[CLNP-8656] [fix]: bump vite to 6.4.3 (CLNP-8656)#1439
Merged
Conversation
Fix the vite `server.fs.deny` bypass (CVE-2026-53571 / GHSA-fx2h-pf6j-xcff, High) reported in SECURE-3903. On Windows the deny blocklist protecting `.env`/cert files can be bypassed via NTFS alternate-data-stream paths (`/.env::$DATA?raw`) or 8.3 short filenames. vite 5.x/4.x have no patched release, so this upgrades to 6.4.3 (the minimum patched 6.x line). vite is a devDependency only — the published @sendbird/uikit-react package is built with Rollup and does not bundle vite. No runtime/consumer impact; bumped for supply-chain hygiene. Main project (Yarn workspaces): - vite ^5.x -> ^6.4.3 (root, apps/testing, apps/visual-test) - vite-plugin-svgr ^4.2.0 -> ^4.5.0 (4.2.0 peer caps at vite 5) - @vitejs/plugin-react -> ^4.7.0 (4.3.2 peer excludes vite 6) - postcss ^8.3.5 -> ^8.5.3 (+ `yarn dedupe postcss`) so the root and vite 6 share a single postcss 8.5.x; otherwise two copies break `tsc -b` type-checking of vite.config.ts (postcss-rtlcss Plugin vs AcceptedPlugin) - Storybook 8.6 and Node >=18 unchanged (both already support vite 6) Samples (standalone npm apps): - groupchannel/openchannel/router: vite ^4.3.9 -> ^6.4.3, @vitejs/plugin-react -> ^4.7.0, package-lock.json regenerated - typescript_sample: removed unused vite dep (app uses react-scripts) Verified: yarn build, yarn build:storybook (vite 6.4.3), apps vite build, yarn test (941 pass / 10 skip / 0 fail), npm run build for each sample, and `tsc -b` on apps/visual-test no longer reports the postcss type error. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for sendbird-uikit-react ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix the vite
server.fs.denybypass (CVE-2026-53571 / GHSA-fx2h-pf6j-xcff, High) reported in SECURE-3903. On Windows the deny blocklist protecting.env/cert files can be bypassed via NTFS alternate-data-stream paths (/.env::$DATA?raw) or 8.3 short filenames. vite 5.x/4.x have no patched release, so this upgrades to 6.4.3 (the minimum patched 6.x line).vite is a devDependency only — the published @sendbird/uikit-react package is built with Rollup and does not bundle vite. No runtime/consumer impact; bumped for supply-chain hygiene.
Main project (Yarn workspaces):
yarn dedupe postcss) so the root and vite 6 share a single postcss 8.5.x; otherwise two copies breaktsc -btype-checking of vite.config.ts (postcss-rtlcss Plugin vs AcceptedPlugin)Samples (standalone npm apps):
Verified: yarn build, yarn build:storybook (vite 6.4.3), apps vite build, yarn test (941 pass / 10 skip / 0 fail), npm run build for each sample, and
tsc -bon apps/visual-test no longer reports the postcss type error.For Internal Contributors
{type}/TICKET_ID/descriptionfeat/fix/chore/doc/releaseTemplate
Checklist
Put an
xin the boxes that apply. You can also fill these out after creating the PR. If unsure, ask the members.This is a reminder of what we look for before merging your code.
External Contributions
This project is not yet set up to accept pull requests from external contributors.
If you have a pull request that you believe should be accepted, please contact
the Developer Relations team developer-advocates@sendbird.com with details
and we'll evaluate if we can set up a CLA to allow for the contribution.