chore: upgrade vite to 8.x (esbuild CVE-2026 GHSA-gv7w-rqvm-qjhr / GHSA-g7r4-m6w7-qqqr) #123
Reference: Circuit-Forge/peregrine#123
Summary
`npm audit fix` resolved 7 of the 9 npm CVEs. The remaining 2 are in esbuild (bundled with vite 4.2–8.0.3) and require upgrading vite to 8.x, which is a breaking change.

CVEs:

- GHSA-gv7w-rqvm-qjhr: esbuild missing binary integrity check in Deno module (enables RCE via NPM_CONFIG_REGISTRY)
- GHSA-g7r4-m6w7-qqqr: esbuild allows arbitrary file read when running dev server on Windows

Note: Both are low-exploitability in this deployment (Linux, no Deno, dev server not exposed to the internet). Upgrading is still correct hygiene.
Current: vite ^7.3.1, @vitejs/plugin-vue ^6.0.2
Target: vite ^8.0.16
Steps
Then verify:
- `npm run build` succeeds
- `npm run dev` launches without errors
- tests pass (`npx vitest run`)

Related
Part of the 2026-06-13 CVE scan. The other 7 npm CVEs were already fixed by `npm audit fix`.
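One way to confirm the upgrade actually landed, as an added example and not code from the Circuit-Forge/peregrine project: a POSIX sh script that reads the resolved versions straight from package-lock.json, checks vite against the 8.0.16 target named in the issue, and lists every esbuild the tree still resolves to (the two open advisories live in that transitive esbuild). The lockfile fragment, its esbuild version string and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the repo): verify vite >= target and list resolved
# esbuild versions by reading package-lock.json (lockfile v2/v3 layout).
set -eu

# Resolved version of a lockfile package path such as node_modules/vite
# (first match wins). $1 = lockfile, $2 = package path.
lock_pkg_version() {
  awk -v key="\"$2\": {" '
    index($0, key)       { want = 1; next }
    want && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
  ' "$1"
}

# Success when semver $1 >= $2, comparing major.minor.patch numerically.
semver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Distinct esbuild versions resolved anywhere in the tree, hoisted or nested.
lock_esbuild_versions() {
  awk '/"node_modules\/(.*\/)?esbuild": [{]/ { want = 1; next }
       want && /"version":/ { gsub(/[",]/, "", $2); print $2; want = 0 }' "$1" |
    sort -u | paste -sd ' '
}

# Exit 0 when the lockfile meets the vite target, 1 otherwise.
check_vite_upgrade() {   # $1 = lockfile, $2 = minimum vite version
  ver=$(lock_pkg_version "$1" node_modules/vite)
  printf 'vite %s (target >= %s); esbuild: %s\n' "$ver" "$2" "$(lock_esbuild_versions "$1")"
  semver_ge "$ver" "$2"
}

# Constructed lockfile fragment mirroring the pre-upgrade state in the issue.
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
{ "packages": {
    "node_modules/vite": {
      "version": "7.3.1"
    },
    "node_modules/esbuild": {
      "version": "0.0.0-sample"
    }
} }
EOF
check_vite_upgrade "$SAMPLE_LOCK" 8.0.16 || echo "upgrade still needed"
```

Point it at the real lockfile after `npm install vite@^8.0.16` to get a pass/fail exit code usable in CI.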