
fix: update vite to 7.3.5 to resolve CVE-2026-53571 #237

Merged
liliwilson merged 1 commit into main from independabot/vite-CVE-2026-53571 on Jun 18, 2026

Conversation

@liliwilson

Contributor

Pins vite to >=7.3.5 via npm overrides to resolve a high-severity vulnerability.

Vulnerability: CVE-2026-53571 (vite: server.fs.deny bypass on Windows alternate paths)
Severity: High
Advisory: GHSA-fx2h-pf6j-xcff
Dependabot alert: https://github.com/warpdotdev/docs/security/dependabot/23

What changed:

  • Added "vite": "7.3.5" to the overrides section in package.json
  • Updated package-lock.json to reflect the pinned version (7.3.2 → 7.3.5)

Verification:

  • npm audit confirms CVE-2026-53571 no longer appears after the update

Adds npm overrides entry to pin vite >= 7.3.5, addressing the
server.fs.deny bypass vulnerability on Windows alternate paths.

Dependabot alert: https://github.com/warpdotdev/docs/security/dependabot/23

Co-Authored-By: Oz <oz-agent@warp.dev>
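The PR's verification step relies on npm audit no longer listing the advisory. A practitioner will usually also want to confirm that the override is present and that every copy of vite in the lockfile, including nested ones under other packages, is at or above the fixed version, since an override that was added without regenerating the lockfile leaves stale copies behind. The Node script below is an added example and is not code from the warpdotdev/docs repository or from this PR. It assumes the package-lock.json layout of lockfileVersion 2 or 3 (a top-level "packages" map keyed by install path); the function names (checkPin, findInstalled, compareVersions) and the sample package.json and lockfile objects are constructed for illustration.

```javascript
// Added example, not part of the warpdotdev/docs repository or this PR.
// Checks that package.json carries an override for a dependency and that every
// installed copy recorded in package-lock.json (lockfileVersion 2/3) meets a minimum.
// Sample inputs are constructed inline so the script runs offline; swap them for
// JSON.parse(fs.readFileSync("package.json")) / ("package-lock.json") on a real checkout.

const MIN_VITE = "7.3.5"; // minimum version named by the advisory fix in this PR

// Numeric dotted-version comparison (prerelease tags after "-" are ignored, which is
// sufficient for a pin check on release versions). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, including nested copies such as
// "node_modules/some-plugin/node_modules/vite". The root entry "" is never matched.
function findInstalled(lock, name) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const top = installPath === `node_modules/${name}`;
    const nested = installPath.endsWith(`/node_modules/${name}`);
    if (top || nested) hits.push({ path: installPath, version: entry.version });
  }
  return hits;
}

// Returns { ok, override, installed, stale }; `stale` lists copies below `min`.
// ok requires an override to be declared, at least one copy installed, and no stale copies.
function checkPin(pkg, lock, name, min) {
  const override = (pkg.overrides || {})[name] ?? null;
  const installed = findInstalled(lock, name);
  const stale = installed.filter((h) => compareVersions(h.version, min) < 0);
  const ok = override !== null && installed.length > 0 && stale.length === 0;
  return { ok, override, installed, stale };
}

// Constructed sample data (hypothetical; mirrors the shape described in the PR).
const samplePkg = { name: "docs", overrides: { vite: "7.3.5" } };

// Lockfile as the PR leaves it: a single vite entry bumped to 7.3.5.
const prLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/vite": { version: "7.3.5" },
  },
};

// Lockfile where the override was added but a nested copy was never regenerated.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs" },
    "node_modules/vite": { version: "7.3.5" },
    "node_modules/some-plugin/node_modules/vite": { version: "7.3.2" },
  },
};

const report = {
  pr: checkPin(samplePkg, prLock, "vite", MIN_VITE),
  stale: checkPin(samplePkg, staleLock, "vite", MIN_VITE),
};
console.log(JSON.stringify(report, null, 2));
```

The nested-copy case is the one worth keeping in mind: npm overrides apply to every copy in the tree, so a lockfile that still records an older nested version means `npm install` was not re-run after the override was added, and npm audit output alone would not distinguish that from a correct pin.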
@cla-bot cla-bot Bot added the cla-signed label Jun 17, 2026
@vercel

vercel Bot commented Jun 17, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 17, 2026 7:59pm


@liliwilson liliwilson requested a review from petradonka June 17, 2026 19:57
@oz-for-oss

oz-for-oss Bot commented Jun 17, 2026

Contributor

@liliwilson

I'm starting a first review of this pull request.

You can view the conversation on Warp.

I completed the review and no human review was requested for this pull request.

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@oz-for-oss oz-for-oss Bot left a comment

Contributor

Overview

This PR adds an npm override for vite 7.3.5 and updates the lockfile entry from 7.3.2 to 7.3.5 to address CVE-2026-53571.

Concerns

  • No blocking correctness or security concerns found in the attached diff.

Verdict

Found: 0 critical, 0 important, 0 suggestions

Approve

Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).

Powered by Oz

@liliwilson liliwilson merged commit 0513ff4 into main Jun 18, 2026
8 checks passed
@liliwilson liliwilson deleted the independabot/vite-CVE-2026-53571 branch June 18, 2026 02:45

3 participants