
chore: upgrade vite to ^8.0.16 to address CVE-2026-53571#1313

Merged
brendan-kellam merged 2 commits into
mainfrom
brendan/sou-1333-sourcebot-devsourcebot-cve-2026-53571-vite-serverfsdeny-fc23
Jun 17, 2026

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jun 17, 2026


Fixes SOU-1333

Addresses CVE-2026-53571 (HIGH): vite's dev-server server.fs.deny logic could be bypassed on Windows via NTFS ADS and 8.3 short-name paths, exposing files like .env.

vite is pulled in transitively via vitest@4.1.4. The existing ^6.0.0 || ^7.0.0 || ^8.0.0 range already admits the patched 8.0.16, so this is a lockfile refresh only (yarn up -R vite) — no package.json or resolutions changes. yarn why vite --recursive confirms all instances are now at 8.0.16.

Summary by CodeRabbit

  • Documentation
    • Updated CHANGELOG with dependency upgrade information
  • Chores
    • Vite upgraded to v8.0.16
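One way to verify that the lockfile refresh actually closed every transitive instance of vite, as an added example that is not part of the PR or the Sourcebot project: scan a Yarn Berry yarn.lock for each resolved vite version and flag any below the patched release (the sample lockfile text and the MIN_SAFE_VITE constant are constructed here; the Yarn Berry entry layout is assumed).

```javascript
// Added example (not code from the PR or the Sourcebot project): scan a Yarn Berry yarn.lock
// for every resolved vite instance, mirroring the "yarn why vite --recursive" check in the PR.
const MIN_SAFE_VITE = "8.0.16"; // first release the PR states addresses CVE-2026-53571

// Constructed sample lockfile; the 8.0.10 entry is a hypothetical stale duplicate.
const SAMPLE_YARN_LOCK = `
"vite@npm:^6.0.0 || ^7.0.0 || ^8.0.0":
  version: 8.0.16
  resolution: "vite@npm:8.0.16"

"vite@npm:^8.0.0":
  version: 8.0.10
  resolution: "vite@npm:8.0.10"

"vitest@npm:4.1.4":
  version: 4.1.4
  resolution: "vitest@npm:4.1.4"
`;

// Compare dotted numeric versions (any prerelease suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolved version of every lock entry whose package name is exactly pkg. A header looks like
// "vite@npm:^8.0.0": and may hold comma-separated descriptors; "pkg@" keeps vitest/@vitejs out.
function resolvedVersions(lockText, pkg) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split("\n")) {
    if (!line.startsWith(" ") && line.trim().endsWith(":")) {
      const key = line.trim().replace(/^"|":$|:$/g, "");
      inEntry = key.split(",").some((d) => d.trim().startsWith(`${pkg}@`));
    } else if (inEntry) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) versions.push(m[1]);
    }
  }
  return versions;
}

// Vite instances still below the patched release; an empty list means the refresh took.
function unpatchedViteVersions(lockText, minSafe = MIN_SAFE_VITE) {
  return resolvedVersions(lockText, "vite").filter((v) => compareVersions(v, minSafe) < 0);
}
```

Run it over the real yarn.lock contents in CI so a later dependency bump cannot silently reintroduce a pre-8.0.16 vite alongside the patched one.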

brendan-kellam and others added 2 commits June 17, 2026 21:49
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jun 17, 2026



Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 05c7a71c-e3c6-473f-bc85-01e1e23d9d7b

📥 Commits

Reviewing files that changed from the base of the PR and between 242fd2e and 346755d.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

The CHANGELOG.md "Unreleased" section gains a single "Fixed" entry recording that vite was upgraded to ^8.0.16.

Changes

Changelog update

Layer: Unreleased Fixed entry for vite upgrade
File(s): CHANGELOG.md
Summary: Adds a line under the Unreleased → Fixed subsection documenting the vite dependency upgrade to ^8.0.16.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute


@github-actions

github-actions Bot commented Jun 17, 2026


License Audit

⚠️ Status: PASS

Metric                    Count
Total packages            2137
Resolved (non-standard)   20
Unresolved                0
Strong copyleft           0
Weak copyleft             38

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0

Resolved Packages (20)

Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo (aidenybai/react-grab license API: MIT)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo (aidenybai/react-grab license API: MIT)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo (aidenybai/react-grab monorepo, MIT)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm page / Functional Source License 1.1 (MIT future grant)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry metadata
element-source 0.0.3 UNKNOWN MIT LICENSE file inside published npm tarball
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry metadata
map-stream 0.1.0 UNKNOWN MIT npm registry metadata
memorystream 0.3.1 UNKNOWN MIT npm registry (licenses[].type field)
pause-stream 0.0.11 ["MIT","Apache2"] MIT OR Apache-2.0 extracted from object/array ["MIT","Apache2"]
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo LICENSE file (PostHog/posthog-js)
valid-url 1.0.9 UNKNOWN MIT GitHub repo LICENSE file (ogt/valid-url)

@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 21:56
@brendan-kellam brendan-kellam merged commit f5dab5f into main Jun 17, 2026
10 of 11 checks passed
@brendan-kellam brendan-kellam deleted the brendan/sou-1333-sourcebot-devsourcebot-cve-2026-53571-vite-serverfsdeny-fc23 branch June 17, 2026 21:57