Closed
2 changes: 1 addition & 1 deletion examples/preact/simple/package.json
Expand Up @@ -17,7 +17,7 @@
"eslint": "^9.37.0",
"eslint-config-preact": "^2.0.0",
"typescript": "5.6.3",
"vite": "^6.3.6"
"vite": "^7.0.0"
},
"eslintConfig": {
"extends": "preact"
Expand Down
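Review bot: the floor of the new range on the changed line, `"vite": "^7.0.0"`, is a release that the review comment later on this page lists as affected by CVE-2025-62522 (fixed in 7.0.8) and CVE-2025-58752 (fixed in 7.0.7). A fresh install picks the newest 7.x, but an install held back by an existing lockfile can still satisfy this range with 7.0.0 to 7.0.7. Suggest `"vite": "^7.0.8"` so the manifest itself rules those releases out.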
2 changes: 1 addition & 1 deletion examples/react/simple/package.json
Expand Up @@ -18,7 +18,7 @@
"@types/react-dom": "^18.3.0",
"@vitejs/plugin-react": "^4.7.0",
"react-scan": "^0.4.3",
"vite": "^6.3.6"
"vite": "^7.0.0"
},
"browserslist": {
"production": [
Expand Down
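Review bot: in the context lines, `"@vitejs/plugin-react": "^4.7.0"` is left unchanged while `vite` moves from 6.x to 7.x, and nothing in the hunk shows that the plugin's `peerDependencies.vite` range was checked. Query the registry metadata for the plugin, as the review on this page did for `@vitejs/plugin-vue`, and bump the plugin in the same hunk if 7.x is not in its range.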
2 changes: 1 addition & 1 deletion examples/solid/simple/package.json
Expand Up @@ -14,7 +14,7 @@
},
"devDependencies": {
"typescript": "5.6.3",
"vite": "^6.3.6",
"vite": "^7.0.0",
"vite-plugin-solid": "^2.11.9"
}
}
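Review bot: only `package.json` manifests change in the diff shown on this page, so for `"vite": "^7.0.0"` here the release that actually gets installed is decided by a lockfile the reviewer cannot see. Include the regenerated lockfile in the change, or state the resolved 7.x version in the description, so it can be confirmed as 7.0.8 or later.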
2 changes: 1 addition & 1 deletion examples/svelte/simple/package.json
Expand Up @@ -16,7 +16,7 @@
"svelte-check": "^4.3.3",
"tslib": "^2.8.1",
"typescript": "5.6.3",
"vite": "^6.3.6"
"vite": "^7.0.0"
},
"dependencies": {
"@tanstack/svelte-store": "^0.10.3"
Expand Down
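Review bot: this is a major-version bump of the build tool, yet the hunk changes nothing but the `vite` range, and the example's Vite plugin for Svelte is not among the visible context lines (`svelte-check`, `tslib`, `typescript`). Confirm that plugin's peer range and the example's minimum Node.js version against what Vite 7 requires, and record the result in the PR description.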
2 changes: 1 addition & 1 deletion examples/vue/simple/package.json
Expand Up @@ -16,7 +16,7 @@
"devDependencies": {
"@vitejs/plugin-vue": "^5.2.4",
"typescript": "5.6.3",
"vite": "^6.3.6",
"vite": "^7.0.0",

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check `@vitejs/plugin-vue` peer dependency requirements for Vite compatibility
curl -s https://registry.npmjs.org/@vitejs/plugin-vue/5.2.4 | jq '.peerDependencies'

Repository: TanStack/store

Length of output: 2060


🌐 Web query:

Vite 7.0.0 security vulnerabilities server.fs.deny bypass

💡 Result:

Vite 7.0.0 is affected by at least these server.fs.deny / server.fs bypass issues:

  • CVE-2025-62522 (GHSA-93m4-6634-74q7) — On Windows, files matched by server.fs.deny can be served if the request URL ends with a backslash (\) (only when the Vite dev server is exposed to the network via --host / server.host). Affected: >= 7.0.0, <= 7.0.7. Fix: upgrade to 7.0.8+. [1][2]
  • CVE-2025-58752 (GHSA-jqfw-vq24-v9c3): server.fs allow/deny rules were not applied to HTML files, allowing reading HTML files outside the intended root/deny rules (requires the dev server be exposed to the network; also impacts the preview server). Affected: >= 7.0.0, <= 7.0.6. Fix: upgrade to 7.0.7+. [3]

Recommended remediation for Vite 7.0.0: upgrade to Vite 7.0.8 or later (covers both). [1][3]

Sources
[1] (github.com)
[2] (nvd.nist.gov)
[3] (github.com)


🌐 Web query:

@vitejs/plugin-vue 5.2.4 compatible Vite 7.x peer dependency

💡 Result:

@vitejs/plugin-vue@5.2.4 declares a Vite peer dependency of:

  • vite: "^5.0.0 || ^6.0.0" (so not compatible with Vite 7.x without ignoring peer-dep checks). [1]

If you need Vite 7.x, you’ll need to upgrade to @vitejs/plugin-vue 6.x (which is used with Vite 7 in the wild). [2]

Sources:
[1] @vitejs/plugin-vue@5.2.4 dependency metadata (shows viteVersion: ^5.0.0 || ^6.0.0) [1]
[2] Example lockfile showing @vitejs/plugin-vue@6.0.1 used with vite@7.2.2 [2]


Critical blocker: @vitejs/plugin-vue 5.x incompatible with Vite 7.x

While the security update to Vite 7 addresses real CVEs (server.fs.deny/allow bypasses on Windows and HTML file disclosure), @vitejs/plugin-vue@^5.2.4 declares peer dependency vite: "^5.0.0 || ^6.0.0" and is incompatible with Vite 7.x. Upgrade @vitejs/plugin-vue to 6.x to proceed with Vite 7.

Note: ^7.0.0 initially resolves to versions 7.0.0–7.0.7 which contain the vulnerabilities. Upgrade to ^7.0.8 to immediately get fixed versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/vue/simple/package.json` at line 19, Update package.json
dependencies so Vite and the Vue plugin are compatible and include the security
fix: change the "vite" version to at least "^7.0.8" (to pull the patched 7.x
release) and upgrade "@vitejs/plugin-vue" to a 6.x release (e.g., "^6.0.0") so
its peer dependency supports Vite 7; modify the "vite" and "@vitejs/plugin-vue"
entries in package.json accordingly and run a fresh install to verify peer
compatibility.

"vue-tsc": "^2.2.12"
}
}
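
The two checks the review comment above performs on this manifest (does the `vite` range start below the fixed release, and does the plugin's peer range admit the new major), written as an added example that is not code from the PR or from the review tool. The manifest is constructed from the vue hunk; `auditManifest`, `satisfies` and `caretFloor` are hypothetical helper names, and only plain `^x.y.z` ranges are handled.

```javascript
// Added example. Handles only "^x.y.z" ranges with x >= 1, joined by "||".
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
};
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
// Lowest version a single caret range admits, e.g. "^7.0.0" -> [7, 0, 0].
function caretFloor(range) {
  const r = range.trim();
  if (!r.startsWith("^")) throw new Error(`unsupported range: ${range}`);
  const floor = parse(r.slice(1));
  if (floor[0] < 1) throw new Error(`0.x caret ranges are not handled: ${range}`);
  return floor;
}
// True when `version` falls inside any "||" alternative of `range`.
function satisfies(range, version) {
  const v = parse(version);
  return range.split("||").some((alt) => {
    const floor = caretFloor(alt);
    return v[0] === floor[0] && cmp(v, floor) >= 0;
  });
}
// fixedIn: first patched release. peers: plugin name -> its peerDependencies.vite.
function auditManifest(manifest, fixedIn, peers) {
  const dev = manifest.devDependencies || {};
  const findings = [];
  if (!dev.vite) return findings;
  const floor = caretFloor(dev.vite);
  // The range reaches the patched release but also starts below it.
  if (satisfies(dev.vite, fixedIn) && cmp(floor, parse(fixedIn)) < 0)
    findings.push({ code: "floor-below-fix", detail: `${dev.vite} admits releases below ${fixedIn}` });
  // A plugin whose peer range excludes the lowest vite this manifest allows.
  for (const [plugin, peerRange] of Object.entries(peers))
    if (plugin in dev && !satisfies(peerRange, floor.join(".")))
      findings.push({ code: "peer-mismatch", detail: `${plugin} expects vite ${peerRange}` });
  return findings;
}
// Constructed input: devDependencies of the vue example after this change.
const vueManifest = { devDependencies: {
  "@vitejs/plugin-vue": "^5.2.4", typescript: "5.6.3", vite: "^7.0.0", "vue-tsc": "^2.2.12",
} };
// Fixed release and peer range as quoted in the review comment on this page.
const vueFindings = auditManifest(vueManifest, "7.0.8", { "@vitejs/plugin-vue": "^5.0.0 || ^6.0.0" });
console.log(vueFindings.map((f) => `${f.code}: ${f.detail}`).join("\n"));
```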