fix: update vite to 5.5.0+ to patch Rollup path traversal vulnerability

[fatihtokus]

• Upgraded vite from 5.4.14 to 5.5.0+ which includes patched Rollup version
• Fixes CVE: Arbitrary File Write via Path Traversal in Rollup
• Rollup now properly sanitizes filenames to prevent path traversal sequences (../)
• This prevents attackers from writing files outside the intended output directory

Resolves: https://github.com/fatihtokus/scan2html/security/dependabot/37

[qodo-code-review]

PR Summary by Qodo

Bump Vite to 5.5.0 to pull patched Rollup and fix path traversal CVE
🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 10 minutes

Description

• Upgrade Vite dev dependency from 5.4.14 to 5.5.0 to pick up patched Rollup.
• Mitigate Rollup path traversal (arbitrary file write) vulnerability during bundling.
• Keep frontend build pipeline unchanged aside from dependency version bump.

Diagram

graph TD
  A["src/frontend-app/package.json"] --> B["Vite 5.5.0"] --> C["Rollup (patched)"]

Loading

High-Level Assessment

The following are alternative approaches to this PR:

1. Force patched Rollup via overrides/resolutions

• ➕ Minimizes surface area by not changing Vite itself
• ➕ Can be applied quickly if Vite upgrade causes issues
• ➖ May create unsupported dependency combinations
• ➖ Requires ongoing maintenance to avoid drift/conflicts

2. Pin Vite to an exact patched patch-version

• ➕ More deterministic builds than a caret range
• ➕ Reduces risk of unintended minor updates
• ➖ Less flexible for getting future patch fixes automatically
• ➖ Requires manual bumps for every patch release

Recommendation: Upgrading Vite to 5.5.0 is the cleanest and most supportable fix because it pulls the patched Rollup through the normal dependency chain. Consider pinning to an exact version if you want maximum determinism for security-driven upgrades; use overrides only as a temporary mitigation if the Vite bump introduces incompatibilities.

Files changed (1) +1 / -1

Other (1) +1 / -1

package.jsonBump Vite devDependency to 5.5.0 +1/-1

Bump Vite devDependency to 5.5.0

• Updates the Vite devDependency from ^5.4.14 to ^5.5.0 to incorporate the Rollup security fix for path traversal/arbitrary file write during bundling.

src/frontend-app/package.json

[qodo-code-review]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: check_frontend

Failed stage: Install dependencies [❌]

Failed test name: ""

Failure summary: The action failed during the bahmutov/npm-install step (working-directory: src/frontend-app) because npm install could not resolve a requested dependency version: - npm error code ETARGET / notarget No matching version found for vite@^5.5.0. (lines 554-557) - This indicates package.json (or the lockfile) requests vite@^5.5.0, but that version range is not available in the npm registry used by the runner, causing npm to exit with code 1 (lines 559-566). - The peer-dependency warnings about @vitejs/plugin-react and vite-plugin-css-injected-by-js (lines 539-553) are warnings; the actual failure is the missing vite@^5.5.0 version.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 512: Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/ 513: ##[group]Run bahmutov/npm-install@e5c7e14408aa6089501de32bd16123b41738047e 514: with: 515: working-directory: src/frontend-app 516: ##[endgroup] 517: running npm-install GitHub Action 518: trying to restore cached NPM modules 519: cache key npm-linux-x64-54faa63fec6e471f789f4f40fc7ee07a36a598d5913c9e2209c110ae591f4c6a586475bb7921824e9d1a5346a9eb3fd686e08098994d42b150edadfae18be675 520: restore keys [ 521: 'npm-linux-x64-54faa63fec6e471f789f4f40fc7ee07a36a598d5913c9e2209c110ae591f4c6a586475bb7921824e9d1a5346a9eb3fd686e08098994d42b150edadfae18be675', 522: [length]: 1 523: ] 524: input paths [ '/home/runner/.npm', [length]: 1 ] 525: (node:2555) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead. 526: (Use `node --trace-deprecation ...` to show where the warning was created) 527: ##[warning]Failed to restore: Cache service responded with 400 528: npm cache miss ... 539: npm warn Could not resolve dependency: 540: npm warn peer vite@"^4.2.0 || ^5.0.0" from @vitejs/plugin-react@4.2.1 541: npm warn node_modules/@vitejs/plugin-react 542: npm warn dev @vitejs/plugin-react@"^4.2.1" from the root project 543: npm warn ERESOLVE overriding peer dependency 544: npm warn While resolving: frontend-app@0.0.0 545: npm warn Found: vite@5.4.14 546: npm warn node_modules/vite 547: npm warn dev vite@"^5.5.0" from the root project 548: npm warn 2 more (@vitejs/plugin-react, vite-plugin-css-injected-by-js) 549: npm warn 550: npm warn Could not resolve dependency: 551: npm warn peer vite@">2.0.0-0" from vite-plugin-css-injected-by-js@3.4.0 552: npm warn node_modules/vite-plugin-css-injected-by-js 553: npm warn dev vite-plugin-css-injected-by-js@"^3.4.0" from the root project 554: npm error code ETARGET 555: npm error notarget No matching version found for vite@^5.5.0. 556: npm error notarget In most cases you or one of your dependencies are requesting 557: npm error notarget a package version that doesn't exist. 558: npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2026-06-17T20_37_58_238Z-debug-0.log 559: Error: The process '/usr/local/bin/npm' failed with exit code 1 560: at ExecState._setResult (/home/runner/work/_actions/bahmutov/npm-install/e5c7e14408aa6089501de32bd16123b41738047e/dist/index.js:6056:25) 561: at ExecState.CheckComplete (/home/runner/work/_actions/bahmutov/npm-install/e5c7e14408aa6089501de32bd16123b41738047e/dist/index.js:6039:18) 562: at ChildProcess.<anonymous> (/home/runner/work/_actions/bahmutov/npm-install/e5c7e14408aa6089501de32bd16123b41738047e/dist/index.js:5933:27) 563: at ChildProcess.emit (node:events:509:28) 564: at maybeClose (node:internal/child_process:1124:16) 565: at ChildProcess._handle.onexit (node:internal/child_process:306:5) 566: ##[error]The process '/usr/local/bin/npm' failed with exit code 1 567: Node 20 is being deprecated. This workflow is running with Node 24 by default. If you need to temporarily use Node 20, you can set the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true environment variable. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

1. