chore(deps): bump vite to ≥7.3.2 (GHSA-p9ff-h696-f583)

[Copilot]

Vite 7.3.0 exposes arbitrary files via the fetchModule WebSocket handler (vite:invoke) — server.fs.allow checks are not applied to this code path, only to HTTP. Fixed in 7.3.2.

Changes

• package.json — adds pnpm.overrides to pin vite out of the vulnerable range:

  "pnpm": {
    "overrides": {
      "vite": "^7.3.2"
    }
  }

• pnpm-lock.yaml — vite resolves to 7.3.3 (previously 7.3.0)

Reachability

Not actively reachable. The exploit requires the dev server to be network-exposed (--host / server.host). This repo runs nuxt dev with no host override — the server binds to localhost only and is never exposed in CI. Update is defence-in-depth / scanner hygiene. Confidence: high.

Original prompt

---

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket</alert_title>
<alert_description>### Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

high
GHSA-p9ff-h696-f583, CVE-2026-39363
vite
npm
<vulnerable_versions>7.3.0</vulnerable_versions>
<patched_version>7.3.2</patched_version>
<manifest_path>pnpm-lock.yaml</manifest_path>

https://github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583 https://github.com/vitejs/vite/pull/22159 https://github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0 https://github.com/vitejs/vite/releases/tag/v6.4.2 https://github.com/vitejs/vite/releases/tag/v7.3.2 https://github.com/vitejs/vite/releases/tag/v8.0.5 https://nvd.nist.gov/vuln/detail/CVE-2026-39363 https://github.com/advisories/GHSA-p9ff-h696-f583

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a patch nor a workaround is available, explain in the PR description why the alert cannot be resolved automatically...

• Resolves TruMedia-Creative/tmc alert web design project overview #77

[Copilot]

Pull request overview

This PR mitigates GHSA-p9ff-h696-f583 by ensuring the repo does not resolve to the vulnerable Vite 7.3.0 in development tooling, improving security scanner hygiene for the Nuxt/Vite-based dev server setup.

Changes:

• Added a pnpm.overrides entry to constrain vite to a non-vulnerable version range (≥ 7.3.2).
• Updated pnpm-lock.yaml so vite resolves to 7.3.3 instead of 7.3.0.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
package.json	Adds pnpm.overrides for vite to avoid the vulnerable range.
pnpm-lock.yaml	Updates resolved vite version and lock metadata to reflect the override.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported