Bump vite from 8.0.10 to 8.0.16

[dependabot]

Bumps vite from 8.0.10 to 8.0.16.

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
get-based	Ready	Preview, Comment	Jun 3, 2026 7:40am

[greptile-apps]

Greptile Summary

Routine dependabot bump of vite from 8.0.10 to 8.0.16, pulling in six patch releases. All changed packages are devDependencies — vite is used only for development tooling; production ships as plain ES modules with no bundler.

• Security fixes (8.0.16): rejects UNC paths and Windows alternate paths in launch-editor-middleware, closing two path-traversal vectors in the dev server.
• Bundler stabilization: rolldown advances from 1.0.0-rc.17 to the stable 1.0.3 release, along with all its platform-specific native bindings; postcss moves from 8.5.10 to 8.5.15, nanoid to 3.3.12, and tinyglobby to 0.2.17.
• Peer dependency tightening: vite's @vitejs/devtools peer range moves from ^0.1.0 to ^0.1.18, but this is an optional peer with no effect on runtime behaviour.

Confidence Score: 5/5

Safe to merge — all changes are confined to devDependencies used only during development; no production runtime is affected.

The bump is a pure devDependency update with no production-code changes. The 8.0.16 release patches two path-traversal issues in the dev server's launch-editor middleware, making the upgrade actively beneficial. rolldown reaches its stable 1.0.3 release from an RC, which reduces churn risk rather than introducing it. No breaking changes are documented across the six patch versions.

No files require special attention.

Important Files Changed

Filename	Overview
package.json	Bumps vite from ^8.0.10 to ^8.0.16 in devDependencies
package-lock.json	Lockfile updates: vite 8.0.16, rolldown 1.0.0-rc.17→1.0.3 (stable), postcss 8.5.15, nanoid 3.3.12, tinyglobby 0.2.17, all @rolldown/* bindings to 1.0.3, @vitejs/devtools peer updated to ^0.1.18

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[vite 8.0.10] -->|bump| B[vite 8.0.16]
    B --> C[rolldown 1.0.3 stable]
    B --> D[postcss 8.5.15]
    B --> E[tinyglobby 0.2.17]
    C --> F[rolldown bindings 1.0.3 all platforms]
    C --> G[oxc-project types 0.133.0]
    D --> H[nanoid 3.3.12]
    B --> I[Security Fixes in 8.0.16]
    I --> J[Reject UNC paths in launch-editor-middleware]
    I --> K[Reject Windows alternate paths]

Loading

_{Reviews (2): Last reviewed commit: "Bump vite from 8.0.10 to 8.0.16" | Re-trigger Greptile}