
Bump vite to 6.4.3 to resolve security alerts#231

Merged
parthban-db merged 1 commit into main from parthban-db/stack/bump-vite-security on Jun 16, 2026

Conversation

@parthban-db parthban-db commented Jun 16, 2026

Contributor

Summary

Bumps vite ^6.4.0 → ^6.4.3 (lockfile 6.4.2 → 6.4.3) to resolve two open Dependabot alerts. This is a patch bump within the existing 6.x line — no major upgrade.

Why

Two Dependabot alerts are open against vite, both fixed in 6.4.3 and both Windows-only development-server issues (vite is a dev/test dependency and ships in no published @databricks/sdk-* package):

  • GHSA-fx2h-pf6j-xcff (high) — server.fs.deny bypass on Windows alternate data-stream paths.
  • GHSA-v6wh-96g9-6wx3 (medium) — launch-editor NTLMv2 hash disclosure via UNC path handling on Windows.

Both have first_patched_version = 6.4.3, and 6.4.3 was published on 2026-06-01 — well past CI's JFrog db-npm 7-day "immature package" cooldown — so it installs cleanly and the PR is mergeable. (This is a follow-up to the dev-dependency security work in #228; the two remaining esbuild alerts are intentionally deferred until esbuild@0.28.1 clears the registry cooldown.)

What changed

Interface changes

None.

Behavioral changes

None for SDK consumers. vite is development/test tooling only.

Internal changes

  • vite: ^6.4.0 → ^6.4.3 in package.json, 6.4.2 → 6.4.3 in package-lock.json. No other dependencies change.

How is this tested?

Ran the full CI suite locally against the bumped version; all stages pass: build, lint + format:check, typecheck, test (Node.js), test:browser (chromium), and check:licenses.

This PR changes only a development dependency and has no consumer-facing effect, so no changelog entry is required.

NO_CHANGELOG=true

This pull request and its description were written by Isaac.
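As an added illustration (not code from this PR or the repository), the mergeability reasoning in the description can be encoded as a check: an alert counts as resolved only when the version pinned in the lockfile, not the `^` range in package.json, is at or above first_patched_version, and the bump is installable only once the published version has aged past the 7-day cooldown. The trimmed lockfile, the alert records and the publish-date table are constructed sample data.

```python
import json
from datetime import date, timedelta

# Constructed sample data (not the project's real lockfile or alert feed):
# a trimmed package-lock.json after the bump, the two alert records the PR
# cites, and a publish-date table using the date the PR states for vite 6.4.3.
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"devDependencies": {"vite": "^6.4.3"}},
    "node_modules/vite": {"version": "6.4.3", "dev": true}
  }
}""")
ALERTS = [
    {"ghsa": "GHSA-fx2h-pf6j-xcff", "package": "vite", "first_patched_version": "6.4.3"},
    {"ghsa": "GHSA-v6wh-96g9-6wx3", "package": "vite", "first_patched_version": "6.4.3"},
]
PUBLISHED = {("vite", "6.4.3"): date(2026, 6, 1)}
COOLDOWN_DAYS = 7  # the registry's "immature package" window described in the PR

def parse_version(v):
    """Turn '6.4.3' into (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def locked_version(lock, name):
    """The installed version is the lockfile entry, not the ^ range in package.json."""
    entry = lock["packages"].get(f"node_modules/{name}")
    return entry["version"] if entry else None

def clears_cooldown(name, version, today):
    """True once the published version is at least COOLDOWN_DAYS old."""
    published = PUBLISHED.get((name, version))
    return published is not None and today - published >= timedelta(days=COOLDOWN_DAYS)

def audit(lock, alerts, today_iso):
    """Per-alert verdict: resolved by the locked version, and installable past the cooldown."""
    today = date.fromisoformat(today_iso)
    report = {}
    for a in alerts:
        v = locked_version(lock, a["package"])
        resolved = v is not None and parse_version(v) >= parse_version(a["first_patched_version"])
        report[a["ghsa"]] = {
            "locked": v,
            "resolved": resolved,
            "installable": v is not None and clears_cooldown(a["package"], v, today),
        }
    return report
```

Running `audit(LOCKFILE, ALERTS, "2026-06-16")` marks both alerts resolved and installable; the same bump audited on 2026-06-05 is resolved but still inside the cooldown.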

Resolves two open Dependabot alerts on vite, both fixed in 6.4.3 (a patch from
the current 6.4.2): GHSA-fx2h-pf6j-xcff (high, server.fs.deny bypass on Windows
alternate paths) and GHSA-v6wh-96g9-6wx3 (medium, launch-editor NTLMv2 hash
disclosure via UNC paths on Windows). vite is a dev/test dependency and 6.4.3 is
well past the JFrog 7-day cooldown, so this is a clean, mergeable bump.

Co-authored-by: Isaac
@parthban-db parthban-db enabled auto-merge June 16, 2026 12:23
@parthban-db parthban-db added this pull request to the merge queue Jun 16, 2026
Merged via the queue into main with commit 6a35e37 Jun 16, 2026
25 checks passed
@parthban-db parthban-db deleted the parthban-db/stack/bump-vite-security branch June 16, 2026 12:34