chore: upgrade vite to 8.x (esbuild CVE-2026 GHSA-gv7w-rqvm-qjhr / GHSA-g7r4-m6w7-qqqr) #123

Open
opened 2026-06-13 21:35:55 -07:00 by pyr0ball · 0 comments
Owner

## Summary

`npm audit fix` resolved 7/9 npm CVEs. The remaining 2 are in esbuild (bundled with vite 4.2–8.0.3) and require upgrading vite to 8.x, which is a breaking change.

**CVEs:**

- `GHSA-gv7w-rqvm-qjhr` — esbuild missing binary integrity check in Deno module (enables RCE via NPM_CONFIG_REGISTRY)
- `GHSA-g7r4-m6w7-qqqr` — esbuild allows arbitrary file read when running dev server on Windows

**Note:** Both are low-exploitability in this deployment (Linux + no Deno + dev server not exposed to internet). Upgrading is still correct hygiene.

**Current:** vite ^7.3.1, @vitejs/plugin-vue ^6.0.2

**Target:** vite ^8.0.16

## Steps

```bash
cd web
npm audit fix --force   # upgrades vite to 8.x
```

Then verify:

- [ ] `npm run build` succeeds
- [ ] `npm run dev` launches without errors
- [ ] Hot reload works in dev
- [ ] All vitest tests pass (`npx vitest run`)

## Related

Part of the 2026-06-13 CVE scan. The other 7 npm CVEs were already fixed by `npm audit fix`.
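The upgrade-and-verify procedure above leaves the "is the affected esbuild actually gone" question to a manual `npm audit` reading. The script below is an added example, not code from the Circuit-Forge/peregrine repository: it turns the verification list into checks that can be scripted, treating any vite below 8.0.4 as still affected (derived from the 4.2–8.0.3 range stated in the issue) and confirming that neither GHSA id is still reported after the bump. The `./web` directory, the npm lockfile v2/v3 `"packages"` layout, and the shape of `npm audit --json` output are assumptions; the fixtures are constructed so the parsing functions can be exercised offline. Dev-server start and hot reload stay manual.

```shell
#!/bin/sh
# Added example (not part of the Circuit-Forge/peregrine repo): scripted post-upgrade
# checks for the vite 8.x bump. Assumed: the web app lives in ./web, package-lock.json is
# npm lockfile v2/v3, and `npm audit --json` embeds advisory URLs containing the GHSA ids.
set -eu

# The issue says the vulnerable esbuild ships with vite 4.2 through 8.0.3, so anything
# below 8.0.4 is treated as still affected. A leading ^ or ~ (package.json range) and a
# prerelease suffix are stripped before comparing. Returns 0 when the version is fixed.
vite_version_is_fixed() {
  v="$1"
  v="${v#^}"; v="${v#~}"; v="${v%%-*}"
  set -- $(printf '%s' "$v" | tr '.' ' ')
  major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
  case "$major$minor$patch" in ''|*[!0-9]*) return 1 ;; esac   # e.g. "latest"
  [ "$major" -gt 8 ] && return 0
  [ "$major" -eq 8 ] && [ "$minor" -gt 0 ] && return 0
  [ "$major" -eq 8 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 4 ] && return 0
  return 1
}

# Print the vite version resolved in a package-lock.json read from stdin. In the v2/v3
# "packages" layout the "node_modules/vite" entry is followed by its "version" line.
resolved_vite_version() {
  awk '
    $0 ~ /"node_modules\/vite":/ { found = 1; next }
    found && /"version":/        { gsub(/[",]/, "", $2); print $2; exit }
  '
}

# Given `npm audit --json` on stdin, print whichever of the two esbuild advisories from
# this issue are still reported (prints nothing once both are gone).
remaining_esbuild_advisories() {
  { grep -oE 'GHSA-(gv7w-rqvm-qjhr|g7r4-m6w7-qqqr)' || true; } | sort -u
}

# Constructed fixtures (not taken from the repo) so the parsers above run offline.
sample_lock() {
  printf '%s\n' '{' \
    '  "packages": {' \
    '    "node_modules/vite": {' \
    '      "version": "8.0.16",' \
    '      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.16.tgz"' \
    '    }' \
    '  }' \
    '}'
}
sample_audit_before() {
  printf '%s\n' '{"vulnerabilities":{"esbuild":{"via":[' \
    '{"url":"https://github.com/advisories/GHSA-gv7w-rqvm-qjhr"},' \
    '{"url":"https://github.com/advisories/GHSA-g7r4-m6w7-qqqr"}]}}}'
}

# Run the real checks against the repo (build, vitest, audit). `npm audit` exits non-zero
# when anything is still reported, so its status is ignored and the output parsed instead.
check_repo() {
  dir="${1:-web}"
  ver="$(resolved_vite_version < "$dir/package-lock.json")"
  [ -n "$ver" ] || { echo "vite not found in $dir/package-lock.json"; return 1; }
  if vite_version_is_fixed "$ver"; then
    echo "vite $ver is outside the 4.2-8.0.3 range"
  else
    echo "vite $ver still bundles the affected esbuild"; return 1
  fi
  (cd "$dir" && npm run build && npx vitest run)
  left="$( (cd "$dir" && npm audit --json || true) | remaining_esbuild_advisories)"
  if [ -n "$left" ]; then
    echo "advisories still reported:"; echo "$left"; return 1
  fi
  echo "ok; now confirm 'npm run dev' and hot reload by hand"
}

# Usage: sh check_vite_upgrade.sh --run [web-dir]
if [ "${1:-}" = "--run" ]; then
  check_repo "${2:-web}"
fi
```

Running it with `--run` after `npm audit fix --force` covers the build, test and audit items of the checklist; a non-zero exit means either the lockfile still resolves a vite inside the affected range or one of the two advisories is still present in the audit output.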
Reference: Circuit-Forge/peregrine#123