Bump vite from 7.1.3 to 7.1.5 in /docs by dependabot[bot] · Pull Request #13147 · DefectDojo/django-DefectDojo

dependabot · 2025-09-09T21:10:17Z

Bumps vite from 7.1.3 to 7.1.5.

Release notes

v7.1.5

Please refer to CHANGELOG.md for details.

v7.1.4

Please refer to CHANGELOG.md for details.

Changelog

7.1.5 (2025-09-08)

Bug Fixes

apply fs.strict check to HTML files (#20736) (14015d7)

deps: update all non-major dependencies (#20732) (122bfba)

upgrade sirv to 3.0.2 (#20735) (09f2b52)

7.1.4 (2025-09-01)

Bug Fixes

add missing awaits (#20697) (79d10ed)

deps: update all non-major dependencies (#20676) (5a274b2)

deps: update all non-major dependencies (#20709) (0401feb)

pass rollup watch options when building in watch mode (#20674) (f367453)

Miscellaneous Chores

remove unused constants entry from rolldown.config.ts (#20710) (537fcf9)

Code Refactoring

remove unnecessary minify parameter from finalizeCss (#20701) (8099582)

Commits

5647540 release: v7.1.5
09f2b52 fix: upgrade sirv to 3.0.2 (#20735)
14015d7 fix: apply fs.strict check to HTML files (#20736)
122bfba fix(deps): update all non-major dependencies (#20732)
bcc3144 release: v7.1.4
0401feb fix(deps): update all non-major dependencies (#20709)
537fcf9 chore: remove unused constants entry from rolldown.config.ts (#20710)
79d10ed fix: add missing awaits (#20697)
8099582 refactor: remove unnecessary minify parameter from finalizeCss (#20701)
f367453 fix: pass rollup watch options when building in watch mode (#20674)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.1.3 to 7.1.5. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.1.5/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.1.5 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>

dryrunsecurity · 2025-09-09T21:10:48Z

This pull request adds a suspicious dev dependency — vite at version 7.1.5 in docs/package-lock.json — which does not match the known Vite release series (~5.x) and was not found in vulnerability databases. This discrepancy could be a typo, a private fork, or a malicious impersonation posing a supply-chain risk (scanner flagged it as non-blocking).

Potential Supply Chain Risk in Dependency in docs/package-lock.json

Vulnerability	Potential Supply Chain Risk in Dependency
Description	The patch introduces `vite` version `7.1.5` as a development dependency. This version is highly suspicious as it does not align with the known official versioning scheme of Vite (which is currently around 5.x). Searches for `vite 7.1.5` in vulnerability databases yielded no results, strongly suggesting that this is not a legitimate, publicly released version of Vite. This could indicate a typo, a private fork, or a malicious package impersonating Vite, posing a significant supply chain risk.

django-DefectDojo/docs/package-lock.json

Lines 5128 to 5136 in ed80690

    
             "license": "MIT" 
        
           }, 
        
           "node_modules/vite": { 
        
             "version": "7.1.5", 
        
             "resolved": "https://registry.npmjs.org/vite/-/vite-7.1.5.tgz", 
        
             "integrity": "sha512-4cKBO9wR75r0BeIWWWId9XK9Lj6La5X846Zw9dFfzMRw38IlTk2iCcUt6hsyiDRcPidc55ZParFYDXi0nXOeLQ==", 
        
             "dev": true, 
        
             "license": "MIT", 
        
             "dependencies": {

All finding details can be found in the DryRun Security Dashboard.

mtesauro

Approved

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 7.1.3 to 7.1.5. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v7.1.5/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 7.1.5 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Sep 9, 2025

dependabot Bot requested a review from Maffooch as a code owner September 9, 2025 21:10

dependabot Bot added the dependencies Pull requests that update a dependency file label Sep 9, 2025

dependabot Bot requested a review from mtesauro as a code owner September 9, 2025 21:10

dependabot Bot added the javascript Pull requests that update Javascript code label Sep 9, 2025

github-actions Bot added the docs label Sep 9, 2025

Maffooch approved these changes Sep 9, 2025

View reviewed changes

mtesauro approved these changes Sep 10, 2025

View reviewed changes

mtesauro merged commit 228d0d5 into master Sep 10, 2025
85 checks passed

dependabot Bot deleted the dependabot/npm_and_yarn/docs/vite-7.1.5 branch September 10, 2025 18:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump vite from 7.1.3 to 7.1.5 in /docs#13147

Bump vite from 7.1.3 to 7.1.5 in /docs#13147
mtesauro merged 1 commit intomasterfrom
dependabot/npm_and_yarn/docs/vite-7.1.5

dependabot Bot commented on behalf of github Sep 9, 2025

Uh oh!

dryrunsecurity Bot commented Sep 9, 2025

Uh oh!

mtesauro left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

dependabot Bot commented on behalf of github Sep 9, 2025

v7.1.5

v7.1.4

7.1.5 (2025-09-08)

Bug Fixes

7.1.4 (2025-09-01)

Bug Fixes

Miscellaneous Chores

Code Refactoring

Uh oh!

dryrunsecurity Bot commented Sep 9, 2025

Uh oh!

mtesauro left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants