chore(deps): update dependency vite to v7.1.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	7.1.10 -> 7.1.11

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v7.1.11

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hi-ogawa]

I think CI failure is due to rollup update.

$ pnpm -C packages/plugin-rsc/examples/starter-cf-single/ build
...
9:49:39 AM [vite] Unexpected Node.js imports for environment "rsc". Do you need to enable the "nodejs_compat" compatibility flag? Refer to https://developers.cloudflare.com/workers/runtime-apis/nodejs/ for more details.
 - "node:module" imported from "node:async_hooks?commonjs-external"

dist/client/wrangler.json                      1.23 kB │ gzip:   0.61 kB
dist/client/assets/react-CHdo91hT.svg          4.13 kB │ gzip:   2.05 kB
dist/client/assets/index-BoQsawTv.css          1.78 kB │ gzip:   0.80 kB
dist/client/assets/worker-entry-HlElc0dF.js    0.40 kB │ gzip:   0.27 kB
dist/client/assets/index-B_LLvm3p.js         622.42 kB │ gzip: 111.73 kB
✓ built in 435ms
vite v7.1.11 building SSR bundle for production...
✓ 40 modules transformed.
dist/rsc/ssr/assets/worker-entry-BQBrefET.js    0.45 kB
dist/rsc/ssr/index.js                         590.27 kB
✓ built in 327ms

[hi-ogawa]

Maybe not. I override rollup but it didn't fix. I also pinned esbuild but it didn't change as well.

[sapphi-red]

It sounds like it's related to rollup/plugins#1909 (7.0.11 includes that via vitejs/vite#20966)

[hi-ogawa]

Good find. Hmm, commonjs plugin to magically injecting createRequire doesn't seem good.