chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in the npm_and_yarn group across 1 directory #404
/review Auto-triggered after E2E tests passed.

Code Review

Dependabot patch bump: This is a security patch release. The changelog includes three fixes:

The first two are security-relevant — they close potential file-system access bypasses in Vite's dev server. While these primarily affect development (not production builds), merging promptly is still the right call.

Electron security checklist: No privilege-boundary files touched — this is a dev dependency update only. All checklist items N/A.

Verdict: Clean patch, no concerns. Merge.

✅ Ready to Merge

Code review found no significant issues. This PR is ready for human approval and merge.
Bumps the npm_and_yarn group with 1 update in the / directory: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).

Updates `vite` from 7.3.1 to 7.3.2
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

00b08a0 to d3b413a

/review Auto-triggered after E2E tests passed.

Code Review

Dependabot security patch: vite 7.3.1 → 7.3.2

This PR bumps vite from 7.3.1 to 7.3.2. The changelog reveals this is a security patch addressing path traversal and filesystem boundary bypass vulnerabilities in the dev server:

These are dev-server-only vulnerabilities (not production runtime), but they could allow an attacker to read arbitrary files outside the project root during development if a malicious file or dependency triggers the affected code paths. Merging promptly is the right call.

Electron security checklist: No privilege-boundary files touched — this is a devDependency update only. No IPC, preload, or main process changes. Checklist items are N/A.

Verdict: Clean patch, correct lockfile update, no unrelated changes. Merge immediately.

✅ Ready to Merge

Code review found no significant issues. This PR is ready for human approval and merge.

Bumps the npm_and_yarn group with 1 update in the / directory: vite.

Updates vite from 7.3.1 to 7.3.2

Release notes
Sourced from vite's releases.

Changelog
Sourced from vite's changelog.

Commits
- cc383e0 release: v7.3.2
- 09d8c90 fix: avoid path traversal with optimize deps sourcemap handler (#22161)
- f8103cc fix: check server.fs after stripping query as well (#22160)
- 19db0f2 fix: backport #22159, apply server.fs check to env transport (#22162)
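
A check a reviewer can run against the updated lockfile to confirm that no copy of vite older than 7.3.2 remains installed, including copies nested under another dependency. This is an added example, not part of the PR or of Dependabot's output. The function names, the `some-plugin` and `vite-plugin-example` packages and the sample lockfile are constructed for illustration, and it assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example, not part of the PR. MIN_VERSION is the target version from
// the PR title; everything in sampleLock is constructed.
const MIN_VERSION = '7.3.2';

// Parse "MAJOR.MINOR.PATCH"; any prerelease/build suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not string, compare).
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Walk the lockfile's "packages" map and return every installed copy of `name`
// older than `min`. Matching on the full "node_modules/<name>" segment catches
// nested copies and skips look-alikes such as "vite-plugin-example".
function findStaleCopies(lock, name, min) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => compareVersions(meta.version, min) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample: the top-level copy was bumped, a nested copy was not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', devDependencies: { vite: '^7.3.2' } },
    'node_modules/vite': { version: '7.3.2', dev: true },
    'node_modules/some-plugin/node_modules/vite': { version: '7.3.1', dev: true },
    'node_modules/vite-plugin-example': { version: '1.0.0', dev: true },
  },
};

for (const { path, version } of findStaleCopies(sampleLock, 'vite', MIN_VERSION)) {
  console.log(`stale vite ${version} at ${path}`);
}
```

To use it on a real checkout, pass the parsed contents of `package-lock.json` as the first argument in place of `sampleLock`.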