Merged
Three HIGH/MODERATE severity advisories affect Vite <=7.3.1:

- GHSA-p9ff-h696-f583 (High): Arbitrary file read via dev server WS
- GHSA-v2wj-q39q-566r (High): server.fs.deny bypass with queries
- GHSA-4w7w-66w2-5vf9 (Moderate): Path traversal in optimized deps .map

All patched in 7.3.2.

Context
-------

Updated 41 package.json files across playgrounds, community, starter, docs, and SDK to pin vite@~7.3.2. Also updated the root pnpm override from vite@7.1.9->7.3.1 to vite@7.3.1->7.3.2 to intercept the vitest->@antfu/eslint-config transitive chain.

Consumers
---------

The SDK's peer dep range ("vite": "^6.2.6 || 7.x") already accepts 7.3.2. No SDK changes needed for consumers to receive the patched version. The SDK's own dev dependency also updated to ~7.3.2.
Deploying redwood-sdk-docs with

Latest commit: 92b79d6
Status: ✅ Deploy successful!
Preview URL: https://7e5c492e.redwood-sdk-docs.pages.dev
Branch Preview URL: https://fix-vite-7-3-2-security-upda.redwood-sdk-docs.pages.dev
Bumps vite across the monorepo to 7.3.2, including updated wrangler versions from main merge.
Released as part of v1.0.7.
Context
-------

Bumps vite across the monorepo to 7.3.2 in preparation for an upcoming minor release. This applies to all workspace packages that declare a vite dependency.

What Changed
------------

41 package.json files updated across the monorepo:

- playground/* (29 packages) — "vite": "7.3.1" → "vite": "~7.3.2"
- community/playground/* (5 packages) — same
- starter, docs, sdk (5 packages) — "vite": "~7.3.1" → "vite": "~7.3.2"
- Root pnpm override updated to point to the new version.

Lockfile updated to reflect vite@7.3.2 across all workspaces.

Details
-------

All playgrounds, starter, community workspaces, docs, and the SDK are now pinned to vite@~7.3.2. Root-level dev tooling (vitest chain) also resolved to the same version.

Consumers
---------

No action required. The SDK's peer dependency range already accepts 7.3.2:

Consumers running pnpm install will resolve vite@7.3.2 automatically if no direct pin is in place. No breaking changes — this is a patch bump within the existing semver range.
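One way to verify a bump like the one described above, as an added example that is not code from the redwood-sdk repository or this PR: it computes the floor of every vite specifier in a set of package.json files (plus any pnpm override target) and flags anything that can still resolve below 7.3.2, the first release carrying the three fixes. The file contents, the `audit` function and the simplified range grammar (exact, `~`, `^`, `x`, `||`) are this example's own assumptions; peer ranges are deliberately left out because they describe what a consumer brings, not what the repo installs.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# First vite release carrying the fixes for the three advisories this PR cites
# (GHSA-p9ff-h696-f583, GHSA-v2wj-q39q-566r, GHSA-4w7w-66w2-5vf9).
PATCHED = (7, 3, 2)
# Fields the repo itself installs from; peer ranges describe what a consumer
# brings, so they are not audited here.
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

def range_floor(spec: str) -> Optional[Tuple[int, int, int]]:
    """Lowest version a simple npm range can resolve to (exact pins, ~ and ^
    prefixes, 'x' wildcards, '||' unions). None means: review by hand."""
    floors = []
    for alt in spec.split("||"):
        m = re.fullmatch(r"\s*[~^]?(\d+)(?:\.(\d+|x))?(?:\.(\d+|x))?\s*", alt)
        if not m:
            return None
        floors.append(tuple(0 if p in (None, "x") else int(p) for p in m.groups()))
    return min(floors)

def audit(files: Dict[str, str]) -> List[str]:
    """One finding per vite specifier (dependency fields and pnpm override
    targets) whose floor is below PATCHED or cannot be parsed."""
    findings = []
    for path, text in files.items():
        pkg = json.loads(text)
        specs = [(f, pkg[f]["vite"]) for f in DEP_FIELDS if "vite" in pkg.get(f, {})]
        for key, target in pkg.get("pnpm", {}).get("overrides", {}).items():
            if key.split("@")[0] == "vite":  # e.g. "vite@7.3.1": "7.3.2"
                specs.append((f"pnpm.overrides[{key}]", target))
        for where, spec in specs:
            floor = range_floor(spec)
            if floor is None:
                findings.append(f"{path}: {where} vite={spec!r} needs manual review")
            elif floor < PATCHED:
                findings.append(f"{path}: {where} vite={spec!r} floors below 7.3.2")
    return findings
# Constructed package.json contents modelled on the pins the PR describes.
BEFORE = {"package.json": '{"pnpm": {"overrides": {"vite@7.1.9": "7.3.1"}}}',
          "playground/a/package.json": '{"devDependencies": {"vite": "7.3.1"}}',
          "sdk/package.json": '{"devDependencies": {"vite": "~7.3.1"}}'}
AFTER = {"package.json": '{"pnpm": {"overrides": {"vite@7.3.1": "7.3.2"}}}',
         "playground/a/package.json": '{"devDependencies": {"vite": "~7.3.2"}}',
         "sdk/package.json": '{"devDependencies": {"vite": "~7.3.2"}}'}

if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", *(audit(files) or ["clean"]), sep="\n  ")
```

Run against a real checkout by reading each workspace's package.json into the dict; any ">=" or "*" style range lands in the manual-review bucket rather than being guessed at.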