Update dependency vite to v7 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.4.2 → 7.3.5

---

vite: server.fs.deny bypass on Windows alternate paths

CVE-2026-53571 / GHSA-fx2h-pf6j-xcff

More information

Details

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• the sensitive file exists in the allowed directories specified by server.fs.allow
• either of:
  • the sensitive file exists in an NTFS volume
  • the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)

Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Access via browser at http://localhost:5173/.env::$DATA?raw

Example expected result:

• /.env::$DATA?raw returns the contents of .env
• /tls.pem::$DATA?raw returns the contents of tls.pem

Severity

• CVSS Score: 8.2 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vitejs/vite/security/advisories/GHSA-fx2h-pf6j-xcff
• https://github.com/advisories/GHSA-fx2h-pf6j-xcff

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vitejs/vite (vite)

v7.3.5

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.3

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.2

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.

v7.2.7

Compare Source

v7.2.6

Compare Source

7.2.6 (2025-12-01)

v7.2.4

Compare Source

Bug Fixes

• revert "perf(deps): replace debug with obug (#​21107)" (2d66b7b)

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

v7.2.2

Compare Source

Bug Fixes

• revert "refactor: use fs.cpSync (#​21019)" (#​21081) (728c8ee)

v7.2.1

Compare Source

Bug Fixes

• worker: some worker asset was missing (#​21074) (82d2d6c)

Code Refactoring

• build: rename indexOfMatchInSlice to findPreloadMarker (#​21054) (f83264f)

v7.2.0

Compare Source

Bug Fixes

• css: fallback to sass when sass-embedded platform binary is missing (#​21002) (b1fd616)
• module-runner: make getBuiltins response JSON serializable (#​21029) (ad5b3bf)
• types: add undefined to optional properties for exactOptionalProperties type compatibility (#​21040) (2833c55)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​21047) (e3a6a83)

v7.1.12

Compare Source

Please refer to CHANGELOG.md for details.

v7.1.11

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.10

Compare Source

Bug Fixes

• css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#​20767) (3a92bc7)
• css: respect emitAssets when cssCodeSplit=false (#​20883) (d3e7eee)
• deps: update all non-major dependencies (879de86)
• deps: update all non-major dependencies (#​20894) (3213f90)
• dev: allow aliases starting with // (#​20760) (b95fa2a)
• dev: remove timestamp query consistently (#​20887) (6537d15)
• esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#​20906) (446eb38)
• normalize path before calling fileToBuiltUrl (#​20898) (73b6d24)
• preserve original sourcemap file field when combining sourcemaps (#​20926) (c714776)

Documentation

• correct WebSocket spelling (#​20890) (29e98dc)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20923) (a5e3b06)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20773) (88af2ae)
• esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
• fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
• types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20675) (a67bb5f)
• deps: update rolldown-related dependencies (#​20772) (d785e72)

v7.1.5

Compare Source

Bug Fixes

• apply fs.strict check to HTML files (#​20736) (14015d7)
• deps: update all non-major dependencies (#​20732) (122bfba)
• upgrade sirv to 3.0.2 (#​20735) (09f2b52)

v7.1.4

Compare Source

Bug Fixes

• add missing awaits (#​20697) (79d10ed)
• deps: update all non-major dependencies (#​20676) (5a274b2)
• deps: update all non-major dependencies (#​20709) (0401feb)
• pass rollup watch options when building in watch mode (#​20674) (f367453)

Miscellaneous Chores

• remove unused constants entry from rolldown.config.ts (#​20710) (537fcf9)

Code Refactoring

• remove unnecessary minify parameter from finalizeCss (#​20701) (8099582)

v7.1.3

Compare Source

Features

• cli: add Node.js version warning for unsupported versions (#​20638) (a1be1bf)
• generate code frame for parse errors thrown by terser (#​20642) (a9ba017)
• support long lines in generateCodeFrame (#​20640) (1559577)

Bug Fixes

• deps: update all non-major dependencies (#​20634) (4851cab)
• optimizer: incorrect incompatible error (#​20439) (446fe83)
• support multiline new URL(..., import.meta.url) expressions (#​20644) (9ccf142)

Performance Improvements

• cli: dynamically import resolveConfig (#​20646) (f691f57)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20633) (98b92e8)

Code Refactoring

• replace startsWith with strict equality (#​20603) (42816de)
• use import in worker threads (#​20641) (530687a)

