chore(deps): update dependency vite-node to v5 (3.x) #33674

Merged
danielroe merged 1 commit into 3.x from renovate/3.x-vite-node-5.x
Nov 6, 2025

@renovate renovate bot commented Nov 6, 2025

This PR contains the following updates:

| Package | Change |
| --- | --- |
| vite-node (source) | ^3.2.4 -> ^5.0.0 |

Release Notes

antfu-collective/vite-node (vite-node)

v5.0.0

🚨 Breaking Changes
  • Migrate back from Vitest repo - by @antfu in #5 (adda4)
    • v4.0.0 is skipped to avoid collision with original Vitest versions.

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from danielroe as a code owner November 6, 2025 21:34
@socket-security
Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
| --- | --- | --- |
| Warn | Critical | Critical CVE: npm happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript |

CVE: GHSA-qpm2-6cq5-7pq5 happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript (CRITICAL)

Affected versions: < 20.0.2

Patched version: 20.0.2

From: package.json → npm/happy-dom@20.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or `npm audit fix --force` to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/happy-dom@20.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

pkg-pr-new bot commented Nov 6, 2025

@nuxt/kit

npm i https://pkg.pr.new/@nuxt/kit@33674

nuxt

npm i https://pkg.pr.new/nuxt@33674

@nuxt/rspack-builder

npm i https://pkg.pr.new/@nuxt/rspack-builder@33674

@nuxt/schema

npm i https://pkg.pr.new/@nuxt/schema@33674

@nuxt/vite-builder

npm i https://pkg.pr.new/@nuxt/vite-builder@33674

@nuxt/webpack-builder

npm i https://pkg.pr.new/@nuxt/webpack-builder@33674

commit: d434908

codspeed-hq bot commented Nov 6, 2025

CodSpeed Performance Report

Merging #33674 will improve performances by 23.33%

Comparing renovate/3.x-vite-node-5.x (d434908) with 3.x (0b077f8)

Summary

⚡ 1 improvement
✅ 9 untouched

Benchmarks breakdown

| Benchmark | BASE | HEAD | Change |
| --- | --- | --- | --- |
| loadNuxtConfig in the empty directory | 26.3 ms | 21.3 ms | +23.33% |

@danielroe danielroe merged commit 1be1abb into 3.x Nov 6, 2025
58 checks passed
@danielroe danielroe deleted the renovate/3.x-vite-node-5.x branch November 6, 2025 22:05
s1gr1d added a commit to getsentry/sentry-javascript that referenced this pull request Feb 11, 2026
Bump nuxt from ^3.13.2 to ^3.21.1 in @sentry/nuxt devDependencies. This
pulls in @nuxt/devtools@3.1.1 which depends on diff@^8.0.2, replacing
the vulnerable diff@7.0.0 (DoS via parsePatch infinite loop).

Nuxt can only be upgraded to `3.17.7` because later versions are using
Vite v7 as dependency and this causes our Node 18 tests to fail.

---

Summary of Vite dependency chain:
`nuxt` -
[@nuxt/vite-builder](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/nuxt/package.json#L83)
->
[vite-node](https://github.com/nuxt/nuxt/blob/617b266c732267755a8771b967d693b32e74fca4/packages/vite/package.json#L66)
->
[vite](https://github.com/antfu-collective/vite-node/blob/48f3ec7044513349597045ac7053efd8c3db2ba4/package.json#L89)

And from Nuxt `3.20.1`, vite-node was bumped from [major 3 to
5](nuxt/nuxt#33674) which uses [vite
7](https://github.com/antfu-collective/vite-node/blob/2a2d77749c6f97117557c6a584abef15e1f7a46e/package.json#L56)

But also, Nuxt `3.17.7` is the last version which uses Vite 6:
https://github.com/nuxt/nuxt/blob/b56bc134455391f3ea43d29140162f0b04b615b0/packages/vite/package.json#L62

---

Fixes
https://github.com/getsentry/sentry-javascript/security/dependabot/958

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: s1gr1d <32902192+s1gr1d@users.noreply.github.com>