Bump vite from 6.4.2 to 7.3.2

[dependabot]

Bumps vite from 6.4.2 to 7.3.2.

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

v7.3.1

Please refer to CHANGELOG.md for details.

v7.3.0

Please refer to CHANGELOG.md for details.

v7.2.7

Please refer to CHANGELOG.md for details.

v7.2.6

Please refer to CHANGELOG.md for details.

v7.2.5

Please refer to CHANGELOG.md for details.

Note: 7.2.5 failed to publish so it is skipped on npm

v7.2.4

Please refer to CHANGELOG.md for details.

v7.2.3

Please refer to CHANGELOG.md for details.

v7.2.2

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.1

Please refer to CHANGELOG.md for details.

v7.2.1

Please refer to CHANGELOG.md for details.

plugin-legacy@7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0

Please refer to CHANGELOG.md for details.

v7.2.0-beta.1

Please refer to CHANGELOG.md for details.

v7.2.0-beta.0

Please refer to CHANGELOG.md for details.

v7.1.12

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

• avoid path traversal with optimize deps sourcemap handler (#22161) (09d8c90)
• backport #22159, apply server.fs check to env transport (#22162) (19db0f2)
• check server.fs after stripping query as well (#22160) (f8103cc)

7.3.1 (2026-01-07)

Features

• add ignoreOutdatedRequests option to optimizeDeps (#21364) (9d39d37)

7.3.0 (2025-12-15)

Features

• deps: update esbuild from ^0.25.0 to ^0.27.0 (#21183) (cff26ec)

7.2.7 (2025-12-08)

Bug Fixes

• plugin shortcut support (#21211) (721f163)

7.2.6 (2025-12-01)

7.2.5 (2025-12-01)

Bug Fixes

• config: handle shebang properly (#21158) (df5a30d)
• deps: update all non-major dependencies (#21146) (a3cd262)
• deps: update all non-major dependencies (#21175) (72e398a)
• fix external: true merging (#21164) (5ef557a)
• shortcuts not rebound after server restart (#21166) (3765f7b)

Performance Improvements

• deps: replace debug with obug (#21137) (203a551)

Documentation

• clarify manifest.json imports field is JS chunks only (#21136) (46d3077)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#21174) (74559c9)

7.2.4 (2025-11-20)

Bug Fixes

• revert "perf(deps): replace debug with obug (#21107)" (2d66b7b)

7.2.3 (2025-11-20)

... (truncated)

Commits

• cc383e0 release: v7.3.2
• 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• f8103cc fix: check server.fs after stripping query as well (#22160)
• 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
• 95e8923 release: v7.3.1
• 9d39d37 feat: add ignoreOutdatedRequests option to optimizeDeps (#21364)
• acf7e05 release: v7.3.0
• cff26ec feat(deps): update esbuild from ^0.25.0 to ^0.27.0 (#21183)
• 317b3b2 release: v7.2.7
• 721f163 fix: plugin shortcut support (#21211)
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: automated. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[cloudflare-workers-and-pages]

Deploying nodetool-staging with    Cloudflare Pages

Latest commit:	18e9641
Status:	🚫  Build failed.

View logs

[georgi]

@claude review

[claude]

Claude finished @georgi's task in 4m 20s —— View job

---

Vite 6.4.2 → 7.3.2 Upgrade Review

• Gather context: examine changed files and vite config
• Check for Vite 7 breaking changes relevant to this codebase
• Investigate CI failures
• Provide review summary

---

Overview

This is a major version bump (6.x → 7.x). While dependabot.yml has ignore: semver-major, dependabot created this PR because v7.3.2 contains security patches. These patches are legitimate and important:

• Path traversal via optimize deps sourcemap handler (fix: avoid path traversal with optimize deps sourcemap handler vitejs/vite#22161) — server-side security fix
• server.fs check bypass via env transport (fix: backport #22159, apply server.fs check to env transport vitejs/vite#22162) — server-side security fix
• server.fs check skipped when query params present (fix: check server.fs after stripping query as well vitejs/vite#22160) — server-side security fix

Since these are server.* mitigations, they only apply in dev mode (vite serve), not to production builds.

---

Config Compatibility ✅

Both web/vite.config.ts and electron/vite.config.ts look compatible with Vite 7:

• allowedHosts: [".nodetool.ai", "localhost"] — explicitly set, no impact from the Vite 7 default change (web/vite.config.ts:47)
• rollupOptions with manual chunks and CJS format — Vite 7 still uses Rollup 4, no API changes
• vite-plugin-electron@0.29.1 — no strict Vite peer dep declared, compatible
• vite-plugin-svgr@4.5.0 — declares "vite": ">=2.6.0", compatible
• @vitejs/plugin-react@^4.3.4 — supports Vite 6 and 7

Vite 7 Node.js requirement: 20.19+. CI runs Node 20.20.2 ✓. Need to verify Cloudflare Pages uses ≥ 20.19.

---

CI Failures Analysis

Both CI workflows are failing, but the failures appear to be pre-existing issues unrelated to the Vite upgrade:

Web Test & Electron Test — failing at "Set up Node.js":

##[error]Some specified paths were not resolved, unable to cache dependencies.

Cause: .github/workflows/test.yml specifies cache-dependency-path: web/package-lock.json, but no web/package-lock.json exists (only the root package-lock.json). This is a pre-existing CI config bug that would fail on any PR touching these paths.
Fix this →

Packages Test — fails with:

Cannot find module '../src/debug-api.js'
imported from packages/websocket/tests/debug-export.test.ts

Cause: The @nodetool/websocket package has a test that imports a compiled .js file (debug-api.js) that doesn't exist because packages aren't built before tests run. All 36 other test files in the package pass. This is also a pre-existing issue.

Cloudflare Pages — build failed. Most likely cause: Cloudflare Pages may be configured with Node.js < 20.19 (Vite 7's minimum). Check the Cloudflare Pages Node.js version setting — it needs to be 20.19+ or 22.12+.

---

Minor Issues

Missing "automated" label: dependabot.yml references a "automated" label that doesn't exist in the repo, causing the dependabot warning comment. Create this label to fix.

---

Recommendation

Approve and merge — the Vite config is compatible with v7 and the security patches are valuable. However, before merging:

1. Verify Cloudflare Pages Node.js version is ≥ 20.19 (update the Cloudflare Pages build config if needed)
2. The two pre-existing CI failures should be fixed in a separate PR

[georgi]

This is a major version bump (Vite 6 → 7) and should not be merged as a routine dependency update.

Vite 7 includes breaking changes that need careful evaluation and migration work. All CI checks are currently failing (Web Test, Electron Test, Packages Test, Mobile Test).

Recommend closing this PR and handling the Vite 7 migration as a dedicated effort with proper testing and evaluation of breaking changes.

---

Generated by Claude Code

[dependabot]

Looks like vite is up-to-date now, so this is no longer needed.