Update vite 8.0.13 → 8.0.14 (patch)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (8.0.13 → 8.0.14) · Repo · Changelog

Release Notes

8.0.14

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• release: v8.0.14
• test(glob-import): cover absolute base resolving to files outside root (#22298)
• fix(html): handle trailing slash paths in transformIndexHtml (#22480)
• chore(deps): update dependency lint-staged to v17 (#22424)
• fix(deps): update all non-major dependencies (#22471)
• chore(deps): update dependency ws to v8.20.1 [security] (#22483)
• feat: update rolldown to 1.0.2 (#22484)
• chore: pin official actions as well (#22481)
• test(css): sass does not use main field (#22449)
• refactor(glob): do not rewrite import path for absolute base (#22310)
• test(glob-import): move fixtures into root subdirectory (#22466)
• chore(deps): update rolldown-related dependencies (#22470)
• docs: update pnpm overrides URL link (#22464)
• fix(optimizer): pass oxc jsx options to transformSync in dependency scan (#22342)
• fix(dev): handle errors when sending messages to vite server (#22450)
• release: plugin-legacy@8.0.2
• chore(deps): update `@vitejs/release-scripts` to v1.7.1
• chore: remove irrelevant commits from changelog

↗️ nanoid (indirect, 3.3.11 → 3.3.12) · Repo · Changelog

Release Notes

3.3.12

• Fixed breaking Nano ID by requesting big ID.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• Release 3.3.12 version
• Backport fix to CommonJS version too
• Update test
• Backport pool breaking fix
• Fix CI

↗️ postcss (indirect, 8.5.14 → 8.5.15) · Repo · Changelog

Release Notes

8.5.15

• Fixed declaration parsing performance (by @homanp).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

• Release 8.5.15 version
• Update CI actions
• Speed up declaration parsing by avoiding creating new array on each token
• Fix code format
• Update dependencies
• Install older pnpm action for old Node.js
• Revert pnpm action for old Node.js
• Update CI actions
• Fix linter warnings
• Merge pull request #2088 from rootvector2/add-oss-fuzz-harness
• Address review: source-map dict tokens and oxfmt formatting
• Add OSS-Fuzz fuzzing harness under test/fuzzing/
• Remove image since WIkipedia stopped to serve it to third parties
• Fix to another link
• Fix image URL
• Fix CI

↗️ rolldown (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Release Notes

1.0.2

[1.0.2] - 2026-05-20

🚀 Features

• devtools: emit package size in PackageGraphReady (#9434) by @IWANABETHATGUY
• devtools: classify package dependency types (#9427) by @IWANABETHATGUY
• devtools: map packages to modules and chunks (#9426) by @IWANABETHATGUY
• devtools: mark used packages (#9423) by @IWANABETHATGUY
• devtools: make duplicate packages discoverable (#9422) by @IWANABETHATGUY
• devtools: emit package metadata (#9421) by @IWANABETHATGUY
• update oxc to 0.132.0 (#9449) by @shulaoda
• update oxc to 0.131.0 (#9424) by @shulaoda
• allow checks.* to escalate emissions to hard errors (#9388) by @IWANABETHATGUY
• dev: support watcher options include and exclude (#9395) by @h-a-n-a
• emit warnings for invalid pure annotations (#9381) by @Kyujenius

🐛 Bug Fixes

• hash: keep chunk file names stable when an unrelated entry is added (#9444) by @hyf0
• call codeSplitting.groups[].name in deterministic order (#9457) by @sapphi-red
• dev/lazy: make resolve_id idempotent when the resolved id is already a lazy entry (#9439) by @h-a-n-a
• chunk-optimization: publish absorbed dynamic-entry namespace cross-chunk (#9448) by @IWANABETHATGUY
• treeshake: propagate pure annotation through compound exprs (#9431) by @Dunqing
• finalizer: skip redundant init call when barrel executes in same chunk (#9354) by @IWANABETHATGUY
• linking: initialize wrapped ESM re-export owners (#9353) by @IWANABETHATGUY
• do not inherit __toESM across chunks for named-only external imports (#9333) (#9415) by @IWANABETHATGUY
• watcher: don't write output or emit events after close() (#9328) by @situ2001
• chunk-optimization: avoid unsafe dynamic-only merges (#9398) by @IWANABETHATGUY
• cjs: rename CJS-wrapped locals that would shadow chunk-scope names (#9392) by @hyf0
• dev/lazy: watch lazy modules added in rebuilds (#9391) by @h-a-n-a

🚜 Refactor

• rolldown_dev: move dev example to break publish cycle (#9465) by @Boshen
• binding: drop unsafe napi string helper, hoist transform ArcStr (#9456) by @hyf0
• ecmascript_utils: split rewrite_ident_reference off JsxExt trait (#9417) by @IWANABETHATGUY
• use ThreadsafeFunction::call_async_catch (#9390) by @sapphi-red

📚 Documentation

• devtools: document @rolldown/debug usage and package graph consumption (#9435) by @IWANABETHATGUY
• replace Inter with system font stack in OG template SVG (#9240) by @yvbopeng
• remove output.comments warning as all issues have been resolved (#9393) by @sapphi-red
• in-depth: clarify @PURE scope and document positions (#9389) by @Kyujenius
• readme: remove release candidate notice (#9387) by @shulaoda

⚡ Performance

• vite-resolve: cache importer existence checks (#9443) by @Brooooooklyn
• binding: reduce plugin string clones (#9436) by @Brooooooklyn

🧪 Testing

• enable legal_comments_inline test (#9394) by @sapphi-red

⚙️ Miscellaneous Tasks

• bump pnpm to v11.1.2 (#9447) by @Boshen
• deps: update rust crates (#9461) by @renovate[bot]
• deps: update rollup submodule for tests to v4.60.4 (#9453) by @rolldown-guard[bot]
• deps: update test262 submodule for tests (#9454) by @rolldown-guard[bot]
• deps: update npm packages (#9430) by @renovate[bot]
• deps: update github actions (#9429) by @renovate[bot]
• deps: update dependency rolldown-plugin-dts to v0.25.1 (#9452) by @renovate[bot]
• deps: update rust crates (#9428) by @renovate[bot]
• revert allow checks.* to escalate emissions to hard errors (#9388) (#9438) by @IWANABETHATGUY
• update mimalloc-safe to 0.1.61 (#9413) by @shulaoda
• deny todo, unimplemented, and print_stderr clippy lints (#9412) by @Boshen
• deps: update mimalloc-safe to 0.1.60 (#9410) by @shulaoda
• remove pip install setuptools workaround for node-gyp on macOS (#9370) by @sapphi-red
• renovate: disable automerge to require manual approval (#9386) by @shulaoda
• deps: update napi (#9385) by @renovate[bot]

❤️ New Contributors

• @yvbopeng made their first contribution in #9240

Co-authored-by: shulaoda 165626830+shulaoda@users.noreply.github.com

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 51 commits:

• release: v1.0.2 (#9478)
• docs(devtools): document @rolldown/debug usage and package graph consumption (#9435)
• refactor(rolldown_dev): move dev example to break publish cycle (#9465)
• chore: bump pnpm to v11.1.2 (#9447)
• fix(hash): keep chunk file names stable when an unrelated entry is added (#9444)
• refactor(binding): drop unsafe napi string helper, hoist transform ArcStr (#9456)
• chore(deps): update rust crates (#9461)
• feat(devtools): emit package size in PackageGraphReady (#9434)
• feat(devtools): classify package dependency types (#9427)
• fix: call `codeSplitting.groups[].name` in deterministic order (#9457)
• fix(dev/lazy): make `resolve_id` idempotent when the resolved id is already a lazy entry (#9439)
• perf(vite-resolve): cache importer existence checks (#9443)
• docs: replace `Inter` with system font stack in OG template SVG (#9240)
• chore(deps): update rollup submodule for tests to v4.60.4 (#9453)
• chore(deps): update test262 submodule for tests (#9454)
• feat(devtools): map packages to modules and chunks (#9426)
• perf(binding): reduce plugin string clones (#9436)
• feat(devtools): mark used packages (#9423)
• feat(devtools): make duplicate packages discoverable (#9422)
• fix(chunk-optimization): publish absorbed dynamic-entry namespace cross-chunk (#9448)
• chore(deps): update npm packages (#9430)
• chore(deps): update github actions (#9429)
• chore(deps): update dependency rolldown-plugin-dts to v0.25.1 (#9452)
• chore(deps): update rust crates (#9428)
• feat(devtools): emit package metadata (#9421)
• feat: update oxc to 0.132.0 (#9449)
• feat: update oxc to 0.131.0 (#9424)
• fix(treeshake): propagate pure annotation through compound exprs (#9431)
• chore: revert allow checks.* to escalate emissions to hard errors (#9388) (#9438)
• fix(finalizer): skip redundant init call when barrel executes in same chunk (#9354)
• fix(linking): initialize wrapped ESM re-export owners (#9353)
• feat: allow checks.* to escalate emissions to hard errors (#9388)
• fix: do not inherit __toESM across chunks for named-only external imports (#9333) (#9415)
• fix(watcher): don't write output or emit events after close() (#9328)
• chore: update mimalloc-safe to 0.1.61 (#9413)
• refactor(ecmascript_utils): split rewrite_ident_reference off JsxExt trait (#9417)
• chore: deny `todo`, `unimplemented`, and `print_stderr` clippy lints (#9412)
• chore(deps): update mimalloc-safe to 0.1.60 (#9410)
• fix(chunk-optimization): avoid unsafe dynamic-only merges (#9398)
• feat(dev): support watcher options `include` and `exclude` (#9395)
• fix(cjs): rename CJS-wrapped locals that would shadow chunk-scope names (#9392)
• test: enable `legal_comments_inline` test (#9394)
• ci: remove `pip install setuptools` workaround for node-gyp on macOS (#9370)
• docs: remove `output.comments` warning as all issues have been resolved (#9393)
• fix(dev/lazy): watch lazy modules added in rebuilds (#9391)
• refactor: use `ThreadsafeFunction::call_async_catch` (#9390)
• docs(in-depth): clarify @__PURE__ scope and document positions (#9389)
• feat: emit warnings for invalid pure annotations (#9381)
• docs(readme): remove release candidate notice (#9387)
• chore(renovate): disable automerge to require manual approval (#9386)
• chore(deps): update napi (#9385)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite@​8.0.13 ⏵ 8.0.14	+1		+1	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vite@8.0.14 → npm/@rolldown/binding-wasm32-wasi@1.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly Notes: A JS loader bootstraps a WASI-enabled WebAssembly module and forwards the full host process.env into the WASI environment and worker contexts while preopening the host filesystem root. This design enables an untrusted or tampered WASM binary to read environment variables and access numerous files, potentially exfiltrating data through any available host or network channel. Treat the module as high-risk unless the WASM artifact is from a trusted source; mitigate by restricting preopens to specific directories, avoiding full process.env exposure, and validating the integrity of the WASM binary. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vite@8.0.14 → npm/@rolldown/binding-wasm32-wasi@1.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm rolldown URLs: https://github.com/streamich/memfs, output.name, https://github.com/npm/cli/issues/4828, https://developer.mozilla.org/en-US/docs/Glossary/IIFE, https://github.com/umdjs/umd, https://github.com/tc39/ecma426/blob/main/proposals/debug-id.md, https://cdn.jsdelivr.net/npm/d3@7, comments.legal, https://rolldown.rs/in-depth/manual-code-splitting, https://rolldown.rs/reference/OutputOptions.exports, https://rolldown.rs/in-depth/non-esm-output-formats#import-meta, https://rolldown.rs/reference/OutputOptions.cleanDir, https://github.com/rolldown/plugins/tree/main/packages/transform-imports, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Property_accessors, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement.html#inject, https://rolldown.rs/apis/plugin-api/hook-filters, https://rolldown.rs/apis/plugin-api/inter-plugin-communication#custom-resolver-options, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#define-pure-functions, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-global-variable-access-side-effects, https://oxc.rs/docs/guide/usage/minifier/dead-code-elimination#ignoring-invalid-import-statement-side-effects, exports.property, https://rolldown.rs/apis/plugin-api, https://api.example.com, https://esbuild.github.io/api/#loader, https://rolldown.rs/in-depth/module-types, https://github.com/rolldown/rolldown/issues/7258, https://github.com/rolldown/rolldown/tree/main/examples/native-magic-string, https://rolldown.rs/in-depth/lazy-barrel-optimization, https://rollupjs.org/plugin-development/#generatebundle:~:text=DANGER,this.emitFile., https://rolldown.rs/., Function.prototype.name, Class.prototype.name, https://github.com/webpack/enhanced-resolve#resolver-options, https://webpack.js.org/configuration/resolve/, https://github.com/defunctzombie/package-browser-field-spec, https://github.com/webpack/enhanced-resolve/pull/285, https://webpack.js.org/configuration/module/#resolvefullyspecified, https://nodejs.org/api/module.html#modulebuiltinmodules, https://github.com/vitejs/vite/pull/20252, https://github.com/nodejs/node/issues/58827, https://nodejs.org/docs/latest/api/esm.html#resolution-algorithm-specification, https://github.com/dividab/tsconfig-paths-webpack-plugin#options, https://www.typescriptlang.org/tsconfig/#experimentalDecorators, https://www.typescriptlang.org/tsconfig/#emitDecoratorMetadata, https://www.typescriptlang.org/tsconfig/#stripInternal, https://oxc.rs/docs/guide/usage/transformer/jsx, https://github.com/facebook/react/tree/v18.3.1/packages/react-refresh, https://oxc.rs/docs/guide/usage/transformer/plugins#styled-components, https://oxc.rs/docs/guide/usage/transformer/typescript, https://oxc.rs/docs/guide/usage/transformer/lowering#target, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#define, https://oxc.rs/docs/guide/usage/transformer/global-variable-replacement#inject, https://oxc.rs/docs/guide/usage/transformer/plugins, https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-5.html#isolated-declarations, https://www.typescriptlang.org/tsconfig/#declaration Location: Package overview From: package-lock.json → npm/vite@8.0.14 → npm/rolldown@1.0.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rolldown@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm vite URLs: https://vite.dev/config/server-options.html#server-hmr, http://vite.dev, https://github.com/rollup/plugins/tree/master/packages/alias#entries, https://github.com/micromatch/anymatch, https://nodejs.org/api/fs.html#fs_class_fs_stats, example.com, foo.example.com, foo.bar.example.com, http://jsonplaceholder.typicode.com, https://github.com/SuperchupuDev/tinyglobby, https://esbuild.github.io/api/#target, https://esbuild.github.io/content-types/#javascript, license.md, https://rollupjs.org/configuration-options/#watch, http://127.0.0.1:8080, config.server.watch, server.environments.client.hot, import.meta.hot, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols, https://mathiasbynens.be/notes/javascript-unicode, http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/, https://en.wikipedia.org/wiki/CamelCase, https://en.wikipedia.org/wiki/Latin-1_Supplement_, https://en.wikipedia.org/wiki/Latin_Extended-A, _.map, 127.0.0.1, 0.0.0.0, https://example.com, https://html.spec.whatwg.org/multipage/parsing.html#named-character-reference-state, http://www.w3.org/1999/xhtml, http://www.w3.org/1998/Math/MathML, http://www.w3.org/2000/svg, http://www.w3.org/1999/xlink, http://www.w3.org/XML/1998/namespace, http://www.w3.org/2000/xmlns/, https://dom.spec.whatwg.org/#concept-document-limited-quirks, http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd Location: Package overview From: package-lock.json → npm/vite@8.0.14 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@8.0.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

Automatically approved by gstraccini[bot]

[guibranco]

@depfu merge