chore(deps): bump vite to ^8.0.5 (latest 8.0.x); unpin Python base image#12711
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates frontend tooling and container base image choices to address security concerns: it bumps the Vite dev dependency and changes the olbase Docker image to track Python 3.12 patch releases automatically.
Changes:
- Bump
vitedependency from^8.0.3to^8.0.5(and update npm lockfile accordingly). - Unpin
docker/Dockerfile.olbasefrompython:3.12.2-slim-bookwormtopython:3.12-slim-bookworm.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates Vite version range used for dev/build tooling. |
| package-lock.json | Updates lockfile to reflect the new Vite dependency range/resolution. |
| docker/Dockerfile.olbase | Switches Python base image tag to a floating 3.12 patch tag for security updates. |
vite 8.0.3–8.0.4 has three CVEs: path traversal in optimized deps (GHSA-4w7w-66w2-5vf9), server.fs.deny bypass (GHSA-v2wj-q39q-566r), and arbitrary file read via dev server WebSocket (GHSA-p9ff-h696-f583). Fixed in 8.0.5. Python base image switched from pinned 3.12.2-slim-bookworm (March 2024) to floating 3.12-slim-bookworm to track CPython security patches automatically. Current is 3.12.11 with several stdlib CVE fixes. JS build verified passing after npm install.
mekarpeles
force-pushed
the
chore/security-dep-bumps-2026-05
branch
from
55cec7a to
46fc271
Compare
mekarpeles
changed the title
|
Done. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
^8.0.3→^8.0.5: fixes three CVEs in 8.0.3–8.0.4 (path traversal in optimized deps GHSA-4w7w-66w2-5vf9,server.fs.denybypass GHSA-v2wj-q39q-566r, arbitrary file read via WebSocket GHSA-p9ff-h696-f583). Risk is developer/CI machines running the Vite dev server.python:3.12.2-slim-bookworm(March 2024) →python:3.12-slim-bookwormto track CPython security patches automatically (current: 3.12.11, includes CVE-2024-6232 tarfile ReDoS, CVE-2024-7592 http.cookies injection, and others).Note: most other security dep bumps identified in a recent audit (Pillow, lodash, HAProxy, svgo, css-minimizer-webpack-plugin) were already applied in master. This PR covers the remaining two.
Testing
npm install— 0 vulnerabilities after vite bumpmake js— JS bundle builds cleanly with vite 8.0.5Checklist