chore(deps): update dependency vite to v8

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	~7.3.5 → ~8.0.16

---

Release Notes

vitejs/vite (vite)

v8.0.16

Compare Source

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#​22571) (50b9512)
• reject windows alternate paths (#​22572) (dc245c7)

v8.0.15

Compare Source

Features

• send 408 on request timeout (#​22476) (c85c9ee)
• update rolldown to 1.0.3 (#​22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#​22488) (85a0eff)
• deps: update all non-major dependencies (#​22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@​fs/ HTML paths (#​21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#​22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#​22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#​22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#​22562) (6978a9c)

v8.0.14

Compare Source

Features

• update rolldown to 1.0.2 (#​22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#​22471) (98b8163)
• dev: handle errors when sending messages to vite server (#​22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#​22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#​22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#​22310) (0ae2844)

Tests

• css: sass does not use main field (#​22449) (ebf39a0)

v8.0.13

Compare Source

Features

• bundled-dev: add lazy bundling support (#​21406) (4f0949f)
• optimizer: improve the esbuild plugin converter to pass some properties of build result to onEnd (#​22357) (47071ce)
• update rolldown to 1.0.1 (#​22444) (8c766a6)

Bug Fixes

• build: copy public directory after building same environment with write=false (#​22328) (158e8ae)
• css: await sass/less/styl worker disposal on teardown (fix #​22274) (#​22275) (b7edcb7)
• css: keep deprecated name/originalFileName in synthetic assetFileNames call (#​22439) (8e59c97)
• make isBundled per environment (#​22257) (a576326)
• ssr: avoid rewriting labels that collide with imports (#​22451) (d9b18e0)

Miscellaneous Chores

• remove irrelevant commits from changelog (#​22430) (6ea3838)
• update changelog (#​22413) (fcdc87c)

v8.0.12

Compare Source

Features

• update rolldown to 1.0.0 (#​22401) (cf0ff41)

Bug Fixes

• create-vite: pass react framework to TanStack CLI (#​22397) (18f0f90)
• deps: update all non-major dependencies (#​22420) (2be6000)
• module-runner: prevent partial-exports race on concurrent imports of in-flight invalidated re-export chains (#​22369) (f5a22e6)
• refer to rolldownOptions instead of deprecated rollupOptions in messages (#​22400) (b675c7b)
• worker: apply build.target to worker bundle (#​22404) (3c93fde)
• worker: forward define to worker bundle transform (#​22408) (d4838a0)

Miscellaneous Chores

• deps: update dependency eslint-plugin-n to v18 (#​22423) (2fe7bd2)
• deps: update rolldown-related dependencies (#​22421) (66b9eb3)

v8.0.11

Compare Source

Features

• update rolldown to 1.0.0-rc.18 (#​22360) (3f80524)

Bug Fixes

• deps: update all non-major dependencies (#​22334) (672c962)
• deps: update all non-major dependencies (#​22382) (5c0cfcb)
• glob: align hmr matcher options with glob enumeration (#​22306) (30028f9)
• make separate object instance for each environment (#​22276) (7c2aa3b)

Documentation

• create-vite: list react-compiler templates in README (#​22347) (7c3a61f)
• explain mergeConfig skips null/undefined (#​22325) (2151f70)
• mention native config loader in CLI options (#​22348) (0420c5d)
• update evan's x handle (640202a)

Miscellaneous Chores

• deps: update dependency tsdown to ^0.21.10 (#​22333) (3b51e05)
• deps: update rolldown-related dependencies (#​22383) (555ff36)
• deps: update transitive packages to fix npm audit alerts (#​22316) (86aee62)

Code Refactoring

• devtools integration (#​22312) (3c8bf06)
• remove unnecessary async (#​22296) (b31fd35)
• show direct path type in bad character warning (#​22339) (0c162e9)

Tests

• create-vite: use short help alias (#​22389) (994ab66)

v8.0.10

Compare Source

Features

• update rolldown to 1.0.0-rc.17 (#​22299) (a4d06d9)

Bug Fixes

• hmrClient.logger.debug and hmrClient.logger.error looked different from other HMR logs (#​22147) (a4d828f)
• css: show filename in CSS minification warnings for .css?inline (#​22292) (83f0a78)
• optimizer: allow user transform.target to override default in optimizeDeps (#​22273) (5c7cec6)
• remove format sniffing module resolution from JS resolver (#​22297) (b8a21cc)

Code Refactoring

• enable some typecheck rules (#​22278) (9437518)
• typecheck client directory (#​22284) (40a0847)

v8.0.9

Compare Source

Features

• update rolldown to 1.0.0-rc.16 (#​22248) (2947edd)

Bug Fixes

• allow binding when strictPort is set but wildcard port is in use (#​22150) (dfc8aa5)
• build: emptyOutDir should happen for watch rebuilds (#​22207) (ee52267)
• bundled-dev: reject requests to HMR patch files in non potentially trustworthy origins (#​22269) (868f141)
• css: use unique key for cssEntriesMap to prevent same-basename collision (#​22039) (374bb5d)
• deps: update all non-major dependencies (#​22219) (4cd0d67)
• deps: update all non-major dependencies (#​22268) (c28e9c1)
• detect Deno workspace root (fix #​22237) (#​22238) (1b793c0)
• dev: handle errors in watchChange hook (#​22188) (fc08bda)
• optimizer: handle more chars that will be sanitized (#​22208) (3f24533)
• skip fallback sourcemap generation for ?raw imports (#​22148) (3ec9cda)

Documentation

• align the descriptions in READMEs (#​22231) (44c42b9)
• fix reuses wording in dev environment comment (#​22173) (9163412)
• fix wording in sass error comment (#​22214) (bc5c6a7)
• update build CLI defaults (#​22261) (605bb97)

Miscellaneous Chores

• deps: update dependency dotenv-expand to v13 (#​22271) (0a3887d)

v8.0.8

Compare Source

Features

• update rolldown to 1.0.0-rc.15 (#​22201) (6baf587)

Bug Fixes

• avoid dns.getDefaultResultOrder temporary (#​22202) (15f1c15)
• ssr: class property keys hoisting matching imports (#​22199) (e137601)

v8.0.7

Compare Source

Bug Fixes

• use sync dns.getDefaultResultOrder instead of dns.promises (#​22185) (5c05b04)

v8.0.6

Compare Source

Features

• update rolldown to 1.0.0-rc.13 (#​22097) (51d3e48)

Bug Fixes

• css: avoid mutating sass error multiple times (#​22115) (d5081c2)
• optimize-deps: hoist CJS interop assignment (#​22156) (17a8f9e)

Performance Improvements

• early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#​22151) (56ec256)

Miscellaneous Chores

• create-vite: remove unnecessary DOM.Iterable (#​22168) (bdc53ab)
• replace remaining prettier script (#​22179) (af71fb2)

v8.0.5

Compare Source

Bug Fixes

• apply server.fs check to env transport (#​22159) (f02d9fd)
• avoid path traversal with optimize deps sourcemap handler (#​22161) (79f002f)
• check server.fs after stripping query as well (#​22160) (a9a3df2)
• disallow referencing files outside the package from sourcemap (#​22158) (f05f501)

v8.0.4

Compare Source

Features

• allow esbuild 0.28 as peer deps (#​22155) (b0da973)
• hmr: truncate list of files on hmr update (#​21535) (d00e806)
• optimizer: log when dependency scanning or bundling takes over 1s (#​21797) (f61a1ab)

Bug Fixes

• hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#​22043) (99897d2)
• add types for vite/modulepreload-polyfill (#​22126) (17330d2)
• deps: update all non-major dependencies (#​22073) (6daa10f)
• deps: update all non-major dependencies (#​22143) (22b0166)
• resolve: resolve tsconfig paths starting with # (#​22038) (3460fc5)
• ssr: use browser platform for webworker SSR builds (fix #​21969) (#​21963) (364c227)

