chore(deps-dev): bump vite from 7.3.2 to 7.3.5 #134
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.2 to 7.3.5.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
✅ Approve
1 finding — 1 minor
Review assessment
Effort: ●●●○○ 3/5
Metrics: 1 finding · 1 file touched · 0 blocker plus major findings
Severity distribution: 1 finding total (🟡 minor: 1)
TL;DR
This dependency update bumps Vite from 7.3.2 to 7.3.5, addressing path sanitization issues (UNC and Windows alternate paths) and Safari compatibility fixes. No direct defects or maintainability concerns were introduced by the version change itself, but transitive dependency updates warrant scrutiny for test coverage and edge cases.
Findings
| Severity | Location | Title | Details |
|---|---|---|---|
| 🟡 | pnpm-lock.yaml:148 | Missing test coverage for Vite 7.3.5 path sanitization fixes | The changelog indicates Vite 7.3.5 includes critical path sanitization fixes (UNC and Windows alternate paths) that mitigate potential security risks (e.g., path traversal). However, the project lacks explicit tests to verify these fixes are effective in the application's context, particularly if custom path handling is used. |
File-by-file
pnpm-lock.yaml
1 finding
- pnpm-lock.yaml:148 Missing test coverage for Vite 7.3.5 path sanitization fixes
Compliance & provenance
Compliance & audit
Model: mistral / mistral-large-latest
Prompt sha256: 05901884d90e43151b2ed77af5b7e8889afa1497f56bd4cfd2e7bb4c2c000881
No signed audit trail is attached
Missing test coverage for Vite 7.3.5 path sanitization fixes — pnpm-lock.yaml:148
🔍 Audit Reference: SOVRI-TC-C9BA-D521
Tokens: 17602 in / 1065 out · Estimated cost: $0.0104 (mistral mistral-large-latest)
| @@ -148,11 +148,11 @@ importers: | |||
| specifier: ~5.8.3 | |||
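Review bot: the only visible context line in this hunk, `specifier: ~5.8.3`, is not the vite entry, so the test-coverage finding anchored at pnpm-lock.yaml:148 does not correspond to anything on these lines; a lockfile hunk only records the resolved version, so what a reviewer should check here is that both the `specifier` and `version` fields for vite inside this 11-line replacement read 7.3.5, and the test-coverage point belongs on the PR as a whole rather than on a lockfile line.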
🟡 🧪 Test coverage
Missing test coverage for Vite 7.3.5 path sanitization fixes
Problem: The changelog indicates Vite 7.3.5 includes critical path sanitization fixes (UNC and Windows alternate paths) that mitigate potential security risks (e.g., path traversal). However, the project lacks explicit tests to verify these fixes are effective in the application's context, particularly if custom path handling is used.
Fix: Add integration tests that attempt to exploit UNC and Windows alternate paths (e.g., \\?\ prefixes) to ensure the sanitization logic is correctly applied. Verify edge cases like nested paths or malformed inputs.
🔍 Audit Reference: SOVRI-TC-C9BA-D521
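The inline review above asks for tests that feed UNC and Windows alternate paths to the editor-open endpoint. What follows is an added example written for this page, not Vite's launch-editor middleware and not this project's test suite: a stand-in `screenEditorRequest` check that applies the rejection rule named in the backport commits (UNC paths and `\\?\` / `\\.\` alternate paths), plus a constructed table of request URLs that a test can run against it. The `/__open-in-editor` route, every file name in the table and all function names are assumptions made for the example; to exercise the real dependency, the same table can be replayed against a running dev server in place of the stand-in check.

```javascript
// Added example, not Vite's code: a reference check for an "open in editor"
// style endpoint that takes a file path from the query string, exercised with
// the input classes the review asks to be tested. Route, file names and
// function names are constructed for this example.

// Two leading separators, in either slash style, cover UNC (\\server\share),
// verbatim (\\?\C:\...) and device (\\.\pipe\...) forms, as well as mixed
// forms such as /\server\share that Windows still resolves as UNC.
const UNC_OR_DEVICE_PREFIX = /^[\\\/]{2}/;

function isUncOrAlternatePath(file) {
  // Conservative: leading whitespace is stripped before the prefix test so
  // " \\?\C:\x" cannot slip past a plain startsWith-style check.
  return UNC_OR_DEVICE_PREFIX.test(file.trimStart());
}

// Screens a raw request URL such as "/__open-in-editor?file=src%2Fmain.ts".
// Returns { ok: true, file } for an acceptable path and { ok: false, reason }
// otherwise. The URL parser percent-decodes the parameter, so the check runs
// on the decoded value (%5C%5C has already become \\ by this point).
function screenEditorRequest(rawUrl) {
  const url = new URL(rawUrl, 'http://localhost');
  const file = url.searchParams.get('file');
  if (!file) return { ok: false, reason: 'missing file parameter' };
  if (file.includes('\0')) return { ok: false, reason: 'NUL byte in path' };
  if (isUncOrAlternatePath(file)) {
    return { ok: false, reason: 'UNC or Windows alternate path rejected' };
  }
  return { ok: true, file };
}

// Constructed request URLs for the test table: each entry is [url, expectedOk].
const EDITOR_REQUEST_CASES = [
  ['/__open-in-editor?file=src%2Fmain.ts', true],                       // relative
  ['/__open-in-editor?file=%2Fhome%2Fdev%2Fproj%2Fsrc%2Fmain.ts', true], // POSIX absolute
  ['/__open-in-editor?file=C%3A%5Cproj%5Csrc%5Cmain.ts', true],         // Windows drive path
  ['/__open-in-editor?file=%5C%5Cserver%5Cshare%5Cx.ts', false],        // UNC
  ['/__open-in-editor?file=%2F%2Fserver%2Fshare%2Fx.ts', false],        // forward-slash UNC
  ['/__open-in-editor?file=%5C%5C%3F%5CC%3A%5CWindows%5Cx', false],     // \\?\ verbatim path
  ['/__open-in-editor?file=%5C%5C.%5Cpipe%5Cfoo', false],               // \\.\ device path
  ['/__open-in-editor?file=%2F%5Cserver%5Cshare', false],               // mixed /\ prefix
  ['/__open-in-editor?file=%20%5C%5C%3F%5CC%3A%5Cx', false],            // leading whitespace
  ['/__open-in-editor?file=src%2Fmain.ts%00.txt', false],               // embedded NUL
  ['/__open-in-editor', false],                                          // parameter missing
];

// Runs the table and reports any case whose verdict differs from expectation.
function runEditorPathCases(cases = EDITOR_REQUEST_CASES) {
  const failures = [];
  for (const [url, expectedOk] of cases) {
    const result = screenEditorRequest(url);
    if (result.ok !== expectedOk) failures.push({ url, expectedOk, result });
  }
  return { total: cases.length, failures };
}

const summary = runEditorPathCases();
console.log(`${summary.total - summary.failures.length}/${summary.total} cases behaved as expected`);
for (const failure of summary.failures) console.log('unexpected:', failure);
```

Two points the table is built to catch: the check must run on the decoded parameter, since a client sends `%5C%5C` rather than a literal `\\`, and forward-slash UNC forms (`//server/share`) have to be rejected even when the test runs on Linux CI, because the path is ultimately handed to whatever host the dev server is running on.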


Bumps vite from 7.3.2 to 7.3.5.
Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
Commits
- 077945c release: v7.3.5
- 8a6a0c9 chore: skip v7.3.4 release
- 8c18556 fix: backport #22572, reject windows alternate paths (#22574)
- f20d64b fix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...
- ca31424 release: v7.3.3
- 5ab51c0 fix: avoid destructure lowering for newer safari (#22346)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.