Update vite 8.0.0 → 8.0.1 (patch)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (8.0.0 → 8.0.1) · Repo · Changelog

Release Notes

8.0.1

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

• release: v8.0.1
• chore(deps): update rolldown-related dependencies (#21787)
• fix(worker): make worker output consistent with client and SSR (#21871)
• chore(deps): bump required `@vitejs/devtools` version to 0.1+ (#21925)
• fix(dev): always use ESM Oxc runtime (#21829)
• fix: improve `no-cors` request block error (#21902)
• feat: update rolldown to 1.0.0-rc.10 (#21932)
• fix(css): lightningcss minify failed when `build.target: 'es6'` (#21933)
• chore: add auto timestamp diff detection at live video (#21936)
• ci: run issue template check workflow for any issues (#21927)
• ci: remove clarity label workflow (#21926)
• docs: use rolldownOptions in library mode multiple entries example (#21916)
• docs: fix typo in worker-options.md (#21897)
• fix(dev): handle concurrent restarts in `_createServer` (#21810)
• test(worker): make inline worker assertion more stable (#21848)
• fix(worker): `require(json)` result should not be wrapped (#21847)
• fix: handle `+` symbol in package subpath exports during dep optimization (#21886)
• fix: use precise regexes for transform filter to avoid backtracking (#21800)
• fix(bundled-dev): properly disable `inlineConst` optimization (#21865)
• test: remove stale resolve sniffing test (#21883)
• fix(deps): update all non-major dependencies (#21878)
• chore(deps): update warpdotdev/oz-agent-action digest to 827a9ad (#21877)
• chore(deps): update actions/create-github-app-token action to v3 (#21879)
• docs: update banner for vite+ alpha (#21804)
• chore: remove `rolldown-vite` issue link from issue create modal (#21869)
• docs(getting-started): use rolldown instead of rollup (#21854)
• docs(releases): update v7 latest minor (#21842)
• release: create-vite@9.0.2
• chore: add changelog rearrange script (#21835)
• docs: add install size section to Vite 8 post (#21840)
• fix(create-vue): add `lang="ts"` to vue files to fix type errors in vue-ts template (#21838)
• chore: rearrange 8.0 changelog
• chore: rearrange 8.0 changelog (#21834)
• release: create-vite@9.0.1
• fix(create-vite): add `@babel/core` and `@types/babel__core` for react compiler template (#21833)
• release: create-vite@9.0.0
• feat(deps): bump plugin versions in create-vite templates (#21832)
• feat(create-vite): update react template for new plugin-react (#21742)
• fix(create-vite): tanstack cli `--template` is deprecated (#21831)
• fix(create-vite): handle double dash for `npm exec` (#21830)
• release: plugin-legacy@8.0.0
• chore(legacy): update peer dep Vite to 8

↗️ @​emnapi/core (indirect, 1.9.0 → 1.9.1) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• 1.9.1
• fix for emscripten 5.0.3

↗️ @​emnapi/runtime (indirect, 1.9.0 → 1.9.1) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• 1.9.1
• fix for emscripten 5.0.3

↗️ rolldown (indirect, 1.0.0-rc.9 → 1.0.0-rc.10) · Repo · Changelog

🗑️ @​oxc-project/runtime (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[sourcery-ai]

Hi @depfu[bot]! 👋

Your private repo does not have access to Sourcery.

Please upgrade to continue using Sourcery ✨

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Free

Run ID: 95f2f8df-1431-4ca4-9a95-6a8cbbecfa25

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

@depfu merge

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite@​8.0.0 ⏵ 8.0.1	+1		+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 90.0% likely to have a medium risk anomaly Notes: The JS loader is not itself executing obvious malicious JavaScript (no eval, no external network calls, no hard-coded credentials). However it intentionally grants a WebAssembly module broad privileges: it passes the full process.env into WASI and the worker, and preopens the host filesystem root so the wasm can access the filesystem. It also forwards worker messages into a filesystem proxy function. These design choices make running an untrusted or tampered-with wasm binary dangerous: a malicious wasm could read environment variables, enumerate and modify host files, and exfiltrate data via any network capability inside the wasm or worker. Therefore the module should be treated as high-risk if the wasm artifact (local file or npm package) is not from a trusted source. Recommended mitigations: avoid preopening the root (limit to specific directories), avoid passing full process.env, validate integrity of the wasm binary (signing/checksums), and avoid installing untrusted package replacements. Confidence: 0.90 Severity: 0.60 From: package-lock.json → npm/vite@8.0.1 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 90.0% likely to have a medium risk anomaly Notes: The file itself does not contain overt malicious code (no network calls, no obfuscated payloads, no hardcoded credentials). However, it deliberately exposes powerful capabilities to loaded WASM modules and local scripts: it passes all environment variables into WASI and preopens the filesystem root, and it implements importScripts by reading and eval-ing local files. These choices make the environment capable of data theft or system access if untrusted wasm or scripts are executed. Treat wasm modules and files loaded via importScripts as fully trusted/native — do not run untrusted modules with this loader. Recommend restricting WASI preopens to a minimal directory and avoid passing full process.env, and avoid eval-based importScripts when possible. Confidence: 0.90 Severity: 0.60 From: package-lock.json → npm/vite@8.0.1 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm rolldown URLs: https://rollupjs.org/plugin-development/#generatebundle:~:text=DANGER,this.emitFile., Function.prototype.name, Class.prototype.name, https://github.com/webpack/enhanced-resolve#resolver-options, https://webpack.js.org/configuration/resolve/, https://github.com/defunctzombie/package-browser-field-spec, https://github.com/webpack/enhanced-resolve/pull/285, https://webpack.js.org/configuration/module/#resolvefullyspecified, https://nodejs.org/api/module.html#modulebuiltinmodules, https://github.com/vitejs/vite/pull/20252, https://github.com/nodejs/node/issues/58827, https://nodejs.org/docs/latest/api/esm.html#resolution-algorithm-specification, https://github.com/dividab/tsconfig-paths-webpack-plugin#options, https://www.typescriptlang.org/tsconfig/#experimentalDecorators, https://www.typescriptlang.org/tsconfig/#emitDecoratorMetadata, https://www.typescriptlang.org/tsconfig/#stripInternal, https://oxc.rs/docs/guide/usage/transformer/jsx, https://github.com/facebook/react/tree/v18.3.1/packages/react-refresh, https://oxc.rs/docs/guide/usage/transformer/plugins#styled-components, https://oxc.rs/docs/guide/usage/transformer/typescript, https://oxc.rs/docs/guide/usage/transformer/lowering#target, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#define, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#inject, https://oxc.rs/docs/guide/usage/transformer/plugins, https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-5.html#isolated-declarations, https://www.typescriptlang.org/tsconfig/#declaration, https://github.com/npm/cli/issues/4828, output.name, https://github.com/streamich/memfs, https://rolldown.rs/., https://developer.mozilla.org/en-US/docs/Glossary/IIFE, https://github.com/umdjs/umd, https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md, https://cdn.jsdelivr.net/npm/d3@7, comments.legal, https://rolldown.rs/in-depth/directives, https://rolldown.rs/guide/troubleshooting#avoiding-direct-eval, https://rolldown.rs/reference/OutputOptions.globals, https://rolldown.rs/reference/OutputOptions.name, https://rolldown.rs/reference/OutputOptions.exports, https://rolldown.rs/in-depth/non-esm-output-formats#import-meta, https://rolldown.rs/reference/OutputOptions.cleanDir, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Property_accessors, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement.html#inject, https://rolldown.rs/apis/plugin-api/hook-filters, https://rolldown.rs/apis/plugin-api/inter-plugin-communication#custom-resolver-options, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#define-pure-functions, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-global-variable-access-side-effects, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-invalid-import-statement-side-effects, exports.property, https://rolldown.rs/apis/plugin-api, https://api.example.com, https://esbuild.github.io/api/#loader, https://rolldown.rs/in-depth/module-types, https://github.com/rolldown/rolldown/issues/7258, https://github.com/rolldown/rolldown/tree/main/examples/native-magic-string, https://rolldown.rs/in-depth/lazy-barrel-optimization Location: Package overview From: package-lock.json → npm/vite@8.0.1 → npm/rolldown@1.0.0-rc.10 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rolldown@1.0.0-rc.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm vite URLs: https://en.wikipedia.org/wiki/Combining_Diacritical_Marks, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols, https://mathiasbynens.be/notes/javascript-unicode, http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/, https://en.wikipedia.org/wiki/CamelCase, https://en.wikipedia.org/wiki/Latin-1_Supplement_, https://en.wikipedia.org/wiki/Latin_Extended-A, _.map, https://vite.dev/config/server-options.html#server-hmr, http://vite.dev, https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state, http://www.w3.org/1999/xhtml, http://www.w3.org/1998/Math/MathML, http://www.w3.org/2000/svg, http://www.w3.org/1999/xlink, http://www.w3.org/XML/1998/namespace, http://www.w3.org/2000/xmlns/, https://dom.spec.whatwg.org/#concept-document-limited-quirks, http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd, https://github.com/rollup/plugins/tree/master/packages/alias#entries, https://github.com/micromatch/anymatch, https://nodejs.org/api/fs.html#fs_class_fs_stats, example.com, foo.example.com, foo.bar.example.com, http://jsonplaceholder.typicode.com, https://github.com/SuperchupuDev/tinyglobby, https://esbuild.github.io/api/#target, https://esbuild.github.io/content-types/#javascript, license.md, https://rollupjs.org/configuration-options/#watch, http://127.0.0.1:8080, config.server.watch, server.environments.client.hot, import.meta.hot, 127.0.0.1, 0.0.0.0, https://example.com Location: Package overview From: package-lock.json → npm/vite@8.0.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report