chore(deps): update dependency vite to v8.0.5 [security] (#87)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [vite](https://vite.dev)
([source](https://redirect.github.com/vitejs/vite/tree/HEAD/packages/vite))
| [`8.0.3` →
`8.0.5`](https://renovatebot.com/diffs/npm/vite/8.0.3/8.0.5) |
![age](https://developer.mend.io/api/mc/badges/age/npm/vite/8.0.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/8.0.3/8.0.5?slim=true)
|

### GitHub Vulnerability Alerts

####
[GHSA-4w7w-66w2-5vf9](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-4w7w-66w2-5vf9)

### Summary

Any files ending with `.map` even out side the project can be returned
to the browser.

### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- have a sensitive content in files ending with `.map` and the path is
predictable

### Details

In Vite v7.3.1, the dev server’s handling of `.map` requests for
optimized dependencies resolves file paths and calls `readFile` without
restricting `../` segments in the URL. As a result, it is possible to
bypass the
[`server.fs.strict`](https://vite.dev/config/server-options#server-fs-strict)
allow list and retrieve `.map` files located outside the project root,
provided they can be parsed as valid source map JSON.

### PoC
1. Create a minimal PoC sourcemap outside the project root
    ```bash
    cat > /tmp/poc.map <<'EOF'
    {"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
    EOF
    ```
2. Start the Vite dev server (example)
    ```bash
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
    ```
3. Confirm that direct `/@&#8203;fs` access is blocked by `strict`
(returns 403)
<img width="4004" height="1038" alt="image"
src="https://github.com/user-attachments/assets/15a859a8-1dc6-4105-8d58-80527c0dd9ab"
/>
4. Inject `../` segments under the optimized deps `.map` URL prefix to
reach `/tmp/poc.map`
<img width="2790" height="846" alt="image"
src="https://github.com/user-attachments/assets/5d02957d-2e6a-4c45-9819-3f024e0e81f2"
/>

####
[GHSA-p9ff-h696-f583](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-p9ff-h696-f583)

### Summary

[`server.fs`](https://vite.dev/config/server-options#server-fs-strict)
check was not enforced to the `fetchModule` method that is exposed in
Vite dev server's WebSocket.

### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- WebSocket is not disabled by `server.ws: false`

Arbitrary files on the server (development machine, CI environment,
container, etc.) can be exposed.

### Details

If it is possible to connect to the Vite dev server’s WebSocket
**without an `Origin` header**, an attacker can invoke `fetchModule` via
the custom WebSocket event `vite:invoke` and combine `file://...` with
`?raw` (or `?inline`) to retrieve the contents of arbitrary files on the
server as a JavaScript string (e.g., `export default "..."`).

The access control enforced in the HTTP request path (such as
`server.fs.allow`) is not applied to this WebSocket-based execution
path.

### PoC

1. Start the dev server on the target 
   Example (used during validation with this repository):
   ```bash
   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
   ```

2. Confirm that access is blocked via the HTTP path (example: arbitrary
file)
   ```bash
   curl -i 'http://localhost:5173/@&#8203;fs/etc/passwd?raw'
   ```
   Result: `403 Restricted` (outside the allow list)
<img width="3898" height="1014" alt="image"
src="https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af"
/>

3. Confirm that the same file can be retrieved via the WebSocket path
By connecting to the HMR WebSocket without an `Origin` header and
sending a `vite:invoke` request that calls `fetchModule` with a
`file://...` URL and `?raw`, the file contents are returned as a
JavaScript module.
<img width="1049" height="296" alt="image"
src="https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972"
/>
<img width="1382" height="955" alt="image"
src="https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7"
/>

####
[GHSA-v2wj-q39q-566r](https://redirect.github.com/vitejs/vite/security/advisories/GHSA-v2wj-q39q-566r)

### Summary

The contents of files that are specified by
[`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)
can be returned to the browser.

### Impact

Only apps that match the following conditions are affected:

- explicitly exposes the Vite dev server to the network (using `--host`
or [`server.host` config
option](https://vitejs.dev/config/server-options.html#server-host))
- the sensitive file exists in the allowed directories specified by
[`server.fs.allow`](https://vite.dev/config/server-options#server-fs-allow)
- the sensitive file is denied with a pattern that matches a file by
[`server.fs.deny`](https://vite.dev/config/server-options#server-fs-deny)

### Details

On the Vite dev server, files that should be blocked by `server.fs.deny`
(e.g., `.env`, `*.crt`) can be retrieved with HTTP 200 responses when
query parameters such as `?raw`, `?import&raw`, or `?import&url&inline`
are appended.

