Skip to content

[CLNP-8656] [fix]: bump vite to 6.4.3 (CLNP-8656)#1439

Merged
sf-tyler-jeong merged 1 commit into
mainfrom
fix/clnp-8656
Jun 23, 2026
Merged

[CLNP-8656] [fix]: bump vite to 6.4.3 (CLNP-8656)#1439
sf-tyler-jeong merged 1 commit into
mainfrom
fix/clnp-8656

Conversation

@sf-tyler-jeong

Copy link
Copy Markdown
Contributor

Fix the vite server.fs.deny bypass (CVE-2026-53571 / GHSA-fx2h-pf6j-xcff, High) reported in SECURE-3903. On Windows the deny blocklist protecting .env/cert files can be bypassed via NTFS alternate-data-stream paths (/.env::$DATA?raw) or 8.3 short filenames. vite 5.x/4.x have no patched release, so this upgrades to 6.4.3 (the minimum patched 6.x line).

vite is a devDependency only — the published @sendbird/uikit-react package is built with Rollup and does not bundle vite. No runtime/consumer impact; bumped for supply-chain hygiene.

Main project (Yarn workspaces):

  • vite ^5.x -> ^6.4.3 (root, apps/testing, apps/visual-test)
  • vite-plugin-svgr ^4.2.0 -> ^4.5.0 (4.2.0 peer caps at vite 5)
  • @vitejs/plugin-react -> ^4.7.0 (4.3.2 peer excludes vite 6)
  • postcss ^8.3.5 -> ^8.5.3 (+ yarn dedupe postcss) so the root and vite 6 share a single postcss 8.5.x; otherwise two copies break tsc -b type-checking of vite.config.ts (postcss-rtlcss Plugin vs AcceptedPlugin)
  • Storybook 8.6 and Node >=18 unchanged (both already support vite 6)

Samples (standalone npm apps):

  • groupchannel/openchannel/router: vite ^4.3.9 -> ^6.4.3, @vitejs/plugin-react -> ^4.7.0, package-lock.json regenerated
  • typescript_sample: removed unused vite dep (app uses react-scripts)

Verified: yarn build, yarn build:storybook (vite 6.4.3), apps vite build, yarn test (941 pass / 10 skip / 0 fail), npm run build for each sample, and tsc -b on apps/visual-test no longer reports the postcss type error.

For Internal Contributors

  • Follow the Scaled Trunk-Based Development workflow
  • Branch naming format: {type}/TICKET_ID/description
    • Type: feat / fix / chore / doc / release
  • Receive PR review approvals
  • Rebase your branch with the main branch and wait for CI to pass
  • Squash merge your commit
    • Use imperative language in the title and description
    • Follow the provided template for PR description and squashing

Template

// PR title (Required)
[type]: A short description of the changes in imperative language.

// PR description (Optional)
Add a brief description of the changes in this PR. Bullet points are also fine.

// Footer (Recommended)
Fixes [<TICKET_ID>](https://sendbird.atlassian.net/browse/<TICKET_ID>)

// Changelogs (Recommended)
// Add (internal) at the end of each changelog if internal.
### Changelogs

// Co-authors
// Add this if you pair programmed or they made significant contributions to the ideas in the code and you want to thank them.
Co-authored-by: Name name@example.com, Name2 name@example.com

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If unsure, ask the members.
This is a reminder of what we look for before merging your code.

  • All tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • Public components / utils / props are appropriately exported
  • I have added necessary documentation (if appropriate)

External Contributions

This project is not yet set up to accept pull requests from external contributors.

If you have a pull request that you believe should be accepted, please contact
the Developer Relations team developer-advocates@sendbird.com with details
and we'll evaluate if we can set up a CLA to allow for the contribution.

Fix the vite `server.fs.deny` bypass (CVE-2026-53571 / GHSA-fx2h-pf6j-xcff,
High) reported in SECURE-3903. On Windows the deny blocklist protecting
`.env`/cert files can be bypassed via NTFS alternate-data-stream paths
(`/.env::$DATA?raw`) or 8.3 short filenames. vite 5.x/4.x have no patched
release, so this upgrades to 6.4.3 (the minimum patched 6.x line).

vite is a devDependency only — the published @sendbird/uikit-react package is
built with Rollup and does not bundle vite. No runtime/consumer impact; bumped
for supply-chain hygiene.

Main project (Yarn workspaces):
- vite ^5.x -> ^6.4.3 (root, apps/testing, apps/visual-test)
- vite-plugin-svgr ^4.2.0 -> ^4.5.0 (4.2.0 peer caps at vite 5)
- @vitejs/plugin-react -> ^4.7.0 (4.3.2 peer excludes vite 6)
- postcss ^8.3.5 -> ^8.5.3 (+ `yarn dedupe postcss`) so the root and vite 6
  share a single postcss 8.5.x; otherwise two copies break `tsc -b`
  type-checking of vite.config.ts (postcss-rtlcss Plugin vs AcceptedPlugin)
- Storybook 8.6 and Node >=18 unchanged (both already support vite 6)

Samples (standalone npm apps):
- groupchannel/openchannel/router: vite ^4.3.9 -> ^6.4.3,
  @vitejs/plugin-react -> ^4.7.0, package-lock.json regenerated
- typescript_sample: removed unused vite dep (app uses react-scripts)

Verified: yarn build, yarn build:storybook (vite 6.4.3), apps vite build,
yarn test (941 pass / 10 skip / 0 fail), npm run build for each sample, and
`tsc -b` on apps/visual-test no longer reports the postcss type error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented Jun 22, 2026

Copy link
Copy Markdown

Deploy Preview for sendbird-uikit-react ready!

Name Link
🔨 Latest commit 9c8d7c4
🔍 Latest deploy log https://app.netlify.com/projects/sendbird-uikit-react/deploys/6a3909d91eadf50008ca7dbf
😎 Deploy Preview https://deploy-preview-1439--sendbird-uikit-react.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@danney-chun danney-chun left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm~

@sf-tyler-jeong sf-tyler-jeong merged commit 182424c into main Jun 23, 2026
8 checks passed
@sf-tyler-jeong sf-tyler-jeong deleted the fix/clnp-8656 branch June 23, 2026 02:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants