chore(deps): update dependency vite to v7.1.11 [security] #83

renovate · 2025-10-20T21:46:48Z

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	`7.1.7` -> `7.1.11`

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

Release Notes

vitejs/vite (vite)

`v7.1.11`

Compare Source

Bug Fixes

dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

deps: update all non-major dependencies (#20966) (6fb41a2)

Code Refactoring

use subpath imports for types module reference (#20921) (d0094af)

Build System

remove cjs reference in files field (#20945) (ef411ce)
remove hash from built filenames (#20946) (a817307)

`v7.1.10`

Compare Source

Bug Fixes

css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
deps: update all non-major dependencies (879de86)
deps: update all non-major dependencies (#20894) (3213f90)
dev: allow aliases starting with // (#20760) (b95fa2a)
dev: remove timestamp query consistently (#20887) (6537d15)
esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

correct WebSocket spelling (#20890) (29e98dc)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20923) (a5e3b06)

`v7.1.9`

Compare Source

Reverts

server: drain stdin when not interactive (#20885) (12d72b0)

`v7.1.8`

Compare Source

Bug Fixes

css: improve url escape characters handling (#20847) (24a61a3)
deps: update all non-major dependencies (#20855) (788a183)
deps: update artichokie to 0.4.2 (#20864) (e670799)
dev: skip JS responses for document requests (#20866) (6bc6c4d)
glob: fix HMR for array patterns with exclusions (#20872) (63e040f)
keep ids for virtual modules as-is (#20808) (d4eca98)
server: drain stdin when not interactive (#20837) (bb950e9)
server: improve malformed URL handling in middlewares (#20830) (d65a983)

Documentation

create-vite: provide deno example (#20747) (fdb758a)

Miscellaneous Chores

deps: update rolldown-related dependencies (#20810) (ea68a88)
deps: update rolldown-related dependencies (#20854) (4dd06fd)
update url of create-react-app license (#20865) (166a178)

coderabbitai · 2025-10-20T21:47:02Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

renovate bot requested a review from a team as a code owner October 20, 2025 21:46

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 83899c1 to e5052e8 Compare November 10, 2025 14:54

chore(deps): update dependency vite to v7.1.11 [security]

5d6e8fe

renovate bot force-pushed the renovate/npm-vite-vulnerability branch from e5052e8 to 5d6e8fe Compare December 3, 2025 19:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency vite to v7.1.11 [security] #83

chore(deps): update dependency vite to v7.1.11 [security] #83

Uh oh!

renovate bot commented Oct 20, 2025 •

edited

Loading

Uh oh!

coderabbitai bot commented Oct 20, 2025

Review skipped

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

chore(deps): update dependency vite to v7.1.11 [security] #83

Are you sure you want to change the base?

chore(deps): update dependency vite to v7.1.11 [security] #83

Uh oh!

Conversation

renovate bot commented Oct 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Impact

Details

PoC

Release Notes

v7.1.11

Bug Fixes

Miscellaneous Chores

Code Refactoring

Build System

v7.1.10

Bug Fixes

Documentation

Miscellaneous Chores

v7.1.9

Reverts

v7.1.8

Bug Fixes

Documentation

Miscellaneous Chores

Uh oh!

coderabbitai bot commented Oct 20, 2025

Review skipped

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Oct 20, 2025 •

edited

Loading

`v7.1.11`

`v7.1.10`

`v7.1.9`

`v7.1.8`