### PoC

1. Start the dev server: `pnpm exec vite root --host 127.0.0.1 --port
5175 --strictPort`
2. Confirm that `server.fs.deny` is enforced (expect 403): `curl -i
http://127.0.0.1:5175/src/.env | head -n 20`
<img width="3944" height="1092" alt="image"
src="https://github.com/user-attachments/assets/ecb9f2e0-e08f-4ac7-b194-e0f988c4cd4f"
/>
3. Confirm that the same files can be retrieved with query parameters
(expect 200):
<img width="2014" height="373" alt="image"
src="https://github.com/user-attachments/assets/76bc2a6a-44f4-4161-ae47-eab5ae0c04a8"
/>

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

###
[`v8.0.5`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-805-2026-04-06-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.4...v8.0.5)

##### Bug Fixes

- apply server.fs check to env transport
([#&#8203;22159](https://redirect.github.com/vitejs/vite/issues/22159))
([f02d9fd](https://redirect.github.com/vitejs/vite/commit/f02d9fde0b195afe3ea2944414186962fbbe41e0))
- avoid path traversal with optimize deps sourcemap handler
([#&#8203;22161](https://redirect.github.com/vitejs/vite/issues/22161))
([79f002f](https://redirect.github.com/vitejs/vite/commit/79f002f2286c03c88c7b74c511c7f9fc6dc46694))
- check `server.fs` after stripping query as well
([#&#8203;22160](https://redirect.github.com/vitejs/vite/issues/22160))
([a9a3df2](https://redirect.github.com/vitejs/vite/commit/a9a3df299378d9cbc5f069e3536a369f8188c8ff))
- disallow referencing files outside the package from sourcemap
([#&#8203;22158](https://redirect.github.com/vitejs/vite/issues/22158))
([f05f501](https://redirect.github.com/vitejs/vite/commit/f05f50173461789e0f1323fe06b51f18ca41c132))

###
[`v8.0.4`](https://redirect.github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small-804-2026-04-06-small)

[Compare
Source](https://redirect.github.com/vitejs/vite/compare/v8.0.3...v8.0.4)

##### Features

- allow esbuild 0.28 as peer deps
([#&#8203;22155](https://redirect.github.com/vitejs/vite/issues/22155))
([b0da973](https://redirect.github.com/vitejs/vite/commit/b0da97372f5dba73e78035d1cc7680466ff6cf7f))
- **hmr:** truncate list of files on hmr update
([#&#8203;21535](https://redirect.github.com/vitejs/vite/issues/21535))
([d00e806](https://redirect.github.com/vitejs/vite/commit/d00e806d7be15ebbfe7875e9244963d80ee8b142))
- **optimizer:** log when dependency scanning or bundling takes over 1s
([#&#8203;21797](https://redirect.github.com/vitejs/vite/issues/21797))
([f61a1ab](https://redirect.github.com/vitejs/vite/commit/f61a1ab33b05dc6f6a7eda6e8bc9c4c5b9aab133))

##### Bug Fixes

- `hasBothRollupOptionsAndRolldownOptions` should return `false` for
proxy case
([#&#8203;22043](https://redirect.github.com/vitejs/vite/issues/22043))
([99897d2](https://redirect.github.com/vitejs/vite/commit/99897d27b44dd73307fa03e2f11f0baa1a1dc939))
- add types for `vite/modulepreload-polyfill`
([#&#8203;22126](https://redirect.github.com/vitejs/vite/issues/22126))
([17330d2](https://redirect.github.com/vitejs/vite/commit/17330d2b9e132460f194d6d4b547cfee7e25c788))
- **deps:** update all non-major dependencies
([#&#8203;22073](https://redirect.github.com/vitejs/vite/issues/22073))
([6daa10f](https://redirect.github.com/vitejs/vite/commit/6daa10ff1e8d15a90f49d8dd909ff208da85d6d8))
- **deps:** update all non-major dependencies
([#&#8203;22143](https://redirect.github.com/vitejs/vite/issues/22143))
([22b0166](https://redirect.github.com/vitejs/vite/commit/22b016612703320db45c64a2fe44472051ef5ec5))
- **resolve:** resolve tsconfig paths starting with `#`
([#&#8203;22038](https://redirect.github.com/vitejs/vite/issues/22038))
([3460fc5](https://redirect.github.com/vitejs/vite/commit/3460fc55aa89aef4103d2c05ac2e446032511a6d))
- **ssr:** use browser platform for webworker SSR builds (fix
[#&#8203;21969](https://redirect.github.com/vitejs/vite/issues/21969))
([#&#8203;21963](https://redirect.github.com/vitejs/vite/issues/21963))
([364c227](https://redirect.github.com/vitejs/vite/commit/364c2273a121dad4d93ec3b9ec87ffbe0d6e860b))

##### Documentation

- add `environment.fetchModule` documentation
([#&#8203;22035](https://redirect.github.com/vitejs/vite/issues/22035))
([54229e7](https://redirect.github.com/vitejs/vite/commit/54229e78631ebf10d1db767b51ea85f3cf06718a))

##### Miscellaneous Chores

- **deps:** update rolldown-related dependencies
([#&#8203;21989](https://redirect.github.com/vitejs/vite/issues/21989))
([0ded627](https://redirect.github.com/vitejs/vite/commit/0ded6274579e8bda6b22a7ba93b15d15b4c28b78))

##### Code Refactoring

- upgrade to typescript 6
([#&#8203;22110](https://redirect.github.com/vitejs/vite/issues/22110))
([cc41398](https://redirect.github.com/vitejs/vite/commit/cc41398c2cf0bb5061cf0ca5dc3b408ae7e41191))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/promptfoo/crabcode).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: renovate[bot]