.0-beta.3
The advisory says that all versions
<4.1.0are vulnerable, but this range seems inaccurate.Other reporting tools like snyk.io show that
vitest@3has the vulnerability fixed in v3.2.5 and v4.1.6:I believe the fix for the
vitestvulnerability was backported to the V3 branch: vitest-dev/vitest#10456So the patched versions should be
>=3.2.5, >=4.1.6, >=5.0.0-beta.3