chore(deps)(deps-dev): bump vite from 8.0.14 to 8.0.16 in /frontend

[dependabot]

Bumps vite from 8.0.14 to 8.0.16.

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

[coderabbitai]

📝 Walkthrough

Walkthrough

The vite development dependency is bumped from ^8.0.14 to ^8.0.16 in the frontend's package.json file. This is a patch-level version update with no changes to application source code, configuration, or behavior.

Changes

Vite Dependency Update

Layer / File(s)	Summary
Vite version bump frontend/package.json	The vite devDependency is updated from ^8.0.14 to ^8.0.16.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• hadleyrich/iscreami#81: Both PRs modify frontend/package.json to bump the vite dev dependency to the next patch version.

Poem

🐰 A version bump hops along the way,
From eight point zero, fourteen's day,
To sixteen, swift and light,
The build tool shines more bright! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: a dependency version bump of vite from 8.0.14 to 8.0.16 in the frontend directory, which matches the changeset exactly.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/npm_and_yarn/frontend/main/vite-8.0.16

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 37: Approve the Vite bump to 8.0.16 but add an explicit Node pin to avoid
local dev version warnings: update frontend/package.json to include an "engines"
field (e.g., "engines": { "node": ">=20.19.0" } or pin to the CI major like
">=24") and add a top-level .nvmrc file containing the Node major used in CI
(e.g., "24" or "24.0.0"); change these in the same repo area that contains the
vite entry so tooling and contributors see the Node requirement consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f92de194-5a5b-4300-b329-a5e08f141331

📥 Commits

Reviewing files that changed from the base of the PR and between 908cb5d and ce216df.

⛔ Files ignored due to path filters (1)

• frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• frontend/package.json

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🌐 Web query:

Vite 8.0.16 release date npm package

💡 Result:

The Vite 8.0.16 npm package was released on June 1, 2026 [1][2][3]. It is documented in the official Vite GitHub repository releases and the package changelog [1][2][4].

Citations:

• 1: https://github.com/vitejs/vite/releases/tag/v8.0.16
• 2: https://raw.githubusercontent.com/vitejs/vite/main/packages/vite/CHANGELOG.md
• 3: https://www.npmjs.com/package/vite
• 4: https://github.com/vitejs/vite/releases

---

🌐 Web query:

Vite 8.0.14 8.0.15 8.0.16 security vulnerabilities CVE

💡 Result:

As of June 10, 2026, there are no reported security vulnerabilities specifically associated with Vite versions 8.0.14, 8.0.15, or 8.0.16 [1]. These versions are considered secure [1]. Significant security vulnerabilities were identified in earlier versions of Vite 8 (specifically versions 8.0.0 through 8.0.4) [2][3][4][5]. These included: CVE-2026-39364: A bypass of the server.fs.deny configuration, which could allow sensitive files to be retrieved when using specific query parameters [2][5][6]. CVE-2026-39365: A path traversal vulnerability related to the handling of.map files in optimized dependencies [3][4][6]. These issues were addressed and patched in Vite version 8.0.5 [2][3][4]. Users running any version prior to 8.0.5 are encouraged to upgrade to the latest stable release to mitigate these risks [4]. Versions 8.0.14, 8.0.15, and 8.0.16 include these and subsequent security fixes [1][7][8].

Citations:

• 1: https://security.snyk.io/package/npm/vite
• 2: GHSA-v2wj-q39q-566r
• 3: GHSA-4w7w-66w2-5vf9
• 4: https://security.snyk.io/vuln/SNYK-JS-VITE-15922213
• 5: https://osv.dev/vulnerability/GHSA-v2wj-q39q-566r
• 6: https://app.opencve.io/cve/?vendor=vitejs
• 7: https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md
• 8: https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md

---

🏁 Script executed:

#!/bin/bash
# Check for Node version constraints in the project and verify against Vite's requirements

echo "=== Checking project Node version constraints ==="
# Check for .nvmrc
if [ -f ".nvmrc" ]; then
  echo "Found .nvmrc:"
  cat .nvmrc
fi

# Check for .node-version
if [ -f ".node-version" ]; then
  echo "Found .node-version:"
  cat .node-version
fi

# Check for engines field in root package.json (if exists)
if [ -f "package.json" ]; then
  echo "Checking root package.json engines field:"
  jq -r '.engines.node // "Not specified"' package.json
fi

# Check engines in frontend/package.json
echo -e "\n=== Frontend package.json engines field ==="
jq -r '.engines.node // "Not specified"' frontend/package.json

echo -e "\n=== Vite 8.0.16 requires: ^20.19.0 || >=22.12.0 (from pnpm-lock.yaml) ==="

echo -e "\n=== Checking for GitHub security advisories for Vite ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: NPM, package: "vite") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: hadleyrich/iscreami

Length of output: 2722

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== pnpm-lock.yaml: look for engines/node constraints ==="
if [ -f "pnpm-lock.yaml" ]; then
  # show a small window around "engines" occurrences
  rg -n --context 3 "engines:" pnpm-lock.yaml || true
  rg -n --context 3 "node:" pnpm-lock.yaml | head -n 80 || true
else
  echo "pnpm-lock.yaml not found at repo root"
fi

echo
echo "=== GitHub Actions: look for setup-node versions ==="
if [ -d ".github/workflows" ]; then
  rg -n "setup-node|node-version" .github/workflows -S || true
  # extract likely node-version lines
  rg -n --only-matching "node-version:\s*['\"]?[^'\"\n]+" .github/workflows -S || true
else
  echo ".github/workflows not found"
fi

echo
echo "=== root package.json engines (if present) ==="
if [ -f "package.json" ]; then
  node -e "const p=require('./package.json'); console.log(p.engines||'no engines field')" 2>/dev/null || cat package.json | head -n 60
else
  echo "package.json not found"
fi

Repository: hadleyrich/iscreami

Length of output: 498

---

🌐 Web query:

vite 8.0.16 engines node requirement

💡 Result:

Vite 8.0.16 requires Node.js version 20.19.0 or higher, or 22.12.0 or higher [1][2][3]. These specific Node.js version requirements are maintained to ensure support for require(esm) without requiring additional flags, enabling Vite to be distributed as an ESM-only package [1][4]. Users are encouraged to upgrade their Node.js environment if their package manager provides warnings regarding these version constraints [2][3].

Citations:

• 1: https://vite.dev/blog/announcing-vite8
• 2: https://vite.dev/guide/
• 3: https://github.com/vitejs/vite/blob/main/docs/guide/index.md
• 4: https://vite.dev/blog/announcing-vite7

---

Approve Vite bump to 8.0.16 (existence/security/Node compatibility)

• vite@^8.0.16 exists (released June 1, 2026).
• Security advisories affecting Vite 8.x were for earlier ranges (e.g., >= 8.0.0, <= 8.0.4 patched in 8.0.5), and there are no reported issues specifically tied to 8.0.14/8.0.15/8.0.16.
• Vite 8 requires Node >=20.19.0 (or >=22.12.0); repo CI uses Node 24, so compatibility looks good.

Consider adding an .nvmrc / engines.node pin to reduce “wrong Node version” warnings for local development.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/package.json` at line 37, Approve the Vite bump to 8.0.16 but add an
explicit Node pin to avoid local dev version warnings: update
frontend/package.json to include an "engines" field (e.g., "engines": { "node":
">=20.19.0" } or pin to the CI major like ">=24") and add a top-level .nvmrc
file containing the Node major used in CI (e.g., "24" or "24.0.0"); change these
in the same repo area that contains the vite entry so tooling and contributors
see the Node requirement consistently.

[dependabot]

Dependabot can't resolve your JavaScript dependency files. Because of this, Dependabot cannot update this pull request.