From b3bc2314f3d99ab03ae80940d75d0c32f67f013a Mon Sep 17 00:00:00 2001
From: Shy Hunter
Date: Tue, 28 Apr 2026 15:34:41 +0200
Subject: [PATCH] chore(deps): bump vite to ^7.3.2 to close 3 advisories
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves 3 advisories surfaced by `npm audit --omit=dev`:

- vite (high) — path traversal in optimized-deps `.map` (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass via queries (GHSA-v2wj-q39q-566r), arbitrary file read via dev-server WS (GHSA-p9ff-h696-f583).
- picomatch 4.0.3 → 4.0.4 (transitive via vite/fdir/tinyglobby) — POSIX class method injection (GHSA-3v7f-55p6-f55p) + extglob ReDoS (GHSA-c2c7-rcm5-vvqj).
- postcss 8.5.6 → 8.5.12 (transitive via vite) — `` XSS in CSS stringify output (GHSA-qx2v-qp2m-jg93).

Verified: `npm audit --omit=dev` reports 0 vulnerabilities; `npm run test` passes (29 files, 503 tests). E2E suite (`test:e2e`) was reproduced both pre-bump and post-bump with identical "Timed out waiting for step 1" failures across all PDF/Image specs — pre-existing, not introduced here. Tracked separately.

All affected packages are dev/build tooling that doesn't ship in the Tauri binary; the patches still matter for any contributor running `npm run dev` because vite's dev server is exposed.

Co-Authored-By: Claude Opus 4.7
---
 package-lock.json | 24 ++++++++++++------------
 package.json | 2 +-
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d670e09..5d9f399 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "tauri-app",
- "version": "1.0.0-beta.3",
+ "version": "1.0.0-beta.8",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "tauri-app",
- "version": "1.0.0-beta.3",
+ "version": "1.0.0-beta.8",
 "dependencies": {
 "@tailwindcss/vite": "^4.2.0",
 "@tauri-apps/api": "^2",
@@ -52,7 +52,7 @@
 "shadcn": "^3.8.5",
 "tw-animate-css": "^1.4.0",
 "typescript": "~5.8.3",
- "vite": "^7.0.4",
+ "vite": "^7.3.2",
 "vitest": "^4.0.18",
 "webdriverio": "^9.24.0"
 }
@@ -12234,9 +12234,9 @@
 "license": "ISC"
 },
 "node_modules/picomatch": {
- "version": "4.0.3",
- "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
- "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+ "version": "4.0.4",
+ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+ "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 "license": "MIT",
 "engines": {
 "node": ">=12"
@@ -12256,9 +12256,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.5.6",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
- "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+ "version": "8.5.12",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz",
+ "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==",
 "funding": [
 {
 "type": "opencollective",
@@ -14708,9 +14708,9 @@
 }
 },
 "node_modules/vite": {
- "version": "7.3.1",
- "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
- "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+ "version": "7.3.2",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
+ "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
 "license": "MIT",
 "dependencies": {
 "esbuild": "^0.27.0",
diff --git a/package.json b/package.json
index 29a993c..ced2dcf 100644
--- a/package.json
+++ b/package.json
@@ -62,7 +62,7 @@
 "shadcn": "^3.8.5",
 "tw-animate-css": "^1.4.0",
 "typescript": "~5.8.3",
- "vite": "^7.0.4",
+ "vite": "^7.3.2",
 "vitest": "^4.0.18",
 "webdriverio": "^9.24.0"
 }