Bump vite from 7.3.1 to 7.3.2 #850

Open
dependabot[bot] wants to merge 2 commits into master from dependabot/npm_and_yarn/vite-7.3.2

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Apr 6, 2026

Bumps vite from 7.3.1 to 7.3.2.

Release notes

Sourced from vite's releases.

v7.3.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

7.3.2 (2026-04-06)

Bug Fixes

Commits

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 6, 2026
@dependabot dependabot Bot requested a review from a team as a code owner April 6, 2026 22:36
changeset-bot commented Apr 6, 2026

⚠️ No Changeset found

Latest commit: 759b8bf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/vite-7.3.2 branch 11 times, most recently from 4b3a867 to ba9f47b Compare May 1, 2026 11:24
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 7.3.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/vite-7.3.2 branch from ba9f47b to a986471 Compare May 1, 2026 13:20
socket-security commented:

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High
Alert: Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml › npm/@react-native/debugger-frontend@0.76.9

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.76.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


Contributor commented:
Review: vite 7.3.1 → 7.3.2

Verdict: safe to merge. No code changes required.

What's in the bump

Lockfile-only change. The catalog spec moves vite: ^7.3.1 → ^7.3.2 and every vite: catalog: consumer re-resolves. Side effect: vite's own bundled rollup pin moves 4.57.1 → 4.59.0, which already matches the project's top-level rollup. The remaining lockfile churn (tar@6.2.1 deprecation message typo fix, new deprecation banners on uuid@7.0.3 / uuid@8.3.2) is upstream metadata refresh, not introduced by this PR.

Changelog (7.3.2 is bug-fix only)

All three fixes are dev-server-side security hardenings:

| Fix | Advisory | Severity |
| --- | --- | --- |
| Avoid path traversal in optimize-deps sourcemap handler (#22161) | GHSA-4w7w-66w2-5vf9 | Medium (6.3) |
| Apply server.fs check to env transport (#22162) | GHSA-p9ff-h696-f583 | High |
| Check server.fs after stripping query (#22160) | GHSA-v2wj-q39q-566r | High (8.2) |

No public API changes, no plugin-contract changes, no behavioural changes for vite build.

How vite is used here

  • Library builds (production output): packages/3ds, encryption, inputs, browser, ui-components, js, react, card-validator. All run vite build only — unaffected by the dev-server CVEs.
  • Dev/preview servers: only invoked by Playwright in e2e-tests/* (browser, browser-pre-release, crypto-harness, inputs, ui-components, ui-components/vanilla-test-server) on localhost ports 4001/4002/4005/4006/4007/4173. Not network-exposed.
  • No package configures server.fs.allow|deny, server.host, server.proxy, or custom middleware — defaults are used everywhere, so the upstream tightened checks apply transparently.
  • Plugin compatibility: @vitejs/plugin-react@4.7.0, @vitejs/plugin-basic-ssl@2.1.4, vite-plugin-dts@4.5.4, vite-plugin-istanbul@7.2.1, vitest@4.0.18, vitest-react-native@0.1.5 all peer-accept vite 7.x — no relock conflicts.

Verification

  • pnpm install --frozen-lockfile
  • pnpm run build (recursive @evervault/*...) ✅ — every package built with vite v7.3.2, no errors.

Suspicious / risky findings

None. Patch release, semver-compatible, security-positive (the fixes only narrow attack surface; they don't restrict any legitimate request shape we use). No source edits made.


Generated by Claude Code
