Update dependency vite to v7 [SECURITY]

[nbudin]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	^6.4.2 → ^7.0.0

GitHub Vulnerability Alerts

CVE-2026-39364

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• the sensitive file exists in the allowed directories specified by server.fs.allow
• the sensitive file is denied with a pattern that matches a file by server.fs.deny

Details

On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.

PoC

1. Start the dev server: pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
2. Confirm that server.fs.deny is enforced (expect 403): curl -i http://127.0.0.1:5175/src/.env | head -n 20
   
3. Confirm that the same files can be retrieved with query parameters (expect 200):
   

CVE-2026-39363

Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@​fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

CVE-2026-39365

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

1. Create a minimal PoC sourcemap outside the project root

   cat > /tmp/poc.map <<'EOF'
   {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
   EOF

2. Start the Vite dev server (example)

   pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

3. Confirm that direct /@​fs access is blocked by strict (returns 403)
   
4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
   

---

Release Notes

vitejs/vite (vite)

v7.3.2

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.1

Compare Source

Features

• add ignoreOutdatedRequests option to optimizeDeps (#​21364) (9d39d37)

v7.3.0

Compare Source

Features

• deps: update esbuild from ^0.25.0 to ^0.27.0 (#​21183) (cff26ec)

v7.2.7

Compare Source

Bug Fixes

• plugin shortcut support (#​21211) (721f163)

v7.2.6

Compare Source

7.2.6 (2025-12-01)

v7.2.4

Compare Source

Today, we're thrilled to announce the release of the next Vite major:

• Vite 8.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#​21382)
• update default browser target (#​21193)
• the epic rolldown-vite merge (#​21189)

Features

• update rolldown to 1.0.0-rc.9 (#​21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#​21781) (ada493e)
• css: support es2025 build target for lightningcss (#​21769) (08906e7)
• forward browser console logs and errors to dev server terminal (#​20916) (2540ed0)
• update rolldown to 1.0.0-rc.8 (#​21790) (a0c950e)
• export Visitor and ESTree from rolldown/utils (#​21664) (45de31e)
• update rolldown to 1.0.0-rc.6 (#​21714) (37a65f8)
• use util.inspect for CLI error display (#​21668) (5f425a9)
• update rolldown to 1.0.0-rc.5 (#​21660) (b3ddbc5)
• update rolldown to 1.0.0-rc.4 (#​21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#​21102) (216a3b5)
• integrate devtools (#​21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#​21554) (43358e9)
• manifest: add assets field for standalone CSS entry points (#​21015) (f289b9b)
• update rolldown to 1.0.0-rc.2 (#​21512) (fa136a9)
• bundled-dev: support worker in initial bundle (#​21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#​21381) (b0dd5a9)
• shortcuts case insensitive (#​21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#​21463) (ff9dd7f)
• warn if envPrefix contains spaces (#​21292) (9fcde3c)
• update rolldown to 1.0.0-beta.60 (#​21408) (c33aa7c)
• update rolldown to 1.0.0-beta.59 (#​21374) (0037943)
• add ignoreOutdatedRequests option to optimizeDeps (#​21364) (b2e75aa)
• add ios to default esbuild targets (#​21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#​21354) (ba40cef)
• update rolldown to 1.0.0-beta.57 (#​21335) (d5412ef)
• css: support es2024 build target for lightningcss (#​21294) (bd33b8e)
• update rolldown to 1.0.0-beta.56 (#​21323) (9847a63)
• introduce v2 native plugins and enable it by default (#​21268) (42f2ab3)
• ssr: avoid errors when rewriting already rewritten stacktrace (#​21269) (98d9a33)
• update rolldown to 1.0.0-beta.55 (#​21300) (2c8db85)
• update rolldown to 1.0.0-beta.54 (#​21267) (c751172)
• add a warning that is output when a plugin sets esbuild related options (#​21218) (200646b)
• highly experimental full bundle mode (#​21235) (83d8c99)
• print esbuild options when both esbuild and oxc options are set (#​21216) (08ae87b)
• update default browser target (#​21193) (8c3dd06)
• the epic rolldown-vite merge (#​21189) (4a7f8d4)

Bug Fixes

• deps: update all non-major dependencies (#​21786) (eaa4352)
• use watch.watcher instead of watch.notify (#​21793) (88953b3)
• css: apply server.origin to public file URLs in CSS (fix #​18457) (#​21697) (c967f48)
• deps: update all non-major dependencies (#​21732) (5c921ca)
• dev: disable extglobs for consistency (#​21745) (1958eeb)
• lib: keep annotation comments for es output (#​21740) (dd3c4f4)
• optimizer: avoid error happening with a package with asset entrypoint (#​21766) (f7e1d07)
• ssr: throw friendly error when calling ssrLoadModule with non-runnable ssr env (#​21739) (1fa736e)
• types: remove extends ImportMeta from ModuleRunnerImportMeta (#​21710) (0176d45)
• wasm: reset assetUrlRE.lastIndex before .test() in SSR builds (#​21780) (3a0d8d9)
• deps: update all non-major dependencies (#​21691) (521fdc0)
• optimizer: avoid duplicate modules when preserveSymlinks is enabled (#​21720) (72165e0)
• dev: only treat EADDRINUSE as port conflict in wildcard pre-check (#​21642) (e54e25f)
• dev: prevent concurrent server restarts (#​21636) (8ce23a3)
• dev: return "502 Bad Gateway" on proxy failures instead of 500 (#​21652) (e240df2)
• clear tsconfig cache only when tsconfig.json is cached (#​21622) (50c9675)
• deps: update all non-major dependencies (#​21594) (becdc5d)
• lib: CSS injection point error with nested name IIFE output (#​21606) (5003de6)
• module-runner: incorrect column with sourcemapInterceptor: "prepareStackTrace" (#​21562) (416c095)
• module-runner: prevent crash on negative column in stacktrace (#​21585) (a075590)
• rolldownOptions/rollupOptions merging at environment level (#​21612) (db2ecc7)
• scanner: respect tsconfig.json (#​21547) (c6c04db)
• avoid registering customization hook for import meta resolver multiple times (#​21518) (8bb3203)
• config: avoid watching rolldown runtime virtual module (#​21545) (d18b139)
• deps: update all non-major dependencies (#​21540) (9ebaeaa)
• populate originalFileNames when resolving CSS asset paths (#​21542) (8b47ff7)
• deps: update all non-major dependencies (#​21488) (2b32ca2)
• disable tsconfig option when loading config (#​21517) (5025c35)
• optimizer: map relative new URL paths to correct relative file location (#​21434) (ca96cbc)
• avoid using deprecated output.inlineDynamicImport option (#​21464) (471ce62)
• use separate hook object for each environment (#​21472) (66347f6)
• deps: update all non-major dependencies (#​21440) (1835995)
• dev: avoid event emitter leak caused by server.listen callback (#​21451) (602d786)
• lazy hook filter should work (#​21443) (bc0c207)
• optimizer: skip rolldownCjsExternalPlugin for platform: neutral (#​21452) (d2fc4be)
• deps: update all non-major dependencies (#​21389) (30f48df)
• deps: update esbuild peerDependency version (#​21398) (4266c97)
• hmr: trigger prune event when last import is removed (#​20781) (#​21093) (7576735)
• module-runner: use process.getBuiltinModule instead of import('node:module') (#​21402) (6633bcb)
• support .env file mounts (FIFOs) (#​21365) (6e6f82a)
• css: stylus Evaluator support (#​21376) (cf9ace1)
• deps: update all non-major dependencies (#​21321) (9bc7c2e)
• import-analysis: avoid cjs interop for built browser external module (#​21333) (dc5a2fb)
• worker: handle new Worker(..., new URL(import.meta.url)) with trailing comma (#​21325) (4a47241)
• detect import.meta.resolve when formatted across multiple lines (#​21312) (130e718)
• allow no-cors requests for non-script tag requests (#​21299) (ef3d596)
• deps: update all non-major dependencies (#​21285) (4635b2e)
• unreachable error when building with experimental.bundledDev is enabled (#​21296) (e81c183)
• deps: update all non-major dependencies (#​21231) (859789c)
• don't strip base from imports (#​21221) (7da742b)
• allow exiting process before optimizer cleanup is done (#​21170) (55ceffc)
• plugin shortcut support (#​21211) (6a3aca0)

Performance Improvements

• ssr: skip circular import check for already-evaluated modules (#​21632) (235140b)
• use tsconfig cache for oxc transform in dev (#​21643) (57ff177)

Documentation

• bulk of typo fixes (#​21507) (80755da)
• update build.dynamicImportVarsOptions (#​21477) (54ce2ed)
• clarify the pronunciation of vite in IPA symbols (#​21238) (9b1d4d6)
• ensure https links (#​21266) (2eb259a)

Miscellaneous Chores

• deps-dev: bump rollup from 4.57.1 to 4.59.0 (#​21717) (25227bb)
• deps: update dependency cac to v7 (#​21788) (44e33ae)
• deps: update dependency rolldown-plugin-dts to ^0.22.2 (#​21731) (d8ea652)
• deps: remove fdir and @rollup/plugin-commonjs (#​21639) (5abffd5)
• deps: update dependency @​rollup/plugin-alias to v6 (#​21097) (44b5bdf)
• fix broken link for future deprecations (#​21603) (25f4501)
• update customResolver deprecation message to mention enforce: 'pre' (#​21576) (2ce34d5)
• update rolldown-plugin-dts to 0.22.1 (#​21559) (77aab4b)
• deps: update dependency rolldown-plugin-dts to ^0.21.8 (#​21539) (33881cb)
• add missing versions to changelog (#​21515) (4bfb239)
• deps: update rolldown-related dependencies (#​21487) (5863e51)
• deps: update rolldown-related dependencies (#​21390) (be9dd4e)
• fix typo in plugin.ts comment (#​21435) (d31fc66)
• replace caniuse link for ES2024 (#​21355) (2ba4e99)
• cleanup changelog (#​21202) (8c8c56e)
• deps: update rolldown-related dependencies (#​21230) (9349446)
• fix spelling error (#​21223) (cc10e20)

Code Refactoring

• don't add optimization.inlineConst: { mode: 'smart' } as it's enabled by default (#​21794) (22b3d11)
• enable some native plugins even with enable native plugin false (#​21744) (fc46c79)
• avoid deprecated legalComments option (#​21721) (e06496e)
• use ESTree types from rolldown/utils (#​21719) (9239750)
• deprecate customResolver in resolve.alias (#​21476) (81275c9)
• remove unnecessary @rolldown/pluginutils (#​21560) (c367b62)
• enable some native plugins even with enable native plugin false (#​21608) (5a4f692)
• use rolldown/utils (#​21577) (e56103f)
• use internal devtools config (#​21609) (9aea20f)
• use parseEnv (#​21586) (f859d2c)
• wasm: remove native wasm helper plugin usage (#​21566) (71a86be)
• enable some native plugins even with enable native plugin false (#​21511) (b40292c)
• remove experimental.enableNativePlugin: 'resolver' (#​21510) (f9d9213)
• use import.meta.dirname everywhere (#​21509) (7becf5f)
• optimizer: simplify rolldownCjsExternalPlugin (#​21450) (ebda8fd)
• remove import.meta.hot.accept resolution fallback (#​21382) (71d0797)
• optimizer: remove dead code (#​21334) (e9a2cdb)

Tests

• ssr: incorrect handleInvoke was called in server-worker-runner.invoke test (#​21751) (b95ca22)
• add more type tests for defineConfig (#​21698) (4fedbbd)
• test case for catching invalid package resolution error (#​21601) (c9b9359)
• bundled-dev: add worker test cases (#​21557) (569bc98)

Beta Changelogs

8.0.0-beta.18 (2026-03-09)

See 8.0.0-beta.18 changelog

8.0.0-beta.17 (2026-03-09)

See 8.0.0-beta.17 changelog

8.0.0-beta.16 (2026-02-27)

See 8.0.0-beta.16 changelog

8.0.0-beta.15 (2026-02-19)

See 8.0.0-beta.15 changelog

8.0.0-beta.14 (2026-02-12)

See 8.0.0-beta.14 changelog

8.0.0-beta.13 (2026-02-05)

See 8.0.0-beta.13 changelog

8.0.0-beta.12 (2026-02-03)

See 8.0.0-beta.12 changelog

8.0.0-beta.11 (2026-01-29)

See 8.0.0-beta.11 changelog

8.0.0-beta.10 (2026-01-24)

See 8.0.0-beta.10 changelog

8.0.0-beta.9 (2026-01-22)

See 8.0.0-beta.9 changelog

8.0.0-beta.8 (2026-01-15)

See 8.0.0-beta.8 changelog

8.0.0-beta.7 (2026-01-08)

See 8.0.0-beta.7 changelog

8.0.0-beta.6 (2026-01-07)

See 8.0.0-beta.6 changelog

8.0.0-beta.5 (2025-12-25)

See 8.0.0-beta.5 changelog

8.0.0-beta.4 (2025-12-22)

See 8.0.0-beta.4 changelog

8.0.0-beta.3 (2025-12-18)

See 8.0.0-beta.3 changelog

8.0.0-beta.2 (2025-12-12)

See 8.0.0-beta.2 changelog

8.0.0-beta.1 (2025-12-08)

See 8.0.0-beta.1 changelog

8.0.0-beta.0 (2025-12-03)

See 8.0.0-beta.0 changelog

Rolldown-Vite changelogs

See rolldown-vite changelog

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

v7.2.2

Compare Source

Bug Fixes

• revert "refactor: use fs.cpSync (#​21019)" (#​21081) (728c8ee)

v7.2.1

Compare Source

Today, we're thrilled to announce the release of the next Vite major:

• Vite 8.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• remove import.meta.hot.accept resolution fallback (#​21382)
• update default browser target (#​21193)
• the epic rolldown-vite merge (#​21189)

Features

• update rolldown to 1.0.0-rc.9 (#​21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#​21781) (ada493e)
• css: support es2025 build target for lightningcss (#​21769) (08906e7)
• forward browser console logs and errors to dev server terminal (#​20916) (2540ed0)
• update rolldown to 1.0.0-rc.8 (#​21790) (a0c950e)
• export Visitor and ESTree from rolldown/utils (#​21664) (45de31e)
• update rolldown to 1.0.0-rc.6 (#​21714) (37a65f8)
• use util.inspect for CLI error display (#​21668) (5f425a9)
• update rolldown to 1.0.0-rc.5 (#​21660) (b3ddbc5)
• update rolldown to 1.0.0-rc.4 (#​21617) (1ee5c7f)
• wasm: add SSR support for .wasm?init (#​21102) (216a3b5)
• integrate devtools (#​21331) (acbf507)
• update rolldown to 1.0.0-rc.3 (#​21554) (43358e9)
• manifest: add assets field for standalone CSS entry points (#​21015) (f289b9b)
• update rolldown to 1.0.0-rc.2 (#​21512) (fa136a9)
• bundled-dev: support worker in initial bundle (#​21415) (f3d3149)
• dev: detect port conflicts on wildcard hosts (#​21381) (b0dd5a9)
• shortcuts case insensitive (#​21224) (7796ade)
• update rolldown to 1.0.0-rc.1 (#​21463) (ff9dd7f)
• warn if envPrefix contains spaces (#​21292) (9fcde3c)
• update rolldown to 1.0.0-beta.60 (#​21408) (c33aa7c)
• update rolldown to 1.0.0-beta.59 (#​21374) (0037943)
• add ignoreOutdatedRequests option to optimizeDeps (#​21364) (b2e75aa)
• add ios to default esbuild targets (#​21342) (daae6e9)
• update rolldown to 1.0.0-beta.58 (#​21354) (ba40cef)
• update rolldown to 1.0.0-beta.57 (#​21335) (d5412ef)
• css: support es2024 build target for lightningcss (#​21294) (bd33b8e)
• update rolldown to 1.0.0-beta.56 (#​21323) (9847a63)
• introduce v2 native plugins and enable it by default (#​21268) (42f2ab3)
• ssr: avoid errors when rewriting already rewritten stacktrace (#​21269) (98d9a33)
• update rolldown to 1.0.0-beta.55 (#​21300) (2c8db85)
• update rolldown to 1.0.0-beta.54 (#​21267) (c751172)
• add a warning that is output when a plugin sets esbuild related options (#​21218) (200646b)
• highly experimental full bundle mode (#​21235) (83d8c99)
• print esbuild options when both esbuild and oxc options are set (#​21216) (08ae87b)
• update default browser target (#​21193) (8c3dd06)
• the epic rolldown-vite merge (#​21189) (4a7f8d4)

Bug Fixes

• deps: update all non-major dependencies (#​21786) (eaa4352)
• use watch.watcher instead of watch.notify (#​21793) (88953b3)
• css: apply server.origin to public file URLs in CSS (fix #​18457) (#​21697) (c967f48)
• deps: update all non-major dependencies (#​21732) (5c921ca)
• dev: disable extglobs for consistency (#​21745) (1958eeb)
• lib: keep annotation comments for es output (#​21740) (dd3c4f4)
• optimizer: avoid error happening with a package with asset entrypoint (#​21766) (f7e1d07)
• ssr: throw friendly error when calling ssrLoadModule with non-runnable ssr env (#​21739) ([

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Code Coverage Report: Only Changed Files listed

Package	Base Coverage	New Coverage	Difference
Overall Coverage	🟢 53.11%	🟢 53.11%	⚪ 0%

Minimum allowed coverage is 0%, this run produced 53.11%