🚨 [security] Update vite 7.1.9 → 7.1.11 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (7.1.9 → 7.1.11) · Repo · Changelog

Security Advisories 🚨

🚨 vite allows server.fs.deny bypass via backslash on Windows

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

Release Notes

7.1.10

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

• release: v7.1.11
• fix(dev): trim trailing slash before `server.fs.deny` check (#20968)
• chore(deps): update actions/setup-node action to v6 (#20967)
• chore(deps): update all non-major dependencies (#20966)
• docs: replace legacy docker compose command (#20960)
• ci: update default env variables url (#20957)
• docs: add note that bun's env loading behavior interferes with Vite's one (#20947)
• build: remove hash from built filenames (#20946)
• build: remove cjs reference in files field (#20945)
• build(legacy): remove duplicated rolldown-vite file (#20943)
• refactor: use subpath imports for types module reference (#20921)
• docs(rolldown): update links to match new docs (#20941)
• release: v7.1.10
• fix: preserve original sourcemap file field when combining sourcemaps (#20926)
• docs: add the vite documentary to resources (#20939)
• docs: add viteconf 2025 video playlist (#20938)
• fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20906)
• test: add timeout to `untilBrowserLog` (#20905)
• docs: update banner to Vite+ (#20931)
• Merge pull request #20925 from vitejs/renovate/all-minor-patch
• fix(deps): update all non-major dependencies
• chore(deps): update rolldown-related dependencies (#20923)
• build: override rolldown for stable lockfile (#20919)
• fix(css): avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767)
• test: use `expect.poll` in build-old playground (#20904)
• fix: normalize path before calling `fileToBuiltUrl` (#20898)
• fix(dev): allow aliases starting with `//` (#20760)
• chore(deps): update dependency markdown-it-image-size to v15 (#20897)
• docs(cli): document `vite preview` with more information (#20888)
• chore(deps): update dependency tsdown to ^0.15.6 (#20893)
• fix(deps): update all non-major dependencies (#20894)
• ci: remove unnecessary commit hash ambiguity check
• ci: prevent running ecosystem-ci on commits after the trigger comments
• docs: correct `WebSocket` spelling (#20890)
• fix(css): respect emitAssets when cssCodeSplit=false (#20883)
• fix(dev): remove timestamp query consistently (#20887)
• test: add test that ensures syntaxes not supported are lowered (#20886)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tar-fs@​2.1.1
	isarray@​1.0.0
	safer-buffer@​2.1.2
	is-core-module@​2.13.0 ⏵ 2.12.1
	fs-constants@​1.0.0
	get-value@​2.0.6
	static-extend@​0.1.2
	set-blocking@​2.0.0
	object-copy@​0.1.0
	restore-cursor@​3.1.0
	require-main-filename@​2.0.0
	spawn-command@​0.0.2
	lighthouse-logger@​1.4.2
	mkdirp-classic@​0.5.3
	use-sync-external-store@​1.4.0
	inflation@​2.0.0
	esbuild@​0.17.19
	decamelize@​1.2.0
	lodash.deburr@​4.1.0
	get-caller-file@​2.0.5
	playwright-core@​1.36.0
	urix@​0.1.0
	resolve-url@​0.2.1
	unpipe@​1.0.0
	source-map-url@​0.4.1
	fragment-cache@​0.2.1
	posix-character-classes@​0.1.1
	to-object-path@​0.3.0
	istanbul-reports@​3.1.5
	p-try@​2.2.0
	map-cache@​0.2.2
	proxy-from-env@​1.1.0
	glob-to-regexp@​0.3.0
	source-map-resolve@​0.5.3
See 129 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		safer-buffer@2.1.2 has Obfuscated code. Confidence: 0.94 Location: Package overview From: yarn.lock → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report