Tests

• remove checkNodeVersion test (#​20647) (731d3e6)

v7.1.2

Compare Source

Bug Fixes

• client: add [vite] prefixes to debug logs (#​20595) (7cdef61)
• config: make debugger work with bundle loader (#​20573) (c583927)
• deps: update all non-major dependencies (#​20587) (20d4817)
• don't consider ids with npm: prefix as a built-in module (#​20558) (ab33803)
• hmr: watch non-inlined assets referenced by CSS (#​20581) (b7d494b)
• module-runner: prevent crash when sourceMappingURL pattern appears in string literals (#​20554) (2770478)

Miscellaneous Chores

• deps: migrate to @jridgewell/remapping from @ampproject/remapping (#​20577) (0a6048a)
• deps: update rolldown-related dependencies (#​20586) (77632c5)

v7.1.1

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.0

Compare Source

Features

• support files with more than 1000 lines by generateCodeFrame (#​20508) (e7d0b2a)
• add import.meta.main support in config (bundle config loader) (#​20516) (5d3e3c2)
• optimizer: improve dependency optimization error messages with esbuild formatMessages (#​20525) (d17cfed)
• ssr: add import.meta.main support for Node.js module runner (#​20517) (794a8f2)
• add future: 'warn' (#​20473) (e6aaf17)
• add removeServerPluginContainer future deprecation (#​20437) (c1279e7)
• add removeServerReloadModule future deprecation (#​20436) (6970d17)
• add server.warmupRequest to future deprecation (#​20431) (8ad388a)
• add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#​20435) (8c8f587)
• client: ping from SharedWorker (#​19057) (5c97c22)
• dev: add this.fs support (#​20301) (0fe3f2f)
• export defaultExternalConditions (#​20279) (344d302)
• implement removePluginHookSsrArgument future deprecation (#​20433) (95927d9)
• implement removeServerHot future deprecation (#​20434) (259f45d)
• resolve server URLs before calling other listeners (#​19981) (45f6443)
• ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#​20409) (c669c52)
• ssr: support import.meta.resolve in module runner (#​20260) (62835f7)

Bug Fixes

• css: avoid warnings for image-set containing __VITE_ASSET__ (#​20520) (f1a2635)
• css: empty CSS entry points should generate CSS files, not JS files (#​20518) (bac9f3e)
• dev: denied request stalled when requested concurrently (#​20503) (64a52e7)
• manifest: initialize entryCssAssetFileNames as an empty Set (#​20542) (6a46cda)
• skip prepareOutDirPlugin in workers (#​20556) (97d5111)
• asset: only watch existing files for new URL(, import.meta.url) (#​20507) (1b211fd)
• client: keep ping on WS constructor error (#​20512) (3676da5)
• deps: update all non-major dependencies (#​20537) (fc9a9d3)
• don't resolve as relative for specifiers starting with a dot (#​20528) (c5a10ec)
• html: allow control character in input stream (#​20483) (c12a4a7)
• merge old and new noExternal: true correctly (#​20502) (9ebe4a5)
• deps: update all non-major dependencies (#​20489) (f6aa04a)
• dev: denied requests overly (#​20410) (4be5270)
• hmr: register css deps as type: asset (#​20391) (7eac8dd)
• optimizer: discover correct jsx runtime during scan (#​20495) (10d48bb)
• preview: set correct host for resolvedUrls (#​20496) (62b3e0d)
• worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#​20460) (8033e5b)

Performance Improvements

• client: reduce reload debounce (#​20429) (22ad43b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20536) (8be2787)
• deps: update dependency parse5 to v8 (#​20490) (744582d)
• format (f20addc)
• stablize cssScopeTo (#​19592) (ced1343)

Code Refactoring

• use hook filters in the worker plugin (#​20527) (958cdf2)
• extract prepareOutDir as a plugin (#​20373) (2c4af1f)
• extract resolve rollup options (#​20375) (61a9778)
• rewrite openchrome.applescript to JXA (#​20424) (7979f9d)
• use http-proxy-3 (#​20402) (26d9872)
• use hook filters in internal plugins (#​20358) (f19c4d7)
• use hook filters in internal resolve plugin (#​20480) (acd2a13)