Documentation

• add environment.fetchModule documentation (#​22035) (54229e7)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#​21989) (0ded627)

Code Refactoring

• upgrade to typescript 6 (#​22110) (cc41398)

v8.0.3

Compare Source

Features

• update rolldown to 1.0.0-rc.12 (#​22024) (84164ef)

Bug Fixes

• html: cache unfiltered CSS list to prevent missing styles across entries (#​22017) (5464190)
• module-runner: handle non-ascii characters in base64 sourcemaps (#​21985) (77c95bf)
• module-runner: skip re-import if the runner is closed (#​22020) (ee2c2cd)
• optimizer: scan is not resolving sub path import if used in a glob import (#​22018) (ddfe20d)
• ssr: ssrTransform incorrectly rewrites meta identifier inside import.meta when a binding named meta exists (#​22019) (cff5f0c)

Miscellaneous Chores

• deps: bump picomatch from 4.0.3 to 4.0.4 (#​22027) (7e56003)

Tests

• html: add tests for getCssFilesForChunk (#​22016) (43fbbf9)

v8.0.2

Compare Source

Features

• update rolldown to 1.0.0-rc.11 (#​21998) (ff91c31)

Bug Fixes

• deps: update all non-major dependencies (#​21988) (9b7d150)

Miscellaneous Chores

• deps: update dependency @​vitejs/devtools to ^0.1.5 (#​21992) (b2dd65b)

v8.0.1

Compare Source

Features

• update rolldown to 1.0.0-rc.10 (#​21932) (b3c067d)

Bug Fixes

• bundled-dev: properly disable inlineConst optimization (#​21865) (6d97142)
• css: lightningcss minify failed when build.target: 'es6' (#​21933) (5fcce46)
• deps: update all non-major dependencies (#​21878) (6dbbd7f)
• dev: always use ESM Oxc runtime (#​21829) (d323ed7)
• dev: handle concurrent restarts in _createServer (#​21810) (40bc729)
• handle + symbol in package subpath exports during dep optimization (#​21886) (86db93d)
• improve no-cors request block error (#​21902) (5ba688b)
• use precise regexes for transform filter to avoid backtracking (#​21800) (dbe41bd)
• worker: require(json) result should not be wrapped (#​21847) (0672fd2)
• worker: make worker output consistent with client and SSR (#​21871) (69454d7)

Miscellaneous Chores

• add changelog rearrange script (#​21835) (efef073)
• deps: bump required @vitejs/devtools version to 0.1+ (#​21925) (12932f5)
• deps: update rolldown-related dependencies (#​21787) (1af1d3a)
• rearrange 8.0 changelog (8e05b61)
• rearrange 8.0 changelog (#​21834) (86edeee)

v8.0.0

Compare Source

Features

• update rolldown to 1.0.0-rc.9 (#​21813) (f05be0e)
• warn when vite-tsconfig-paths plugin is detected (#​21781) (ada493e)

Bug Fixes

• deps: update all non-major dependencies (#​21786) (eaa4352)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm ioredis is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: pnpm-lock.yaml → npm/ioredis@5.10.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ioredis@5.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm kind-of is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/kind-of@6.0.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/kind-of@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm node-fetch-native is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: pnpm-lock.yaml → npm/@nuxt/test-utils@3.23.0 → npm/ofetch@1.5.1 → npm/node-fetch-native@1.6.7 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch-native@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/@nuxt/bridge@1805

npm i https://pkg.pr.new/@nuxt/bridge-schema@1805

commit: 9e4102c

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	ofetch@​1.5.1
	playwright-core@​1.60.0
	ohash@​2.0.11
	perfect-debounce@​2.1.0
	pathe@​2.0.3
	ufo@​1.6.4
	std-env@​4.1.0
	node-fetch@​3.3.2
	jiti@​2.7.0
	nypm@​0.6.6
	magic-string@​0.30.21
	pkg-types@​2.3.1

View full report