fix(deps): mitigate vite security vulnerabilities#156

Merged
macalbert merged 1 commit into main from fix/vite-security-vulnerabilities
Apr 10, 2026

Conversation

@macalbert
Owner

@macalbert macalbert commented Apr 10, 2026

Summary

Mitigates three Vite security vulnerabilities detected by Dependabot by adding a pnpm.overrides entry to pin vite >= 7.3.2. Vite is a transitive dev dependency (peer of vitest) and resolved to 8.0.8, which is compatible with vitest ^4.1.2.

Changes

  • package.json: Added "vite": ">=7.3.2" to pnpm.overrides
  • pnpm-lock.yaml: Updated lockfile reflecting vite 8.0.8 resolution

Testing

  • pnpm test passes (196 tests, 28 files)
  • pnpm lint passes
  • CI pipeline green

Related

Add pnpm override to pin vite >=7.3.2, resolving:

- Arbitrary File Read via WebSocket (Dependabot #54)

- server.fs.deny bypassed with queries (Dependabot #52)

- Path Traversal in Optimized Deps .map Handling (Dependabot #53)

Vite resolved to 8.0.8 (peer-compatible with vitest ^4.1.2).
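The description above relies on two facts that are easy to get wrong when an override is applied to a transitive dependency: that pnpm really resolved the overridden package to a version inside the override range, and that the version it picked is still usable on the Node versions the project declares in engines.node (the point the reviews below turn on). The following script is an added example, not code from this PR or the project: it reads a package.json object and a pnpm-lock.yaml text, extracts each resolved version of the overridden package with its declared engines range, and reports whether the override held and whether the dependency's Node requirement covers the project's own Node floor. The lockfile excerpt is constructed to match the shape of a pnpm v9 lockfile; the version numbers and ranges in it are the ones quoted in this PR, and the integrity value is a placeholder. No third-party packages are used; the small range evaluator covers the node-semver subset that appears in engines and override fields.

```javascript
// Added example (not the project's own code): check that a pnpm override took
// effect in pnpm-lock.yaml and that the resolved version's Node engine range
// still covers the Node floor the project promises in engines.node.

// Constructed inputs: versions and ranges are those quoted in the PR;
// the integrity value is a placeholder, not a real hash.
const CONSTRUCTED_PACKAGE_JSON = {
  engines: { node: '>=20.0.0' },
  pnpm: { overrides: { vite: '>=7.3.2' } },
};

const CONSTRUCTED_LOCKFILE = `
packages:

  vite@8.0.8:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: ^20.19.0 || >=22.12.0}
    hasBin: true
`;

// Parses "8.0.8", "v20.19.0" or a partial "8" (missing parts read as 0).
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(text.trim());
  if (!m) throw new Error(`not a semver version: ${text}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` lies inside `range`: '||' separates alternatives,
// whitespace separates comparators that must all hold, '^' is a caret range.
// (The ^0.0.x special case of node-semver is not needed for engines fields.)
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alternative) =>
    alternative.trim().split(/\s+/).every((part) => {
      if (part.startsWith('^')) {
        const lo = parseVersion(part.slice(1));
        const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : [0, lo[1] + 1, 0];
        return compare(v, lo) >= 0 && compare(v, hi) < 0;
      }
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(part);
      const c = compare(v, parseVersion(m[2]));
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '>': return c > 0;
        case '<=': return c <= 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    }),
  );
}

// Lowest version a project's engines.node range admits ('>=x.y.z' / '^x.y.z').
function minVersion(range) {
  const m = /(?:>=|\^)?\s*(\d+\.\d+\.\d+)/.exec(range.split('||')[0]);
  if (!m) throw new Error(`cannot derive a lower bound from: ${range}`);
  return m[1];
}

// Every resolved version of `name` under `packages:` in a pnpm v9 lockfile,
// with its `engines: {node: ...}` range when one is declared (quotes stripped).
function resolvedVersions(lockfileText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const header = new RegExp(`^  ${escaped}@(\\d+\\.\\d+\\.\\d+[^:(]*)(\\(.*\\))?:$`);
  const lines = lockfileText.split('\n');
  const found = [];
  for (let i = 0; i < lines.length; i++) {
    const head = header.exec(lines[i]);
    if (!head) continue;
    let node = null;
    for (let j = i + 1; j < lines.length && lines[j].startsWith('    '); j++) {
      const eng = /^    engines: \{node: (.+)\}$/.exec(lines[j]);
      if (eng) node = eng[1].replace(/^'(.*)'$/, '$1');
    }
    found.push({ version: head[1], node });
  }
  return found;
}

// One report row per resolved copy of the overridden package.
function checkOverride(pkg, lockfileText, name) {
  const overrideRange = pkg.pnpm.overrides[name];
  const projectFloor = minVersion(pkg.engines.node);
  return resolvedVersions(lockfileText, name).map(({ version, node }) => ({
    version,
    satisfiesOverride: satisfies(version, overrideRange),
    dependencyNode: node,
    // The dependency must accept the lowest Node the project claims to support.
    engineCompatible: node === null || satisfies(projectFloor, node),
  }));
}

console.log(JSON.stringify(checkOverride(CONSTRUCTED_PACKAGE_JSON, CONSTRUCTED_LOCKFILE, 'vite'), null, 2));
```

Run against the constructed inputs, the single row reports `satisfiesOverride: true` (8.0.8 is inside `>=7.3.2`) but `engineCompatible: false`, because 20.0.0, the floor of the project's `>=20.0.0`, is outside vite's `^20.19.0 || >=22.12.0`. In a real repository the two inputs would come from `require('./package.json')` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')`, and the check belongs in CI next to `pnpm install --frozen-lockfile`, so that an override which silently floats to a new major is caught before it breaks installs on the oldest supported Node.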
Copilot AI review requested due to automatic review settings April 10, 2026 09:29
@coderabbitai
Contributor

coderabbitai Bot commented Apr 10, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • package.json is excluded by none and included by none
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bbd36196-4509-4cc8-bda7-206131e35787

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

@macalbert macalbert self-assigned this Apr 10, 2026
@macalbert macalbert added the bug Something isn't working label Apr 10, 2026
@macalbert macalbert merged commit a3eea51 into main Apr 10, 2026
10 checks passed
@macalbert macalbert deleted the fix/vite-security-vulnerabilities branch April 10, 2026 09:31
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a version override for Vite in package.json and updates the pnpm-lock.yaml file. The review feedback highlights that the version numbers used (Vite 8.0.8 and Vitest 4.1.2) appear to be incorrect or non-existent, with the Vite integrity hash actually corresponding to a version still susceptible to security vulnerabilities. Additionally, the reviewer points out that manual edits to the lockfile are fragile and recommends letting pnpm manage it automatically while also suggesting that new native dependencies be added to the onlyBuiltDependencies list.

Comment thread package.json
"defu": ">=6.1.5",
"lodash": ">=4.18.0"
"lodash": ">=4.18.0",
"vite": ">=7.3.2"
Contributor

security-critical critical

The version range ">=7.3.2" and the resolved version 8.0.8 in the lockfile appear to be incorrect. As of now, Vite 6 is the latest major version. More importantly, the integrity hash provided in pnpm-lock.yaml for vite@8.0.8 (dbU7...) actually corresponds to vite@6.0.8, which is still vulnerable to the security issues you are trying to mitigate (e.g., CVE-2024-51744 was fixed in 6.0.11).

Additionally, the new transitive dependencies lightningcss and rolldown introduced by this version of Vite should be added to the pnpm.onlyBuiltDependencies list (around line 121) to ensure their native components are correctly initialized, following the pattern of esbuild and sharp.

Suggested change
"vite": ">=7.3.2"
"vite": ">=6.0.11"

Comment thread pnpm-lock.yaml
overrides:
defu: '>=6.1.5'
lodash: '>=4.18.0'
vite: '>=7.3.2'
Contributor

high

The lockfile appears to have been manually edited with non-existent version numbers (e.g., vite@8.0.8, vitest@4.1.2) and modified peerDependencies ranges (e.g., lines 1807, 3877). Manual edits to the lockfile are fragile and will be overwritten during the next pnpm install. It is strongly recommended to let pnpm manage the lockfile automatically based on the overrides in package.json. If you need to adjust peer dependency metadata, use pnpm.packageExtensions in package.json instead.

Contributor

Copilot AI left a comment

Pull request overview

Mitigates Dependabot-reported Vite vulnerabilities by forcing the workspace to resolve Vite to a non-vulnerable version via pnpm.overrides, updating the lockfile accordingly.

Changes:

  • Add vite: >=7.3.2 to pnpm.overrides to enforce a safe Vite version.
  • Update pnpm-lock.yaml to reflect resolution to vite@8.0.8 (and new transitive deps).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

  • package.json: Adds a pnpm override to enforce Vite >=7.3.2 across the workspace.
  • pnpm-lock.yaml: Lockfile refresh showing Vite resolved to 8.0.8 and associated dependency graph changes.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Comment thread package.json
Comment on lines 129 to 133
"overrides": {
"defu": ">=6.1.5",
"lodash": ">=4.18.0"
"lodash": ">=4.18.0",
"vite": ">=7.3.2"
}
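Review bot: the new `"vite": ">=7.3.2"` override has no upper bound, so pnpm is free to resolve it to any newer major (the PR description reports 8.0.8), which is how the stricter Node engine range discussed in this thread was pulled in along with the new transitive dependencies; if the intent is only to clear the advisories on the 7.x line, bound the range (e.g. `"vite": ">=7.3.2 <8"`) and confirm the result with `pnpm why vite` before committing the lockfile, and either way record in the PR description why the chosen version is the one that closes the three Dependabot alerts.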

Copilot AI Apr 10, 2026

The new Vite resolution (8.0.8) requires Node ^20.19.0 || >=22.12.0 (see lockfile), but this override is added in a repo that currently declares engines.node: >=20.0.0 and runs CI on 20.x. Please either (a) constrain the override to a Vite version that supports the project’s declared minimum Node version, or (b) bump the project’s declared Node engine/CI version to match Vite’s minimum (>=20.19.0).

Comment thread pnpm-lock.yaml
Comment on lines 3833 to 3836
engines: {node: ^20.19.0 || >=22.12.0}
hasBin: true
peerDependencies:
'@types/node': ^20.19.0 || >=22.12.0
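Review bot: the `engines: {node: ^20.19.0 || >=22.12.0}` entry here is vite@8.0.8's own package metadata copied into the lockfile, not a project setting, so editing it in pnpm-lock.yaml (as the suggested change below proposes) would be discarded on the next install and would not change what the installed package requires; the mismatch with the repo's `engines.node: >=20.0.0` has to be resolved in package.json, either by raising the project's Node floor and CI matrix to `>=20.19.0` or by bounding the vite override to a version that supports the current floor.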

Copilot AI Apr 10, 2026

vite@8.0.8 (pulled in by the override) declares engines.node: ^20.19.0 || >=22.12.0. That is stricter than the repo’s package.json engine (>=20.0.0) and can break installs/runs for users on Node 20.0–20.18. Consider aligning the repo’s supported Node version with this minimum, or constraining the Vite override to a version compatible with the intended Node baseline.

Suggested change
engines: {node: ^20.19.0 || >=22.12.0}
hasBin: true
peerDependencies:
'@types/node': ^20.19.0 || >=22.12.0
engines: {node: '>=20.0.0'}
hasBin: true
peerDependencies:
'@types/node': '>=20.0.0'
