Update dependency vite to v7 [SECURITY] - autoclosed

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	^6.2.0 → ^7.0.0

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v7.1.11

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.10

Compare Source

Bug Fixes

• css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#​20767) (3a92bc7)
• css: respect emitAssets when cssCodeSplit=false (#​20883) (d3e7eee)
• deps: update all non-major dependencies (879de86)
• deps: update all non-major dependencies (#​20894) (3213f90)
• dev: allow aliases starting with // (#​20760) (b95fa2a)
• dev: remove timestamp query consistently (#​20887) (6537d15)
• esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#​20906) (446eb38)
• normalize path before calling fileToBuiltUrl (#​20898) (73b6d24)
• preserve original sourcemap file field when combining sourcemaps (#​20926) (c714776)

Documentation

• correct WebSocket spelling (#​20890) (29e98dc)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20923) (a5e3b06)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20773) (88af2ae)
• esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
• fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
• types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20675) (a67bb5f)
• deps: update rolldown-related dependencies (#​20772) (d785e72)

v7.1.5

Compare Source

Bug Fixes

• apply fs.strict check to HTML files (#​20736) (14015d7)
• deps: update all non-major dependencies (#​20732) (122bfba)
• upgrade sirv to 3.0.2 (#​20735) (09f2b52)

v7.1.4

Compare Source

Bug Fixes

• add missing awaits (#​20697) (79d10ed)
• deps: update all non-major dependencies (#​20676) (5a274b2)
• deps: update all non-major dependencies (#​20709) (0401feb)
• pass rollup watch options when building in watch mode (#​20674) (f367453)

Miscellaneous Chores

• remove unused constants entry from rolldown.config.ts (#​20710) (537fcf9)

Code Refactoring

• remove unnecessary minify parameter from finalizeCss (#​20701) (8099582)

v7.1.3

Compare Source

Features

• cli: add Node.js version warning for unsupported versions (#​20638) (a1be1bf)
• generate code frame for parse errors thrown by terser (#​20642) (a9ba017)
• support long lines in generateCodeFrame (#​20640) (1559577)

Bug Fixes

• deps: update all non-major dependencies (#​20634) (4851cab)
• optimizer: incorrect incompatible error (#​20439) (446fe83)
• support multiline new URL(..., import.meta.url) expressions (#​20644) (9ccf142)

Performance Improvements

• cli: dynamically import resolveConfig (#​20646) (f691f57)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20633) (98b92e8)

Code Refactoring

• replace startsWith with strict equality (#​20603) (42816de)
• use import in worker threads (#​20641) (530687a)

Tests

• remove checkNodeVersion test (#​20647) (731d3e6)

v7.1.2

Compare Source

Bug Fixes

• client: add [vite] prefixes to debug logs (#​20595) (7cdef61)
• config: make debugger work with bundle loader (#​20573) (c583927)
• deps: update all non-major dependencies (#​20587) (20d4817)
• don't consider ids with npm: prefix as a built-in module (#​20558) (ab33803)
• hmr: watch non-inlined assets referenced by CSS (#​20581) (b7d494b)
• module-runner: prevent crash when sourceMappingURL pattern appears in string literals (#​20554) (2770478)

Miscellaneous Chores

• deps: migrate to @jridgewell/remapping from @ampproject/remapping (#​20577) (0a6048a)
• deps: update rolldown-related dependencies (#​20586) (77632c5)

v7.1.1

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.0

Compare Source

Features

• support files with more than 1000 lines by generateCodeFrame (#​20508) (e7d0b2a)
• add import.meta.main support in config (bundle config loader) (#​20516) (5d3e3c2)
• optimizer: improve dependency optimization error messages with esbuild formatMessages (#​20525) (d17cfed)
• ssr: add import.meta.main support for Node.js module runner (#​20517) (794a8f2)
• add future: 'warn' (#​20473) (e6aaf17)
• add removeServerPluginContainer future deprecation (#​20437) (c1279e7)
• add removeServerReloadModule future deprecation (#​20436) (6970d17)
• add server.warmupRequest to future deprecation (#​20431) (8ad388a)
• add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#​20435) (8c8f587)
• client: ping from SharedWorker (#​19057) (5c97c22)
• dev: add this.fs support (#​20301) (0fe3f2f)
• export defaultExternalConditions (#​20279) (344d302)
• implement removePluginHookSsrArgument future deprecation (#​20433) (95927d9)
• implement removeServerHot future deprecation (#​20434) (259f45d)
• resolve server URLs before calling other listeners (#​19981) (45f6443)
• ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#​20409) (c669c52)
• ssr: support import.meta.resolve in module runner (#​20260) (62835f7)

Bug Fixes

• css: avoid warnings for image-set containing __VITE_ASSET__ (#​20520) (f1a2635)
• css: empty CSS entry points should generate CSS files, not JS files (#​20518) (bac9f3e)
• dev: denied request stalled when requested concurrently (#​20503) (64a52e7)
• manifest: initialize entryCssAssetFileNames as an empty Set (#​20542) (6a46cda)
• skip prepareOutDirPlugin in workers (#​20556) (97d5111)
• asset: only watch existing files for new URL(, import.meta.url) (#​20507) (1b211fd)
• client: keep ping on WS constructor error (#​20512) (3676da5)
• deps: update all non-major dependencies (#​20537) (fc9a9d3)
• don't resolve as relative for specifiers starting with a dot (#​20528) (c5a10ec)
• html: allow control character in input stream (#​20483) (c12a4a7)
• merge old and new noExternal: true correctly (#​20502) (9ebe4a5)
• deps: update all non-major dependencies (#​20489) (f6aa04a)
• dev: denied requests overly (#​20410) (4be5270)
• hmr: register css deps as type: asset (#​20391) (7eac8dd)
• optimizer: discover correct jsx runtime during scan (#​20495) (10d48bb)
• preview: set correct host for resolvedUrls (#​20496) (62b3e0d)
• worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#​20460) (8033e5b)

Performance Improvements

• client: reduce reload debounce (#​20429) (22ad43b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20536) (8be2787)
• deps: update dependency parse5 to v8 (#​20490) (744582d)
• format (f20addc)
• stablize cssScopeTo (#​19592) (ced1343)

Code Refactoring

• use hook filters in the worker plugin (#​20527) (958cdf2)
• extract prepareOutDir as a plugin (#​20373) (2c4af1f)
• extract resolve rollup options (#​20375) (61a9778)
• rewrite openchrome.applescript to JXA (#​20424) (7979f9d)
• use http-proxy-3 (#​20402) (26d9872)
• use hook filters in internal plugins (#​20358) (f19c4d7)
• use hook filters in internal resolve plugin (#​20480) (acd2a13)

Tests

• detect ts support via process.features (#​20544) (856d3f0)
• fix unimportant errors in test-unit (#​20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

v7.0.8

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.7

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.6

Compare Source

Features

• support files with more than 1000 lines by generateCodeFrame (#​20508) (e7d0b2a)
• add import.meta.main support in config (bundle config loader) (#​20516) (5d3e3c2)
• optimizer: improve dependency optimization error messages with esbuild formatMessages (#​20525) (d17cfed)
• ssr: add import.meta.main support for Node.js module runner (#​20517) (794a8f2)
• add future: 'warn' (#​20473) (e6aaf17)
• add removeServerPluginContainer future deprecation (#​20437) (c1279e7)
• add removeServerReloadModule future deprecation (#​20436) (6970d17)
• add server.warmupRequest to future deprecation (#​20431) (8ad388a)
• add ssrFixStacktrace / ssrRewriteStacktrace to removeSsrLoadModule future deprecation (#​20435) (8c8f587)
• client: ping from SharedWorker (#​19057) (5c97c22)
• dev: add this.fs support (#​20301) (0fe3f2f)
• export defaultExternalConditions (#​20279) (344d302)
• implement removePluginHookSsrArgument future deprecation (#​20433) (95927d9)
• implement removeServerHot future deprecation (#​20434) (259f45d)
• resolve server URLs before calling other listeners (#​19981) (45f6443)
• ssr: resolve externalized packages with resolve.externalConditions and add module-sync to default external condition (#​20409) (c669c52)
• ssr: support import.meta.resolve in module runner (#​20260) (62835f7)

Bug Fixes

• css: avoid warnings for image-set containing __VITE_ASSET__ (#​20520) (f1a2635)
• css: empty CSS entry points should generate CSS files, not JS files (#​20518) (bac9f3e)
• dev: denied request stalled when requested concurrently (#​20503) (64a52e7)
• manifest: initialize entryCssAssetFileNames as an empty Set (#​20542) (6a46cda)
• skip prepareOutDirPlugin in workers (#​20556) (97d5111)
• asset: only watch existing files for new URL(, import.meta.url) (#​20507) (1b211fd)
• client: keep ping on WS constructor error (#​20512) (3676da5)
• deps: update all non-major dependencies (#​20537) (fc9a9d3)
• don't resolve as relative for specifiers starting with a dot (#​20528) (c5a10ec)
• html: allow control character in input stream (#​20483) (c12a4a7)
• merge old and new noExternal: true correctly (#​20502) (9ebe4a5)
• deps: update all non-major dependencies (#​20489) (f6aa04a)
• dev: denied requests overly (#​20410) (4be5270)
• hmr: register css deps as type: asset (#​20391) (7eac8dd)
• optimizer: discover correct jsx runtime during scan (#​20495) (10d48bb)
• preview: set correct host for resolvedUrls (#​20496) (62b3e0d)
• worker: resolve WebKit compat with inline workers by deferring blob URL revocation (#​20460) (8033e5b)

Performance Improvements

• client: reduce reload debounce (#​20429) (22ad43b)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20536) (8be2787)
• deps: update dependency parse5 to v8 (#​20490) (744582d)
• format (f20addc)
• stablize cssScopeTo (#​19592) (ced1343)

Code Refactoring

• use hook filters in the worker plugin (#​20527) (958cdf2)
• extract prepareOutDir as a plugin (#​20373) (2c4af1f)
• extract resolve rollup options (#​20375) (61a9778)
• rewrite openchrome.applescript to JXA (#​20424) (7979f9d)
• use http-proxy-3 (#​20402) (26d9872)
• use hook filters in internal plugins (#​20358) (f19c4d7)
• use hook filters in internal resolve plugin (#​20480) (acd2a13)

Tests

• detect ts support via process.features (#​20544) (856d3f0)
• fix unimportant errors in test-unit (#​20545) (1f23554)

Beta Changelogs

7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

v7.0.5

Compare Source

Bug Fixes

• deps: update all non-major dependencies (#​20406) (1a1cc8a)
• remove special handling for Accept: text/html (#​20376) (c9614b9)
• watch assets referenced by new URL(, import.meta.url) (#​20382) (6bc8bf6)

Miscellaneous Chores

• deps: update dependency rolldown to ^1.0.0-beta.27 (#​20405) (1165667)

Code Refactoring

• use foo.endsWith("bar") instead of /bar$/.test(foo) (#​20413) (862e192)

v7.0.4

Compare Source

Bug Fixes

• allow resolving bare specifiers to relative paths for entries (#​20379) (324669c)

Build System

• remove @oxc-project/runtime devDep (#​20389) (5e29602)

v7.0.3

Compare Source

Bug Fixes

• client: protect against window being defined but addEv undefined (#​20359) (31d1467)
• define: replace optional values (#​20338) (9465ae1)
• deps: update all non-major dependencies (#​20366) (43ac73d)

Miscellaneous Chores

• deps: update dependency dotenv to v17 (#​20325) (45040d4)
• deps: update dependency rolldown to ^1.0.0-beta.24 (#​20365) (5ab25e7)
• use n/prefer-node-protocol rule (#​20368) (38bb268)

Code Refactoring

• minor changes to reduce diff between normal Vite and rolldown-vite (#​20354) (2e8050e)

v7.0.2

Compare Source

Bug Fixes

• css: resolve relative paths in sass, revert #​20300 (#​20349) (db8bd41)

v7.0.1

Compare Source

Bug Fixes

• css: skip resolving resolved paths in sass (#​20300) (ac528a4)
• deps: update all non-major dependencies (#​20324) (3e81af3)
• types: add a global interface for Worker (#​20243) (37bdfc1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20323) (30d2f1b)
• fix typos and grammatical errors across documentation and comments (#​20337) (c1c951d)
• group commits by category in changelog (#​20310) (41e83f6)
• rearrange 7.0 changelog (#​20280) (eafd28a)

v7.0.0

Compare Source

Today, we're excited to announce the release of the next Vite major:

• Vite 7.0 announcement blog post
• Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
• Migration Guide

⚠ BREAKING CHANGES

• ssr: don't access Object variable in ssr transformed code (#​19996)
• remove experimental.skipSsrTransform option (#​20038)
• remove HotBroadcaster (#​19988)
• css: always use sass compiler API (#​19978)
• bump build.target and name it baseline-widely-available (#​20007)
• bump required node version to 20.19+, 22.12+ and remove cjs build (#​20032)
• css: remove sass legacy API support (#​19977)
• remove deprecated HotBroadcaster related types (#​19987)
• remove deprecated no-op type only properties (#​19985)
• remove node 18 support (#​19972)
• remove deprecated hook-level enforce/transform from transformIndexHtml hook (#​19349)
• remove deprecated splitVendorChunkPlugin (#​19255)

Features

• types: use terser types from terser package (#​20274) (a5799fa)
• apply some middlewares before configurePreviewServer hook (#​20224) (b989c42)
• apply some middlewares before configureServer hook (#​20222) (f5cc4c0)
• add base option to import.meta.glob (#​20163) (253d6c6)
• add this.meta.viteVersion (#​20088) (f55bf41)
• allow passing down resolved config to vite's createServer (#​19894) (c1ae9bd)
• buildApp hook (#​19971) (5da659d)
• build: provide names for asset entrypoints (#​19912) (c4e01dc)
• bump build.target and name it baseline-widely-available (#​20007) (4a8aa82)
• client: support opening fileURL in editor (#​20040) (1bde4d2)
• make PluginContext available for Vite-specific hooks (#​19936) (7063839)
• resolve environments plugins at config time (#​20120) (f6a28d5)
• stabilize css.preprocessorMaxWorkers and default to true (#​19992) (70aee13)
• stabilize optimizeDeps.noDiscovery (#​19984) (6d2dcb4)

Bug Fixes

• deps: update all non-major dependencies (#​20271) (6b64d63)
• keep import.meta.url in bundled Vite (#​20235) (3bf3a8a)
• module-runner: export ssrExportNameKey (#​20266) (ac302a7)
• *module-runner:

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.