Fix supply-chain CI: bump vite to 8.0.16 to resolve npm audit failure by caesay · Pull Request #952 · velopack/velopack · GitHub
Fix supply-chain CI: bump vite to 8.0.16 to resolve npm audit failure #952

Merged: caesay merged 1 commit into develop from claude/cool-ramanujan-j55osp, Jun 19, 2026
caesay (Member) commented Jun 19, 2026

Problem

The build-tests / supply-chain job is failing on develop, breaking CI.

Looking at the logs, the cargo deny check step passes (only duplicate-crate warnings), but the npm audit step in src/lib-nodejs exits with code 1:

vite  8.0.0 - 8.0.15
Severity: high
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows - GHSA-v6wh-96g9-6wx3
vite: `server.fs.deny` bypass on Windows alternate paths - GHSA-fx2h-pf6j-xcff
1 high severity vulnerability

vite is pulled in transitively (dev-only) via vitest, and the lockfile had it pinned at 8.0.14, which is inside the vulnerable range.

npm audit in src/lib-nodejs failed on develop due to a high-severity
advisory in vite 8.0.0-8.0.15 (GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3),
pulled in transitively via vitest. Run npm audit fix to update vite to
8.0.16 (and related rollup/esbuild transitive dev deps). npm audit now
reports 0 vulnerabilities.
caesay force-pushed the claude/cool-ramanujan-j55osp branch from e919bb4 to 5d245f6, June 19, 2026 16:43
caesay merged commit 612bf47 into develop, Jun 19, 2026
47 checks passed
caesay deleted the claude/cool-ramanujan-j55osp branch, June 19, 2026 16:44
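
Added example (not part of this pull request or the velopack code base): a Node.js check that lists every copy of a package a lockfile pins inside an advisory's hyphen range, as with vite 8.0.14 against `8.0.0 - 8.0.15` above. The sample lockfile, its vitest version and the helper names are constructed for illustration.

```javascript
// Constructed sample in npm lockfileVersion 3 layout; not the project's real lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-lib", devDependencies: { vitest: "^1.0.0" } },
    "node_modules/vitest": { version: "1.0.0", dev: true, dependencies: { vite: "^8.0.0" } },
    "node_modules/vite": { version: "8.0.14", dev: true },
  },
};

// Parse "x.y.z"; prerelease/build suffixes are ignored (assumption: plain releases).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Handles only the hyphen form "low - high" (both ends inclusive), the form shown on this page.
function inRange(version, range) {
  const [low, high] = range.split(" - ").map((s) => s.trim());
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Every installed copy of `name` (nested copies included) pinned inside `range`,
// plus the packages that declare a dependency on it.
function findVulnerable(lock, name, range) {
  const pkgs = Object.entries(lock.packages || {});
  const requiredBy = pkgs
    .filter(([, e]) => name in { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies })
    .map(([p]) => p.split("node_modules/").pop() || "(root)");
  return pkgs
    .filter(([p, e]) => (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
      && e.version && inRange(e.version, range))
    .map(([p, e]) => ({ path: p, version: e.version, devOnly: e.dev === true, requiredBy }));
}

console.log(findVulnerable(sampleLock, "vite", "8.0.0 - 8.0.15"));
```

Run against a real `package-lock.json` by passing `JSON.parse(fs.readFileSync(path, "utf8"))` as the first argument; an empty result means no pinned copy falls in the range.
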

codecov Bot commented Jun 19, 2026