🚨 [security] Update vite 7.3.2 → 8.0.8 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ vite (7.3.2 → 8.0.8) · Repo · Changelog

Security Advisories 🚨

🚨 Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket

Summary

server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• WebSocket is not disabled by server.ws: false

Arbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.

Details

If it is possible to connect to the Vite dev server’s WebSocket without an Origin header, an attacker can invoke fetchModule via the custom WebSocket event vite:invoke and combine file://... with ?raw (or ?inline) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., export default "...").

The access control enforced in the HTTP request path (such as server.fs.allow) is not applied to this WebSocket-based execution path.

PoC

1. Start the dev server on the target
   Example (used during validation with this repository):

   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173

2. Confirm that access is blocked via the HTTP path (example: arbitrary file)

   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'

   Result: 403 Restricted (outside the allow list)
   

3. Confirm that the same file can be retrieved via the WebSocket path
   By connecting to the HMR WebSocket without an Origin header and sending a vite:invoke request that calls fetchModule with a file://... URL and ?raw, the file contents are returned as a JavaScript module.

🚨 Vite: `server.fs.deny` bypassed with queries

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• the sensitive file exists in the allowed directories specified by server.fs.allow
• the sensitive file is denied with a pattern that matches a file by server.fs.deny

Details

On the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended.

PoC

1. Start the dev server: pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
2. Confirm that server.fs.deny is enforced (expect 403): curl -i http://127.0.0.1:5175/src/.env | head -n 20
   
3. Confirm that the same files can be retrieved with query parameters (expect 200):
   

🚨 Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

1. Create a minimal PoC sourcemap outside the project root

   cat > /tmp/poc.map <<'EOF'
   {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
   EOF

2. Start the Vite dev server (example)

   pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

3. Confirm that direct /@fs access is blocked by strict (returns 403)
   
4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
   

Release Notes

8.0.8

Please refer to CHANGELOG.md for details.

8.0.7

Please refer to CHANGELOG.md for details.

8.0.6

Please refer to CHANGELOG.md for details.

8.0.5

Please refer to CHANGELOG.md for details.

8.0.4

Please refer to CHANGELOG.md for details.

8.0.3

Please refer to CHANGELOG.md for details.

8.0.2

Please refer to CHANGELOG.md for details.

8.0.1

Please refer to CHANGELOG.md for details.

8.0.0

Please refer to CHANGELOG.md for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ picomatch (indirect, 4.0.3 → 4.0.4) · Repo · Changelog

Security Advisories 🚨

🚨 Picomatch has a ReDoS vulnerability via extglob quantifiers

Impact

picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.

Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.

Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.

Patches

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.

Users should upgrade to one of these versions or later, depending on their supported release line.

Workarounds

If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.

Possible mitigations include:

• disable extglob support for untrusted patterns by using noextglob: true
• reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *()
• enforce strict allowlists for accepted pattern syntax
• run matching in an isolated worker or separate process with time and resource limits
• apply application-level request throttling and input validation for any endpoint that accepts glob patterns

Resources

• Picomatch repository: https://github.com/micromatch/picomatch
• lib/parse.js and lib/constants.js are involved in generating the vulnerable regex forms
• Comparable ReDoS precedent: CVE-2024-4067 (micromatch)
• Comparable generated-regex precedent: CVE-2024-45296 (path-to-regexp)

🚨 Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

Impact

picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression.

This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control.

All users of affected picomatch versions that process untrusted or user-controlled glob patterns are potentially impacted.

Patches

This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.

Users should upgrade to one of these versions or later, depending on their supported release line.

Workarounds

If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.

Possible mitigations include:

• Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like [[:...:]].

• Avoiding the use of POSIX bracket expressions if user input is involved.

• Manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype:

  const POSIX_REGEX_SOURCE = {
    __proto__: null,
    alnum: 'a-zA-Z0-9',
    alpha: 'a-zA-Z',
    // ... rest unchanged
  };

Resources

• fix for similar issue: #144
• picomatch repository https://github.com/micromatch/picomatch

Release Notes

4.0.4

This is a security release fixing several security relevant issues.

What's Changed

• Fix for CVE-2026-33671
• Fix for CVE-2026-33672

Full Changelog: 4.0.3...4.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Publish 4.0.4
• Merge commit from fork
• Merge commit from fork
• Run benchmark again against latest minimatch version (#161)
• docs: clarify what brace expansion syntax is and isn't supported (#134)
• fix typo in globstars.js test name (#138)
• docs: fix `makeRe` example (#143)
• chore: undocument removed options (#146)
• Remove unused time-require (#160)
• chore(deps): pin dependencies (#158)
• Update github workflow and add renovate config (#157)
• Merge pull request #155 from micromatch/prettier
• Add node 24 and 25
• Revert "chore: use prettier, update eslint, add node 24 and 25 to ci"
• update actions
• run less workflows in prs
• chore: Remove codeql and active in repo settings
• chore: use prettier, update eslint, add node 24 and 25 to ci

🆕 @​oxc-project/types (added, 0.124.0)

🆕 @​rolldown/binding-android-arm64 (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-darwin-arm64 (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-darwin-x64 (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-freebsd-x64 (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-arm-gnueabihf (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-arm64-gnu (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-arm64-musl (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-ppc64-gnu (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-s390x-gnu (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-x64-gnu (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-linux-x64-musl (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-openharmony-arm64 (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-wasm32-wasi (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-win32-arm64-msvc (added, 1.0.0-rc.15)

🆕 @​rolldown/binding-win32-x64-msvc (added, 1.0.0-rc.15)

🆕 rolldown (added, 1.0.0-rc.15)

🆕 @​rolldown/pluginutils (added, 1.0.0-rc.15)

🆕 @​emnapi/core (added, 1.9.2)

🆕 @​emnapi/runtime (added, 1.9.2)

🆕 @​emnapi/wasi-threads (added, 1.2.1)

🆕 @​napi-rs/wasm-runtime (added, 1.1.4)

🗑️ @​rollup/rollup-android-arm-eabi (removed)

🗑️ @​rollup/rollup-android-arm64 (removed)

🗑️ @​rollup/rollup-darwin-arm64 (removed)

🗑️ @​rollup/rollup-darwin-x64 (removed)

🗑️ @​rollup/rollup-freebsd-arm64 (removed)

🗑️ @​rollup/rollup-freebsd-x64 (removed)

🗑️ @​rollup/rollup-linux-arm-gnueabihf (removed)

🗑️ @​rollup/rollup-linux-arm-musleabihf (removed)

🗑️ @​rollup/rollup-linux-arm64-gnu (removed)

🗑️ @​rollup/rollup-linux-arm64-musl (removed)

🗑️ @​rollup/rollup-linux-loong64-gnu (removed)

🗑️ @​rollup/rollup-linux-loong64-musl (removed)

🗑️ @​rollup/rollup-linux-ppc64-gnu (removed)

🗑️ @​rollup/rollup-linux-ppc64-musl (removed)

🗑️ @​rollup/rollup-linux-riscv64-gnu (removed)

🗑️ @​rollup/rollup-linux-riscv64-musl (removed)

🗑️ @​rollup/rollup-linux-s390x-gnu (removed)

🗑️ @​rollup/rollup-linux-x64-gnu (removed)

🗑️ @​rollup/rollup-linux-x64-musl (removed)

🗑️ @​rollup/rollup-openbsd-x64 (removed)

🗑️ @​rollup/rollup-openharmony-arm64 (removed)

🗑️ @​rollup/rollup-win32-arm64-msvc (removed)

🗑️ @​rollup/rollup-win32-ia32-msvc (removed)

🗑️ @​rollup/rollup-win32-x64-gnu (removed)

🗑️ @​rollup/rollup-win32-x64-msvc (removed)

🗑️ rollup (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)