chore(deps): update dependency vite to v7.1.11 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	7.1.6 → 7.1.11

GitHub Vulnerability Alerts

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v7.1.11

Compare Source

Bug Fixes

• dev: trim trailing slash before server.fs.deny check (#​20968) (f479cc5)

Miscellaneous Chores

• deps: update all non-major dependencies (#​20966) (6fb41a2)

Code Refactoring

• use subpath imports for types module reference (#​20921) (d0094af)

Build System

• remove cjs reference in files field (#​20945) (ef411ce)
• remove hash from built filenames (#​20946) (a817307)

v7.1.10

Compare Source

Bug Fixes

• css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#​20767) (3a92bc7)
• css: respect emitAssets when cssCodeSplit=false (#​20883) (d3e7eee)
• deps: update all non-major dependencies (879de86)
• deps: update all non-major dependencies (#​20894) (3213f90)
• dev: allow aliases starting with // (#​20760) (b95fa2a)
• dev: remove timestamp query consistently (#​20887) (6537d15)
• esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#​20906) (446eb38)
• normalize path before calling fileToBuiltUrl (#​20898) (73b6d24)
• preserve original sourcemap file field when combining sourcemaps (#​20926) (c714776)

Documentation

• correct WebSocket spelling (#​20890) (29e98dc)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20923) (a5e3b06)

v7.1.9

Compare Source

Reverts

• server: drain stdin when not interactive (#​20885) (12d72b0)

v7.1.8

Compare Source

Bug Fixes

• css: improve url escape characters handling (#​20847) (24a61a3)
• deps: update all non-major dependencies (#​20855) (788a183)
• deps: update artichokie to 0.4.2 (#​20864) (e670799)
• dev: skip JS responses for document requests (#​20866) (6bc6c4d)
• glob: fix HMR for array patterns with exclusions (#​20872) (63e040f)
• keep ids for virtual modules as-is (#​20808) (d4eca98)
• server: drain stdin when not interactive (#​20837) (bb950e9)
• server: improve malformed URL handling in middlewares (#​20830) (d65a983)

Documentation

• create-vite: provide deno example (#​20747) (fdb758a)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​20810) (ea68a88)
• deps: update rolldown-related dependencies (#​20854) (4dd06fd)
• update url of create-react-app license (#​20865) (166a178)

v7.1.7

Compare Source

Bug Fixes

• build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
• client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
• deps: update all non-major dependencies (#​20811) (9f2247c)
• glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
• hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
• hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4135153

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for openapi-ts canceled.

Name	Link
🔨 Latest commit	4135153
🔍 Latest deploy log	https://app.netlify.com/projects/openapi-ts/deploys/6980f73104b7490008b49df0

[github-actions]

size-limit report 📦

Path	Size
packages/openapi-fetch/dist/index.mjs	6.73 KB (0%)