chore(deps): bump vite to ^7.3.2 to close 3 advisories #28

Merged
shyhunter merged 1 commit into main from chore/bump-vite on Apr 28, 2026
Conversation

@shyhunter (Owner)

Summary

Bumps vite from ^7.0.4 to ^7.3.2 to close 3 advisories surfaced by npm audit --omit=dev.

| Package | Before → After | Advisories closed |
| --- | --- | --- |
| vite | 7.3.1 → 7.3.2 | GHSA-4w7w-66w2-5vf9, GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583 |
| picomatch | 4.0.3 → 4.0.4 (transitive) | GHSA-3v7f-55p6-f55p, GHSA-c2c7-rcm5-vvqj |
| postcss | 8.5.6 → 8.5.12 (transitive) | GHSA-qx2v-qp2m-jg93 |

After this change: npm audit --omit=dev reports 0 vulnerabilities.

Test plan

  • npm run test — 29 files, 503 tests, all pass
  • npm audit --omit=dev — 0 findings (was 3)
  • Reviewer: npm ci && npm run test to confirm reproducible

E2E (test:e2e) was attempted; failed with Timed out waiting for step 1 across all PDF/Image specs. Pre-existing — same failures reproduce with this PR reverted. Not blocking; tracked separately.

Security notes (R015)

  • Secrets: none touched.
  • Auth/permissions: N/A — Tauri capability allowlist unchanged; no IPC commands added; renderer trust boundary unchanged.
  • Remaining risks: patched packages are dev/build tooling and don't ship in the bundled Tauri binary. The dev server is exposed during npm run dev so the patches matter for contributors. @tailwindcss/vite lives in dependencies rather than devDependencies, which is why prod-scope audit even sees these tools — hygiene issue worth filing separately, not a bump-introduced one.

🤖 Generated with Claude Code

Resolves 3 advisories surfaced by `npm audit --omit=dev`:

- vite (high) — path traversal in optimized-deps `.map`
  (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass via queries
  (GHSA-v2wj-q39q-566r), arbitrary file read via dev-server WS
  (GHSA-p9ff-h696-f583).
- picomatch 4.0.3 → 4.0.4 (transitive via vite/fdir/tinyglobby) —
  POSIX class method injection (GHSA-3v7f-55p6-f55p) + extglob ReDoS
  (GHSA-c2c7-rcm5-vvqj).
- postcss 8.5.6 → 8.5.12 (transitive via vite) — `</style>` XSS in
  CSS stringify output (GHSA-qx2v-qp2m-jg93).

Verified: `npm audit --omit=dev` reports 0 vulnerabilities;
`npm run test` passes (29 files, 503 tests).

E2E suite (`test:e2e`) was reproduced both pre-bump and post-bump
with identical "Timed out waiting for step 1" failures across all
PDF/Image specs — pre-existing, not introduced here. Tracked
separately.

All affected packages are dev/build tooling that doesn't ship in
the Tauri binary; the patches still matter for any contributor
running `npm run dev` because vite's dev server is exposed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@shyhunter shyhunter merged commit 8302527 into main Apr 28, 2026
12 checks passed
@shyhunter shyhunter deleted the chore/bump-vite branch April 28, 2026 13:35