Tests

• detect ts support via process.features (#​20544) (856d3f0)
• fix unimportant errors in test-unit (#​20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

v7.0.8

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.7

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.6

Compare Source

Features

• support files with more than 1000 lines by generateCodeFrame (#​20508) (e7d0b2a)
• add import.meta.main support in config (bundle config loader) (#​20516) (5d3e3c2)
• optimizer: improve dependency optimization error messages with esbuild formatMessages (#​20525) (d17cfed)
• ssr: add import.meta.main support for Node.js module runner (#​20517) (794a8f2)
• add future: 'warn' (#​20473) (e6aaf17)
• add removeServerPluginContainer future deprecation (#​20437) (c1279e7)
• add removeServerReloadModule future deprecation (#​20436) (6970d17)
• add server.warmupRequest to future deprecation (#​20431) (8ad388a)
• add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#​20435) (8c8f587)
• client: ping from SharedWorker (#​19057) (5c97c22)
• dev: add this.fs support (#​20301) (0fe3f2f)
• export defaultExternalConditions (#​20279) (344d302)
• implement removePluginHookSsrArgument future deprecation (#​20433) (95927d9)
• implement removeServerHot future deprecation (#​20434) (259f45d)
• resolve server URLs before calling other listeners (#​19981) (45f6443)
• ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#​20409) (c669c52)
• ssr: support import.meta.resolve in module runner (#​20260) (62835f7)

Bug Fixes

• css: avoid warnings for image-set containing __VITE_ASSET__ (#​20520) (f1a2635)
• css: empty CSS entry points should generate CSS files, not JS files (#​20518) (bac9f3e)
• dev: denied request stalled when requested concurrently (#​20503) (64a52e7)
• manifest: initialize entryCssAssetFileNames as an empty Set (#​20542) (6a46cda)
• skip prepareOutDirPlugin in workers (#​20556) (97d5111)
• asset: only watch existing files for new URL(, import.meta.url) (#​20507) (1b211fd)
• client: keep ping on WS constructor error (#​20512) (3676da5)
• deps: update all non-major dependencies (#​20537) (fc9a9d3)
• don't resolve as relative for specifiers starting with a dot (#​20528) (c5a10ec)
• html: allow control character in input stream (#​20483) (c12a4a7)
• merge old and new noExternal: true correctly (#​20502) (9ebe4a5)
• deps: update all non-major dependencies (#​20489) (f6aa04a)
• dev: denied requests overly (#​20410) (4be5270)
• hmr: register css deps as type: asset (#​20391) (7eac8dd)
• optimizer: discover correct jsx runtime during scan (#​20495) (10d48bb)
• preview: set correct host for resolvedUrls (#​20496) (62b3e0d)
• worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#​20460) (8033e5b)

Performance Improvements

• client: reduce reload debounce (#​20429) (22ad43b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20536) (8be2787)
• deps: update dependency parse5 to v8 (#​20490) (744582d)
• format (f20addc)
• stablize cssScopeTo (#​19592) (ced1343)

Code Refactoring

• use hook filters in the worker plugin (#​20527) (958cdf2)
• extract prepareOutDir as a plugin (#​20373) (2c4af1f)
• extract resolve rollup options (#​20375) (61a9778)
• rewrite openchrome.applescript to JXA (#​20424) (7979f9d)
• use http-proxy-3 (#​20402) (26d9872)
• use hook filters in internal plugins (#​20358) (f19c4d7)
• use hook filters in internal resolve plugin (#​20480) (acd2a13)

Tests

• detect ts support via process.features (#​20544) (856d3f0)
• fix unimportant errors in test-unit (#​20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

v7.0.5

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20406) (1a1cc8a)
• remove special handling for Accept: text/html (#​20376) (c9614b9)
• watch assets referenced by new URL(, import.meta.url) (#​20382) (6bc8bf6)

Miscellaneous Chores

• deps: update dependency rolldown to ^1.0.0-beta.27 (#​20405) (1165667)

Code Refactoring

• use foo.endsWith("bar") instead of /bar$/.test(foo) (#​20413) (862e192)

v7.0.4

Compare Source

Bug Fixes

• allow resolving bare specifiers to relative paths for entries (#​20379) (324669c)

Build System

• remove @oxc-project/runtime devDep (#​20389) (5e29602)

v7.0.3

Compare Source

Bug Fixes

• client: protect against window being defined but addEv undefined (#​20359) (31d1467)
• define: replace optional values (#​20338) (9465ae1)
• deps: update all non-major dependencies (#​20366) (43ac73d)

Miscellaneous Chores

• deps: update dependency dotenv to v17 (#​20325) (45040d4)
• deps: update dependency rolldown

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 85691f4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR