Skip to content

build(deps-dev): Bump vite from 7.1.9 to 7.1.11 #125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 21, 2025
Merged

build(deps-dev): Bump vite from 7.1.9 to 7.1.11 #125

merged 1 commit into from
Oct 21, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 20, 2025

Bumps vite from 7.1.9 to 7.1.11.

Release notes

Sourced from vite's releases.

v7.1.11

Please refer to CHANGELOG.md for details.

v7.1.10

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.1.11 (2025-10-20)

Bug Fixes

  • dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

Code Refactoring

  • use subpath imports for types module reference (#20921) (d0094af)

Build System

7.1.10 (2025-10-14)

Bug Fixes

  • css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
  • css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
  • deps: update all non-major dependencies (879de86)
  • deps: update all non-major dependencies (#20894) (3213f90)
  • dev: allow aliases starting with // (#20760) (b95fa2a)
  • dev: remove timestamp query consistently (#20887) (6537d15)
  • esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
  • normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
  • preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

Miscellaneous Chores

Commits
  • 8b69c9e release: v7.1.11
  • f479cc5 fix(dev): trim trailing slash before server.fs.deny check (#20968)
  • 6fb41a2 chore(deps): update all non-major dependencies (#20966)
  • a817307 build: remove hash from built filenames (#20946)
  • ef411ce build: remove cjs reference in files field (#20945)
  • d0094af refactor: use subpath imports for types module reference (#20921)
  • ed4a0dc release: v7.1.10
  • c714776 fix: preserve original sourcemap file field when combining sourcemaps (#20926)
  • 446eb38 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20906)
  • 879de86 fix(deps): update all non-major dependencies
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps-dev): Bump vite from 7.1.9 to 7.1.11
4c8806b 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.1.9 to 7.1.11.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 20, 2025
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Oct 20, 2025
edited
Loading

Deploying blinklabs-vpn with  Cloudflare Pages  Cloudflare Pages

Latest commit: 4c8806b
Status: ✅  Deploy successful!
Preview URL: https://5e4c2d11.blinklabs-vpn.pages.dev
Branch Preview URL: https://dependabot-npm-and-yarn-vite-7xvk.blinklabs-vpn.pages.dev

View logs

@fossabot
Copy link

fossabot bot commented Oct 21, 2025
edited
Loading

fossabot is Thinking

@fossabot
Copy link

fossabot bot commented Oct 21, 2025
edited
Loading

✓ Safe to upgrade

I recommend merging this upgrade because it patches critical security vulnerabilities (CVE-2025-30208, CVE-2025-31125, CVE-2025-31486) affecting arbitrary file read operations, includes bug fixes for HMR and optimizer functionality, and is fully compatible with the project's current configuration. The project already has Node.js 24 type definitions installed and uses @​tailwindcss/vite 4.1.14 which explicitly supports Vite 7, eliminating the major compatibility concerns mentioned in preliminary reports.

What we checked

  • Vite successfully upgraded to 7.1.11, patching critical arbitrary file read vulnerabilities [1]
  • @​tailwindcss/vite 4.1.14 peer dependency explicitly supports 'vite': '^5.2.0 || ^6 || ^7', confirming full compatibility [2]
  • @​types/node 24.0.10 installed, satisfying Vite 7.1.11's optional peer dependency requirement of ^20.19.0 || >=22.12.0 [3]
  • Vite's @​types/node peer dependency is marked as optional, preventing installation failures [4]
  • Project uses @​tailwindcss/vite plugin which is confirmed compatible with Vite 7 [5]
  • Vite dependency declaration allows for automatic patch updates within 7.1.x range [6]

Dependency Usage

Vite serves as the foundational build tool and development server for this VPN frontend application, configured with React support, image optimization, and API proxying to enable the entire development workflow. The application uses Vite exclusively through its configuration file and npm scripts to power local development, production builds, preview servers, and the complete test suite via vitest. This centralized build tool architecture enables the team to develop a Cardano wallet-connected VPN interface with optimized assets, hot module reloading, and comprehensive testing capabilities.

Changes

Vite updated with two breaking changes affecting HMR behavior when imports are removed from non-HMR modules and optimizer error handling for incompatible dependencies. The update includes ten bug fixes addressing esbuild helper injection, glob pattern HMR, SSR asset emission, and improved handling of npm-prefixed module IDs, along with three new features including Node.js version warnings and multiline URL expression support.

View 69 more changes
References (6)

[1]: Vite successfully upgraded to 7.1.11, patching critical arbitrary file read vulnerabilities

vpn-frontend/package-lock.json

Line 14461 in 4c8806b

"version": "7.1.11",

[2]: @​tailwindcss/vite 4.1.14 peer dependency explicitly supports 'vite': '^5.2.0 || ^6 || ^7', confirming full compatibility

vpn-frontend/package-lock.json

Line 3082 in 4c8806b

"vite": "^5.2.0 || ^6 || ^7"

[3]: @​types/node 24.0.10 installed, satisfying Vite 7.1.11's optional peer dependency requirement of ^20.19.0 || >=22.12.0

vpn-frontend/package-lock.json

Line 3459 in 4c8806b

"version": "24.0.10",

[4]: Vite's @​types/node peer dependency is marked as optional, preventing installation failures

vpn-frontend/package-lock.json

Line 14499 in 4c8806b

"@types/node": {

[5]: Project uses @​tailwindcss/vite plugin which is confirmed compatible with Vite 7

vpn-frontend/vite.config.ts

Line 3 in 4c8806b

import tailwindcss from '@tailwindcss/vite'

[6]: Vite dependency declaration allows for automatic patch updates within 7.1.x range

vpn-frontend/package.json

Line 51 in 4c8806b

"vite": "^7.1.11",

fossabot analyzed this PR using dependency research.

@wolf31o2 wolf31o2 merged commit 23e95fd into main Oct 21, 2025
3 checks passed
@wolf31o2 wolf31o2 deleted the dependabot/npm_and_yarn/vite-7.1.11 branch October 21, 2025 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolf31o2 wolf31o2 wolf31o2 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@wolf31o2