Skip to content

Bump vite from 7.1.9 to 7.1.11 #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 22, 2025
Merged

Bump vite from 7.1.9 to 7.1.11 #124

merged 2 commits into from
Oct 22, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 20, 2025
edited
Loading

Bumps vite from 7.1.9 to 7.1.11.

Release notes

Sourced from vite's releases.

v7.1.11

Please refer to CHANGELOG.md for details.

v7.1.10

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.1.11 (2025-10-20)

Bug Fixes

  • dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

Code Refactoring

  • use subpath imports for types module reference (#20921) (d0094af)

Build System

7.1.10 (2025-10-14)

Bug Fixes

  • css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
  • css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
  • deps: update all non-major dependencies (879de86)
  • deps: update all non-major dependencies (#20894) (3213f90)
  • dev: allow aliases starting with // (#20760) (b95fa2a)
  • dev: remove timestamp query consistently (#20887) (6537d15)
  • esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
  • normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
  • preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

Miscellaneous Chores

Commits
  • 8b69c9e release: v7.1.11
  • f479cc5 fix(dev): trim trailing slash before server.fs.deny check (#20968)
  • 6fb41a2 chore(deps): update all non-major dependencies (#20966)
  • a817307 build: remove hash from built filenames (#20946)
  • ef411ce build: remove cjs reference in files field (#20945)
  • d0094af refactor: use subpath imports for types module reference (#20921)
  • ed4a0dc release: v7.1.10
  • c714776 fix: preserve original sourcemap file field when combining sourcemaps (#20926)
  • 446eb38 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20906)
  • 879de86 fix(deps): update all non-major dependencies
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Oct 20, 2025
@changeset-bot
Copy link

changeset-bot bot commented Oct 20, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 9be54e8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/vite-7.1.11 branch from d0b356f to 5d7f8a1 Compare October 21, 2025 09:00
@pkg-pr-new
Copy link

pkg-pr-new bot commented Oct 21, 2025

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/sandbox-sdk/@cloudflare/sandbox@124

commit: 5d7f8a1

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/vite-7.1.11 branch 2 times, most recently from 6048d10 to 9368cbe Compare October 21, 2025 14:47
@dependabot
Bump vite from 7.1.9 to 7.1.11
a61c2fa 
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.1.9 to 7.1.11.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.1.11/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.1.11
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/vite-7.1.11 branch from 9368cbe to a61c2fa Compare October 22, 2025 17:53
@claude
Copy link
Contributor

claude bot commented Oct 22, 2025

PR Review: Bump vite from 7.1.9 to 7.1.11

Summary

This is a Dependabot PR that updates Vite from version 7.1.9 to 7.1.11, which includes two minor patch releases (7.1.10 and 7.1.11).

✅ Code Quality & Best Practices

Positive aspects:

  • Proper changeset added - The PR includes a changeset file (.changeset/nervous-dryers-tie.md) which follows the repository's change management workflow
  • Minimal surface area - Only updates the necessary files (package.json, package-lock.json, and changeset)
  • Automated dependency management - Using Dependabot for dependency updates is a best practice

Observations:

  • The changeset file has empty frontmatter (---\n\n---). While this may be intentional for Dependabot PRs, consider adding a package specifier if this change should be tracked for release notes

🐛 Potential Bugs & Issues

✅ No significant concerns identified

The version bump includes several bug fixes from the Vite changelog:

  • v7.1.11: Fix for server.fs.deny check with trailing slashes (security-adjacent fix)
  • v7.1.10: Multiple bug fixes including CSS handling, esbuild helper injection, sourcemap preservation

These are all fixes, meaning the update reduces bugs rather than introducing them.

⚡ Performance Considerations

✅ Positive performance impact expected

Based on the Vite changelog:

  • Build system improvements (removal of hash from filenames, CJS reference cleanup)
  • Refactoring for better module references (subpath imports for types)
  • Dependencies updated to latest non-major versions

No performance regressions expected from this update.

🔒 Security Concerns

⚠️ Important security fix included

v7.1.11 includes a security-relevant fix:

  • Fix: Trim trailing slash before server.fs.deny check (#20968)
    • This prevents potential bypass of filesystem access restrictions
    • Recommendation: This fix alone justifies merging this PR promptly

No known CVEs in the skipped versions (7.1.9), but staying up-to-date with patch releases is a security best practice.

🧪 Test Coverage

Observations:

  • This is a build-tool dependency update in devDependencies
  • Impact is limited to development and build processes
  • Recommendation: Ensure CI passes before merging, particularly:
    • Build steps complete successfully
    • All existing tests pass
    • No unexpected build output changes

Action item: Verify CI checks are green (especially build and test workflows)

📋 Additional Recommendations

  1. ✅ Safe to merge once CI passes - This is a patch-level update with bug fixes and security improvements
  2. Consider: Reviewing the full changelog if your project uses advanced Vite features:
    • CSS code splitting (cssCodeSplit)
    • Custom filesystem deny rules (server.fs.deny)
    • Sourcemap combining
    • esbuild 0.25.9+ features
  3. Lock file changes: The package-lock.json shows some peer dependency reorganization (removal of "peer": true flags). This is normal and expected with npm lock file format updates.

🎯 Verdict

LGTM with recommendation to merge

This PR should be merged once CI passes. The security fix for filesystem access controls (server.fs.deny) and multiple bug fixes make this a worthwhile update with minimal risk.

Priority: Medium-High (due to security fix)
Risk: Low (patch-level update with fixes only)

@ghostwriternr ghostwriternr merged commit e517b56 into main Oct 22, 2025
8 checks passed
@ghostwriternr ghostwriternr deleted the dependabot/npm_and_yarn/vite-7.1.11 branch October 22, 2025 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ghostwriternr ghostwriternr ghostwriternr approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ghostwriternr