chore(deps): update dependency vite to v7.3.2 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
vite (source)	devDependencies	minor	7.0.8 → 7.3.2

GitHub Vulnerability Alerts

CVE-2026-39363

Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@​fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

CVE-2026-39365

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

1. Create a minimal PoC sourcemap outside the project root

   cat > /tmp/poc.map <<'EOF'
   {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
   EOF

2. Start the Vite dev server (example)

   pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

3. Confirm that direct /@​fs access is blocked by strict (returns 403)
   
4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
   

---

Release Notes

vitejs/vite (vite)

v7.3.2

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.

v7.2.7

Compare Source

v7.2.6

Compare Source

7.2.6 (2025-12-01)

v7.2.4

Compare Source

Bug Fixes

• revert "perf(deps): replace debug with obug (#​21107)" (2d66b7b)

v7.2.3

Compare Source

Bug Fixes

• allow multiple bindCLIShortcuts calls with shortcut merging (#​21103) (5909efd)
• deps: update all non-major dependencies (#​21096) (6a34ac3)
• deps: update all non-major dependencies (#​21128) (4f8171e)

Performance Improvements

• deps: replace debug with obug (#​21107) (acfe939)

Miscellaneous Chores

• deps: update dependency @​rollup/plugin-commonjs to v29 (#​21099) (02ceaec)
• deps: update rolldown-related dependencies (#​21095) (39a0a15)
• deps: update rolldown-related dependencies (#​21127) (5029720)

v7.2.2

Compare Source

Bug Fixes

• revert "refactor: use fs.cpSync (#​21019)" (#​21081) (728c8ee)

v7.2.1

Compare Source

Bug Fixes

• worker: some worker asset was missing (#​21074) (82d2d6c)

Code Refactoring

• build: rename indexOfMatchInSlice to findPreloadMarker (#​21054) (f83264f)

v7.2.0

Compare Source

Bug Fixes

• css: fallback to sass when sass-embedded platform binary is missing (#​21002) (b1fd616)
• module-runner: make getBuiltins response JSON serializable (#​21029) (ad5b3bf)
• types: add undefined to optional properties for exactOptionalProperties type compatibility (#​21040) (2833c55)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​21047) (e3a6a83)

v7.1.12

Compare Source

Please refer to CHANGELOG.md for details.

v7.1.11

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.10

Compare Source

Bug Fixes

• css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#​20767) (3a92bc7)
• css: respect emitAssets when cssCodeSplit=false (#​20883) (d3e7eee)
• deps: update all non-major dependencies (879de86)
• deps: update all non-major dependencies (#​20894) (3213f90)
• dev: allow aliases starting with // (#​20760) (b95fa2a)
• dev: remove timestamp query consistently (#​20887) (6537d15)
• esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#​20906) (446eb38)
• normalize path before calling fileToBuiltUrl (#​20898) (73b6d24)
• preserve original sourcemap file field when combining sourcemaps (#​20926) (c714776)

Documentation

• correct WebSocket spelling (#​20890) (29e98dc)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20923) (a5e3b06)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20773) (88af2ae)
• esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
• fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
• types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20675) (a67bb5f)
• deps: update rolldown-related dependencies (#​20772) (d785e72)

v7.1.5

Compare Source

Bug Fixes

• apply fs.strict check to HTML files (#​20736) (14015d7)
• deps: update all non-major dependencies (#​20732) (122bfba)
• upgrade sirv to 3.0.2 (#​20735) (09f2b52)

v7.1.4

Compare Source

Bug Fixes

• add missing awaits (#​20697) (79d10ed)
• deps: update all non-major dependencies (#​20676) (5a274b2)
• deps: update all non-major dependencies (#​20709) (0401feb)
• pass rollup watch options when building in watch mode (#​20674) (f367453)

Miscellaneous Chores

• remove unused constants entry from rolldown.config.ts (#​20710) (537fcf9)

Code Refactoring

• remove unnecessary minify parameter from finalizeCss (#​20701) (8099582)

v7.1.3

Compare Source

Features

• cli: add Node.js version warning for unsupported versions (#​20638) (a1be1bf)
• generate code frame for parse errors thrown by terser (#​20642) (a9ba017)
• support long lines in generateCodeFrame (#​20640) (1559577)

Bug Fixes

• deps: update all non-major dependencies (#​20634) (4851cab)
• optimizer: incorrect incompatible error (#​20439) (446fe83)
• support multiline new URL(..., import.meta.url) expressions (#​20644) (9ccf142)

Performance Improvements

• cli: dynamically import resolveConfig (#​20646) (f691f57)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20633) (98b92e8)

Code Refactoring

• replace startsWith with strict equality (#​20603) (42816de)
• use import in worker threads (#​20641) (530687a)

Tests

• remove checkNodeVersion test (#​20647) (731d3e6)

v7.1.2

Compare Source

Bug Fixes

• client: add [vite] prefixes to debug logs (#​20595) (7cdef61)
• config: make debugger work with bundle loader (#​20573) (c583927)
• deps: update all non-major dependencies (#​20587) (20d4817)
• don't consider ids with npm: prefix as a built-in module (#​20558) (ab33803)
• hmr: watch non-inlined assets referenced by CSS (#​20581) (b7d494b)
• module-runner: prevent crash when sourceMappingURL pattern appears in string literals (#​20554) (2770478)

Miscellaneous Chores

• deps: migrate to @jridgewell/remapping from @ampproject/remapping (#​20577) (0a6048a)
• deps: update rolldown-related dependencies (#​20586) (77632c5)

v7.1.1

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.0

Compare Source

Features

• support files with more than 1000 lines by generateCodeFrame (#​20508) (e7d0b2a)
• add import.meta.main support in config (bundle config loader) (#​20516) (5d3e3c2)
• optimizer: improve dependency optimization error messages with esbuild formatMessages (#​20525) (d17cfed)
• ssr: add import.meta.main support for Node.js module runner (#​20517) (794a8f2)
• add future: 'warn' (#​20473) (e6aaf17)
• add removeServerPluginContainer future deprecation (#​20437) (c1279e7)
• add removeServerReloadModule future deprecation (#​20436) (6970d17)
• add server.warmupRequest to future deprecation (#​20431) (8ad388a)
• add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#​20435) (8c8f587)
• client: ping from SharedWorker (#​19057) (5c97c22)
• dev: add this.fs support (#​20301) (0fe3f2f)
• export defaultExternalConditions (#​20279) (344d302)
• implement removePluginHookSsrArgument future deprecation (#​20433) (95927d9)
• implement removeServerHot future deprecation (#​20434) (259f45d)
• resolve server URLs before calling other listeners (#​19981) (45f6443)
• ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#​20409) (c669c52)
• ssr: support import.meta.resolve in module runner (#​20260) (62835f7)

Bug Fixes

• css: avoid warnings for image-set containing __VITE_ASSET__ (#​20520) (f1a2635)
• css: empty CSS entry points should generate CSS files, not JS files (#​20518) (bac9f3e)
• dev: denied request stalled when requested concurrently (#​20503) (64a52e7)
• manifest: initialize entryCssAssetFileNames as an empty Set (#​20542) (6a46cda)
• skip prepareOutDirPlugin in workers (#​20556) (97d5111)
• asset: only watch existing files for new URL(, import.meta.url) (#​20507) (1b211fd)
• client: keep ping on WS constructor error (#​20512) (3676da5)
• deps: update all non-major dependencies (#​20537) (fc9a9d3)
• don't resolve as relative for specifiers starting with a dot (#​20528) (c5a10ec)
• html: allow control character in input stream (#​20483) (c12a4a7)
• merge old and new noExternal: true correctly (#​20502) (9ebe4a5)
• deps: update all non-major dependencies (#​20489) (f6aa04a)
• dev: denied requests overly (#​20410) (4be5270)
• hmr: register css deps as type: asset (#​20391) (7eac8dd)
• optimizer: discover correct jsx runtime during scan (#​20495) (10d48bb)
• preview: set correct host for resolvedUrls (#​20496) (62b3e0d)
• worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#​20460) (8033e5b)

Performance Improvements

• client: reduce reload debounce (#​20429) (22ad43b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20536) (8be2787)
• deps: update dependency parse5 to v8 (#​20490) (744582d)
• format (f20addc)
• stablize cssScopeTo (#​19592) (ced1343)

Code Refactoring

• use hook filters in the worker plugin (#​20527) (958cdf2)
• extract prepareOutDir as a plugin (#​20373) (2c4af1f)
• extract resolve rollup options (#​20375) (61a9778)
• rewrite openchrome.applescript to JXA (#​20424) (7979f9d)
• use http-proxy-3 (#​20402) (26d9872)
• use hook filters in internal plugins (#​20358) (f19c4d7)
• use hook filters in internal resolve plugin (#​20480) (acd2a13)

Tests

• detect ts support via process.features (#​20544) (856d3f0)
• fix unimportant errors in test-unit (#​20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.