chore(deps): update dependency vite to v8 [security]#18

Open

renovate[bot] wants to merge 1 commit intomainfrom

renovate/npm-vite-vulnerability

renovate bot commented Apr 8, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	`^5.2.11` → `^8.0.0`

GitHub Vulnerability Alerts

CVE-2026-39365

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

Create a minimal PoC sourcemap outside the project root

cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF

Start the Vite dev server (example)

pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

Confirm that direct /@fs access is blocked by strict (returns 403)
Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map

Release Notes

vitejs/vite (vite)

`v8.0.7`

Bug Fixes

use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

`v8.0.6`

Features

update rolldown to 1.0.0-rc.13 (#22097) (51d3e48)

Bug Fixes

css: avoid mutating sass error multiple times (#22115) (d5081c2)
optimize-deps: hoist CJS interop assignment (#22156) (17a8f9e)

Performance Improvements

early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

create-vite: remove unnecessary DOM.Iterable (#22168) (bdc53ab)
replace remaining prettier script (#22179) (af71fb2)

`v8.0.5`

Bug Fixes

apply server.fs check to env transport (#22159) (f02d9fd)
avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
check server.fs after stripping query as well (#22160) (a9a3df2)
disallow referencing files outside the package from sourcemap (#22158) (f05f501)

`v8.0.4`

Features

allow esbuild 0.28 as peer deps (#22155) (b0da973)
hmr: truncate list of files on hmr update (#21535) (d00e806)
optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)
add types for vite/modulepreload-polyfill (#22126) (17330d2)
deps: update all non-major dependencies (#22073) (6daa10f)
deps: update all non-major dependencies (#22143) (22b0166)
resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)
ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

add environment.fetchModule documentation (#22035) (54229e7)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21989) (0ded627)

Code Refactoring

upgrade to typescript 6 (#22110) (cc41398)

`v8.0.3`

Features

update rolldown to 1.0.0-rc.12 (#22024) (84164ef)

Bug Fixes

html: cache unfiltered CSS list to prevent missing styles across entries (#22017) (5464190)
module-runner: handle non-ascii characters in base64 sourcemaps (#21985) (77c95bf)
module-runner: skip re-import if the runner is closed (#22020) (ee2c2cd)
optimizer: scan is not resolving sub path import if used in a glob import (#22018) (ddfe20d)
ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#22019) (cff5f0c)

Miscellaneous Chores

deps: bump picomatch from 4.0.3 to 4.0.4 (#22027) (7e56003)

Tests

html: add tests for getCssFilesForChunk (#22016) (43fbbf9)

`v8.0.2`

Features

update rolldown to 1.0.0-rc.11 (#21998) (ff91c31)

Bug Fixes

deps: update all non-major dependencies (#21988) (9b7d150)

Miscellaneous Chores

deps: update dependency @vitejs/devtools to ^0.1.5 (#21992) (b2dd65b)

`v8.0.1`

Features

update rolldown to 1.0.0-rc.10 (#21932) (b3c067d)

Bug Fixes

bundled-dev: properly disable inlineConst optimization (#21865) (6d97142)
css: lightningcss minify failed when build.target: 'es6' (#21933) (5fcce46)
deps: update all non-major dependencies (#21878) (6dbbd7f)
dev: always use ESM Oxc runtime (#21829) (d323ed7)
dev: handle concurrent restarts in _createServer (#21810) (40bc729)
handle + symbol in package subpath exports during dep optimization (#21886) (86db93d)
improve no-cors request block error (#21902) (5ba688b)
use precise regexes for transform filter to avoid backtracking (#21800) (dbe41bd)
worker: require(json) result should not be wrapped (#21847) (0672fd2)
worker: make worker output consistent with client and SSR (#21871) (69454d7)

Miscellaneous Chores

add changelog rearrange script (#21835) (efef073)
deps: bump required @vitejs/devtools version to 0.1+ (#21925) (12932f5)
deps: update rolldown-related dependencies (#21787) (1af1d3a)
rearrange 8.0 changelog (8e05b61)
rearrange 8.0 changelog (#21834) (86edeee)

`v8.0.0`

Features

update rolldown to 1.0.0-rc.9 (#21813) (f05be0e)
warn when vite-tsconfig-paths plugin is detected (#21781) (ada493e)

Bug Fixes

deps: update all non-major dependencies (#21786) (eaa4352)

`v7.3.2`

Please refer to CHANGELOG.md for details.

`v7.3.1`

Please refer to CHANGELOG.md for details.

`v7.3.0`

Please refer to CHANGELOG.md for details.

`v7.2.7`

`v7.2.6`

7.2.6 (2025-12-01)

`v7.2.4`

Bug Fixes

revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

`v7.2.3`

Bug Fixes

allow multiple bindCLIShortcuts calls with shortcut merging (#21103) (5909efd)
deps: update all non-major dependencies (#21096) (6a34ac3)
deps: update all non-major dependencies (#21128) (4f8171e)

Performance Improvements

deps: replace debug with obug (#21107) (acfe939)

Miscellaneous Chores

deps: update dependency @rollup/plugin-commonjs to v29 (#21099) (02ceaec)
deps: update rolldown-related dependencies (#21095) (39a0a15)
deps: update rolldown-related dependencies (#21127) (5029720)

`v7.2.2`

Bug Fixes

revert "refactor: use fs.cpSync (#21019)" (#21081) (728c8ee)

`v7.2.1`

Bug Fixes

worker: some worker asset was missing (#21074) (82d2d6c)

Code Refactoring

build: rename indexOfMatchInSlice to findPreloadMarker (#21054) (f83264f)

`v7.2.0`

Bug Fixes

css: fallback to sass when sass-embedded platform binary is missing (#21002) (b1fd616)
module-runner: make getBuiltins response JSON serializable (#21029) (ad5b3bf)
types: add undefined to optional properties for exactOptionalProperties type compatibility (#21040) (2833c55)

Miscellaneous Chores

deps: update rolldown-related dependencies (#21047) (e3a6a83)

`v7.1.12`

Please refer to CHANGELOG.md for details.

`v7.1.11`

Bug Fixes

dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

deps: update all non-major dependencies (#20966) (6fb41a2)

Code Refactoring

use subpath imports for types module reference (#20921) (d0094af)

Build System

remove cjs reference in files field (#20945) (ef411ce)
remove hash from built filenames (#20946) (a817307)

`v7.1.10`

Bug Fixes

css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
deps: update all non-major dependencies (879de86)
deps: update all non-major dependencies (#20894) (3213f90)
dev: allow aliases starting with // (#20760) (b95fa2a)
dev: remove timestamp query consistently (#20887) (6537d15)
esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

correct WebSocket spelling (#20890) (29e98dc)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20923) (a5e3b06)

`v7.1.9`

Reverts

server: drain stdin when not interactive (#20885) (12d72b0)

`v7.1.8`

Bug Fixes

css: improve url escape characters handling (#20847) (24a61a3)
deps: update all non-major dependencies (#20855) (788a183)
deps: update artichokie to 0.4.2 (#20864) (e670799)
dev: skip JS responses for document requests (#20866) (6bc6c4d)
glob: fix HMR for array patterns with exclusions (#20872) (63e040f)
keep ids for virtual modules as-is (#20808) (d4eca98)
server: drain stdin when not interactive (#20837) (bb950e9)
server: improve malformed URL handling in middlewares (#20830) (d65a983)

Documentation

create-vite: provide deno example (#20747) (fdb758a)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20810) (ea68a88)
deps: update rolldown-related dependencies (#20854) (4dd06fd)
update url of create-react-app license (#20865) (166a178)

`v7.1.7`

Bug Fixes

build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#20787) (4c4583c)
client: use CSP nonce when rendering error overlay (#20791) (9bc9d12)
deps: update all non-major dependencies (#20811) (9f2247c)
glob: handle glob imports from folders starting with dot (#20800) (105abe8)
hmr: trigger prune event when import is removed from non hmr module (#20768) (9f32b1d)
hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#20698) (98a3484)

`v7.1.6`

Bug Fixes

deps: update all non-major dependencies (#20773) (88af2ae)
esbuild: inject esbuild helper functions with minified $ variables correctly (#20761) (7e8e004)
fallback terser to main thread when nameCache is provided (#20750) (a679a64)
types: strict env typings fail when skipLibCheck is false (#20755) (cc54e29)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20675) (a67bb5f)
deps: update rolldown-related dependencies (#20772) (d785e72)

`v7.1.5`

Bug Fixes

apply fs.strict check to HTML files (#20736) (14015d7)
deps: update all non-major dependencies (#20732) (122bfba)
upgrade sirv to 3.0.2 (#20735) (09f2b52)

`v7.1.4`

Bug Fixes

add missing awaits (#20697) (79d10ed)
deps: update all non-major dependencies (#20676) (5a274b2)
deps: update all non-major dependencies (#20709) (0401feb)
pass rollup watch options when building in watch mode (#20674) (f367453)

Miscellaneous Chores

remove unused constants entry from rolldown.config.ts (#20710) (537fcf9)

Code Refactoring

remove unnecessary minify parameter from finalizeCss (#20701) (8099582)

`v7.1.3`

Features

cli: add Node.js version warning for unsupported versions (#20638) (a1be1bf)
generate code frame for parse errors thrown by terser (#20642) (a9ba017)
support long lines in generateCodeFrame (#20640) (1559577)

Bug Fixes

deps: update all non-major dependencies (#20634) (4851cab)
optimizer: incorrect incompatible error (#20439) (446fe83)
support multiline new URL(..., import.meta.url) expressions (#20644) (9ccf142)

Performance Improvements

cli: dynamically import resolveConfig (#20646) (f691f57)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20633) (98b92e8)

Code Refactoring

replace startsWith with strict equality (#20603) (42816de)
use import in worker threads (#20641) (530687a)

Tests

remove checkNodeVersion test (#20647) (731d3e6)

`v7.1.2`

Bug Fixes

client: add [vite] prefixes to debug logs (#20595) (7cdef61)
config: make debugger work with bundle loader (#20573) (c583927)
deps: update all non-major dependencies (#20587) (20d4817)
don't consider ids with npm: prefix as a built-in module (#20558) (ab33803)
hmr: watch non-inlined assets referenced by CSS (#20581) (b7d494b)
module-runner: prevent crash when sourceMappingURL pattern appears in string literals (#20554) (2770478)

Miscellaneous Chores

deps: migrate to @jridgewell/remapping from @ampproject/remapping (#20577) (0a6048a)
deps: update rolldown-related dependencies (#20586) (77632c5)

`v7.1.1`

Bug Fixes

dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

deps: update all non-major dependencies (#20966) (6fb41a2)

Code Refactoring

use subpath imports for types module reference (#20921) (d0094af)

Build System

remove cjs reference in files field (#20945) (ef411ce)
remove hash from built filenames (#20946) (a817307)

`v7.1.0`

Features

support files with more than 1000 lines by generateCodeFrame (#20508) (e7d0b2a)
add import.meta.main support in config (bundle config loader) (#20516) (5d3e3c2)
optimizer: improve dependency optimization error messages with esbuild formatMessages (#20525) (d17cfed)
ssr: add import.meta.main support for Node.js module runner (#20517) (794a8f2)
add future: 'warn' (#20473) (e6aaf17)
add removeServerPluginContainer future deprecation (#20437) (c1279e7)
add removeServerReloadModule future deprecation (#20436) (6970d17)
add server.warmupRequest to future deprecation (#20431) (8ad388a)
add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#20435) (8c8f587)
client: ping from SharedWorker (#19057) (5c97c22)
dev: add this.fs support (#20301) (0fe3f2f)
export defaultExternalConditions (#20279) (344d302)
implement removePluginHookSsrArgument future deprecation (#20433) (95927d9)
implement removeServerHot future deprecation (#20434) (259f45d)
resolve server URLs before calling other listeners (#19981) (45f6443)
ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#20409) (c669c52)
ssr: support import.meta.resolve in module runner (#20260) (62835f7)

Bug Fixes

css: avoid warnings for image-set containing __VITE_ASSET__ (#20520) (f1a2635)
css: empty CSS entry points should generate CSS files, not JS files (#20518) (bac9f3e)
dev: denied request stalled when requested concurrently (#20503) (64a52e7)
manifest: initialize entryCssAssetFileNames as an empty Set (#20542) (6a46cda)
skip prepareOutDirPlugin in workers (#20556) (97d5111)
asset: only watch existing files for new URL(, import.meta.url) (#20507) (1b211fd)
client: keep ping on WS constructor error (#20512) (3676da5)
deps: update all non-major dependencies (#20537) (fc9a9d3)
don't resolve as relative for specifiers starting with a dot (#20528) (c5a10ec)
html: allow control character in input stream (#20483) (c12a4a7)
merge old and new noExternal: true correctly (#20502) (9ebe4a5)
deps: update all non-major dependencies (#20489) (f6aa04a)
dev: denied requests overly (#20410) (4be5270)
hmr: register css deps as type: asset (#20391) (7eac8dd)
optimizer: discover correct jsx runtime during scan (#20495) (10d48bb)
preview: set correct host for resolvedUrls (#20496) (62b3e0d)
worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#20460) (8033e5b)

Performance Improvements

client: reduce reload debounce (#20429) (22ad43b)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20536) (8be2787)
deps: update dependency parse5 to v8 (#20490) (744582d)
format (f20addc)
stablize cssScopeTo (#19592) (ced1343)

Code Refactoring

use hook filters in the worker plugin (#20527) (958cdf2)
extract prepareOutDir as a plugin (#20373) (2c4af1f)
extract resolve rollup options (#20375) (61a9778)
rewrite openchrome.applescript to JXA (#20424) (7979f9d)
use http-proxy-3 (#20402) (26d9872)
use hook filters in internal plugins (#20358) (f19c4d7)
use hook filters in internal resolve plugin (#20480) (acd2a13)

Tests

detect ts support via process.features (#20544) (856d3f0)
fix unimportant errors in test-unit (#20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

`v7.0.8`

Please refer to CHANGELOG.md for details.

`v7.0.7`

Please refer to CHANGELOG.md for details.

`v7.0.6`

Features

support files with more than 1000 lines by generateCodeFrame (#20508) (e7d0b2a)
add import.meta.main support in config (bundle config loader) (#20516) (5d3e3c2)
optimizer: improve dependency optimization error messages with esbuild formatMessages (#20525) (d17cfed)
ssr: add import.meta.main support for Node.js module runner (#20517) (794a8f2)
add future: 'warn' (#20473) (e6aaf17)
add removeServerPluginContainer future deprecation (#20437) (c1279e7)
add removeServerReloadModule future deprecation (#20436) (6970d17)
add server.warmupRequest to future deprecation (#20431) (8ad388a)
add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#20435) ([8c8f587](https://redirect.github.com/vitejs/vite/commit/8c8f5879ead251705c2c363f5b8b94f618fb

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency vite to v8 [security]

46852c1

socket-security bot commented Apr 8, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite@5.4.21 ⏵ 8.0.7	⁺⁸	⁺²

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet