chore(deps): update dependency vite to v7.1.11 [security] (#7842)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`7.1.9` ->
`7.1.11`](https://renovatebot.com/diffs/npm/vite/7.1.9/7.1.11) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/vite/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/7.1.9/7.1.11?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-62522](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7)

### Summary
Files denied by
[`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny)
were sent if the URL ended with `\` when the dev server is running on
Windows.

### Impact
Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using --host or
[`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- running the dev server on Windows

### Details
`server.fs.deny` can contain patterns matching against files (by default
it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns). These
patterns were able to bypass by using a back slash(`\`). The root cause
is that `fs.readFile('/foo.png/')` loads `/foo.png`.

### PoC
```shell
npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
```
<img width="1593" height="616" alt="image"
src="https://github.com/user-attachments/assets/36212f4e-1d3c-4686-b16f-16b35ca9e175"
/>

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v7.1.11`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7111-2025-10-20-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v7.1.10...v7.1.11)

##### Bug Fixes

- **dev:** trim trailing slash before `server.fs.deny` check
([#&#8203;20968](https://redirect.github.com/vitejs/vite/issues/20968))
([f479cc5](https://redirect.github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed))

##### Miscellaneous Chores

- **deps:** update all non-major dependencies
([#&#8203;20966](https://redirect.github.com/vitejs/vite/issues/20966))
([6fb41a2](https://redirect.github.com/vitejs/vite/commit/6fb41a260bda443685e719ea4765d3faca3db944))

##### Code Refactoring

- use subpath imports for types module reference
([#&#8203;20921](https://redirect.github.com/vitejs/vite/issues/20921))
([d0094af](https://redirect.github.com/vitejs/vite/commit/d0094af639d9ebbb51d4e00910b74f23eb8fe131))

##### Build System

- remove cjs reference in files field
([#&#8203;20945](https://redirect.github.com/vitejs/vite/issues/20945))
([ef411ce](https://redirect.github.com/vitejs/vite/commit/ef411cee2696af3ba791879fdae9aad165f178b2))
- remove hash from built filenames
([#&#8203;20946](https://redirect.github.com/vitejs/vite/issues/20946))
([a817307](https://redirect.github.com/vitejs/vite/commit/a81730754d655d1371ce0f4354af1c84e12f9f2d))

###
[`v7.1.10`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-7110-2025-10-14-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v7.1.9...v7.1.10)

##### Bug Fixes

- **css:** avoid duplicate style for server rendered stylesheet link and
client inline style during dev
([#&#8203;20767](https://redirect.github.com/vitejs/vite/issues/20767))
([3a92bc7](https://redirect.github.com/vitejs/vite/commit/3a92bc79b306a01b8aaf37f80b2239eaf6e488e7))
- **css:** respect emitAssets when cssCodeSplit=false
([#&#8203;20883](https://redirect.github.com/vitejs/vite/issues/20883))
([d3e7eee](https://redirect.github.com/vitejs/vite/commit/d3e7eeefa91e1992f47694d16fe4dbe708c4d80e))
- **deps:** update all non-major dependencies
([879de86](https://redirect.github.com/vitejs/vite/commit/879de86935a31b4e47ab907ddd859366518ce268))
- **deps:** update all non-major dependencies
([#&#8203;20894](https://redirect.github.com/vitejs/vite/issues/20894))
([3213f90](https://redirect.github.com/vitejs/vite/commit/3213f90ff0d8f274bcec65f40aac6dfcff1ac244))
- **dev:** allow aliases starting with `//`
([#&#8203;20760](https://redirect.github.com/vitejs/vite/issues/20760))
([b95fa2a](https://redirect.github.com/vitejs/vite/commit/b95fa2aa7564eda4c9f05ee7616a2dbada35e463))
- **dev:** remove timestamp query consistently
([#&#8203;20887](https://redirect.github.com/vitejs/vite/issues/20887))
([6537d15](https://redirect.github.com/vitejs/vite/commit/6537d15591619d7e1cfc1e50599bec16cd88340f))
- **esbuild:** inject esbuild helpers correctly for esbuild 0.25.9+
([#&#8203;20906](https://redirect.github.com/vitejs/vite/issues/20906))
([446eb38](https://redirect.github.com/vitejs/vite/commit/446eb386329ef682d614c77958a542f2dc222880))
- normalize path before calling `fileToBuiltUrl`
([#&#8203;20898](https://redirect.github.com/vitejs/vite/issues/20898))
([73b6d24](https://redirect.github.com/vitejs/vite/commit/73b6d243e0398ee5d8d44c7d24162f4a0f4b1cf1))
- preserve original sourcemap file field when combining sourcemaps
([#&#8203;20926](https://redirect.github.com/vitejs/vite/issues/20926))
([c714776](https://redirect.github.com/vitejs/vite/commit/c714776aa1dcc24299a81c1495cbcbb1b1ef1dd3))

##### Documentation

- correct `WebSocket` spelling
([#&#8203;20890](https://redirect.github.com/vitejs/vite/issues/20890))
([29e98dc](https://redirect.github.com/vitejs/vite/commit/29e98dc3efe35efbd978523367c05db7d2e7a278))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies
([#&#8203;20923](https://redirect.github.com/vitejs/vite/issues/20923))
([a5e3b06](https://redirect.github.com/vitejs/vite/commit/a5e3b064fa7ca981cb6f15f8e88806b36a99b8bf))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/UI5/webcomponents-react).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]

examples/react-router-ts/package-lock.json

@@ -36,7 +36,7 @@
     "globals": "16.4.0",
     "typescript": "5.8.3",
     "typescript-eslint": "8.44.1",
-    "vite": "7.1.9",
+    "vite": "7.1.11",
     "vite-tsconfig-paths": "5.1.4"
   },
   "engines": {

examples/react-router-ts/package.json

@@ -34,6 +34,6 @@
     "eslint-plugin-react-refresh": "0.4.23",
     "globals": "16.4.0",
     "typescript-eslint": "8.44.1",
-    "vite": "7.1.9"
+    "vite": "7.1.11"
   }
 }

examples/vite-ts/package-lock.json

@@ -98,7 +98,7 @@
     "rimraf": "6.0.1",
     "typescript": "5.7.3",
     "typescript-eslint": "8.44.1",
-    "vite": "7.1.9",
+    "vite": "7.1.11",
     "vite-plugin-istanbul": "7.2.0",
     "vite-tsconfig-paths": "5.1.4"
   },

examples/vite-ts/package.json

@@ -28,6 +28,6 @@
     "globals": "16.4.0",
     "typescript": "5.8.3",
     "typescript-eslint": "8.44.1",
-    "vite": "7.1.9"
+    "vite": "7.1.11"
   }
 }

package.json

@@ -32,6 +32,6 @@
     "globals": "16.4.0",
     "typescript": "5.8.3",
     "typescript-eslint": "8.44.1",
-    "vite": "7.1.9"
+    "vite": "7.1.11"
   }
 }

patterns/navigation-layout/package-lock.json

@@ -20242,7 +20242,7 @@ __metadata:
     tocbot: "npm:4.36.4"
     typescript: "npm:5.7.3"
     typescript-eslint: "npm:8.44.1"
-    vite: "npm:7.1.9"
+    vite: "npm:7.1.11"
     vite-plugin-istanbul: "npm:7.2.0"
     vite-tsconfig-paths: "npm:5.1.4"
   languageName: unknown
@@ -20907,9 +20907,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"vite@npm:7.1.9":
-  version: 7.1.9
-  resolution: "vite@npm:7.1.9"
+"vite@npm:7.1.11":
+  version: 7.1.11
+  resolution: "vite@npm:7.1.11"
   dependencies:
     esbuild: "npm:^0.25.0"
     fdir: "npm:^6.5.0"
@@ -20958,7 +20958,7 @@ __metadata:
       optional: true
   bin:
     vite: bin/vite.js
-  checksum: 10c0/f628f903a137c1410232558bde99c223ea00a090bda6af77752c61f912955f0050aac12d3cfe024d08a0f150ff6fab61b3d0be75d634a59b94d49f525392e1f7
+  checksum: 10c0/c4aa7f47b1fb07f734ed6f4f605d73e5acf7ff9754d75b4adbfbdddf0e520413019834620c1f7b4a207bce7e1d20a2636c584db2b1b17f5a3ba2cd23d47e50ab
   languageName: node
   linkType: hard