chore(deps-dev): Bump vite from 8.0.16 to 8.1.0 in the npm group #72
Bumps the npm group with 1 update: [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite).

Updates `vite` from 8.0.16 to 8.1.0
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@8.1.0/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 8.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — minor version bump of vite dev dependency.
Extended reasoning...
Overview
This PR bumps vite from 8.0.16 to 8.1.0 in devDependencies via Dependabot. Only package.json and pnpm-lock.yaml are modified; no source code, workflows, or configuration files change.
Security risks
None material. Vite is a devDependency used only for the test runner (vitest) — it does not ship in the compiled action bundle (dist/) and is not present at runtime for consumers of this GitHub Action. The 8.1.0 release notes include a security-relevant expansion of server.fs.deny, which is a strict improvement.
Level of scrutiny
Low. This is a minor semver bump of a build-time-only dependency with no API changes to the surface this repo consumes (vitest peer resolves cleanly to the new vite version in the lockfile).
Other factors
The bug-hunting system flagged nothing. Transitive updates (rolldown, postcss, nanoid) are consistent with vite's own upstream dependency bumps. No CODEOWNER-owned production paths are touched.
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
Bumps the npm group with 1 update: vite.
Updates `vite` from 8.0.16 to 8.1.0
Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
- 5909efd fix: allow multiple `bindCLIShortcuts` calls with shortcut merging (#21103)
- 39a0a15 chore(deps): update rolldown-related dependencies (#21095)
- 6a34ac3 fix(deps): update all non-major dependencies (#21096)
- 02ceaec chore(deps): update dependency `@rollup/plugin-commonjs` to v29 (#21099)
- 572aaca release: v7.2.2
- 728c8ee fix: revert "refactor: use fs.cpSync (#21019)" (#21081)
- a532e68 release: v7.2.1
- 82d2d6c fix(worker): some worker asset was missing (#21074)
- f83264f refactor(build): rename `indexOfMatchInSlice` to `findPreloadMarker` (#21054)
- 8293de0 release: v7.2.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions