[Security] Bump vite and laravel-vite-plugin

Bumps vite and laravel-vite-plugin. These dependencies needed to be updated together.

Updates vite from 6.3.6 to 7.1.11. This update includes a security fix.

Vulnerabilities fixed

vite allows server.fs.deny bypass via backslash on Windows

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns could be bypassed by using a backslash (\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

... (truncated)

Patched versions: 5.4.21; 6.4.1; 7.0.8; 7.1.11

Affected versions: >= 5.2.6, >= 7.1.0, <= 7.1.10

Release notes

Sourced from vite's releases.

create-vite@7.1.3

Please refer to CHANGELOG.md for details.

create-vite@7.1.2

Please refer to CHANGELOG.md for details.

create-vite@7.1.1

Please refer to CHANGELOG.md for details.

create-vite@7.1.0

Please refer to CHANGELOG.md for details.

create-vite@7.0.3

Please refer to CHANGELOG.md for details.

create-vite@7.0.2

Please refer to CHANGELOG.md for details.

create-vite@7.0.1

Please refer to CHANGELOG.md for details.

create-vite@7.0.0

Please refer to CHANGELOG.md for details.

create-vite@6.5.0

Please refer to CHANGELOG.md for details.

create-vite@6.4.1

Please refer to CHANGELOG.md for details.

create-vite@6.4.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.1.11 (2025-10-20)

Bug Fixes

  • dev: trim trailing slash before server.fs.deny check (#20968) (f479cc5)

Miscellaneous Chores

Code Refactoring

  • use subpath imports for types module reference (#20921) (d0094af)

Build System

7.1.10 (2025-10-14)

Bug Fixes

  • css: avoid duplicate style for server rendered stylesheet link and client inline style during dev (#20767) (3a92bc7)
  • css: respect emitAssets when cssCodeSplit=false (#20883) (d3e7eee)
  • deps: update all non-major dependencies (879de86)
  • deps: update all non-major dependencies (#20894) (3213f90)
  • dev: allow aliases starting with // (#20760) (b95fa2a)
  • dev: remove timestamp query consistently (#20887) (6537d15)
  • esbuild: inject esbuild helpers correctly for esbuild 0.25.9+ (#20906) (446eb38)
  • normalize path before calling fileToBuiltUrl (#20898) (73b6d24)
  • preserve original sourcemap file field when combining sourcemaps (#20926) (c714776)

Documentation

Miscellaneous Chores

7.1.9 (2025-10-03)

Reverts

7.1.8 (2025-10-02)

Bug Fixes

... (truncated)

Commits
  • 8b69c9e release: v7.1.11
  • f479cc5 fix(dev): trim trailing slash before server.fs.deny check (#20968)
  • 6fb41a2 chore(deps): update all non-major dependencies (#20966)
  • a817307 build: remove hash from built filenames (#20946)
  • ef411ce build: remove cjs reference in files field (#20945)
  • d0094af refactor: use subpath imports for types module reference (#20921)
  • ed4a0dc release: v7.1.10
  • c714776 fix: preserve original sourcemap file field when combining sourcemaps (#20926)
  • 446eb38 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20906)
  • 879de86 fix(deps): update all non-major dependencies
  • Additional commits viewable in compare view

Updates laravel-vite-plugin from 1.3.0 to 2.0.1

Release notes

Sourced from laravel-vite-plugin's releases.

v2.0.1

v2.0.0

Changelog

Sourced from laravel-vite-plugin's changelog.

v2.0.1 - 2025-08-26

Upgrade guide

Sourced from laravel-vite-plugin's upgrade guide.

Upgrade Guide

0.x to 1.x

  • Adds support for Vite 5 and removes support for Vite 3 and 4.
  • Introduces an npx clean-orphaned-assets command to clean orphaned assets in Vite's build directories.
  • Introduces Valet / Herd TLS certificate auto detection.
  • Adds app/Livewire/** to the default "refresh" paths.
  • Adds output of SSR manifest for SSR builds.

Notable Changes

  1. Dropped CJS build: laravel/vite-plugin#235
  2. Dropped support for a boolean value of server.https option in vite.config.js: laravel/vite-plugin#254
  3. Dropped support for Node 14, 15, 16, 17, and 19: laravel/vite-plugin#269

Please see the Vite migration documentation for why these changes have been made and additional changes you may need to consider.

Upgrade Path

  1. Update to the latest version of the laravel-vite-plugin, vite, and any Vite plugins you may have installed, such as @vitejs/plugin-vue, which requires version ^4.5.0, or @vitejs/plugin-react, which requires version ^4.2.0, to be compatible with Vite 5.

The following command will update laravel-vite-plugin and vite only. You may need to include any additional plugin updates as needed by your application:

npm install --save-dev vite@^5.0.0 laravel-vite-plugin@^1.0.0

You should also check the upgrade guide and changelogs for any packages you update, including Vite's migrations guide.

  2. Ensure your package.json contains "type": "module".

Run the following command in your project's root directory or anywhere you have your package.json files:

npm pkg set type=module

You may also need to rename any *.js configuration files that contain CJS, which is the older-style Node-flavored var plugin = require('plugin') syntax, to filename.cjs after making this change.

Migrating from Laravel Mix to Vite

Note
This upgrade guide does not cover all possible Mix use cases, such as Sass compilation. Please consult the Vite documentation for information on configuring Vite for these scenarios.

Update Laravel Framework

To make use of the new Vite integration, you will need to update to at least version 9.19.0 of the laravel/framework:


... (truncated)

Commits
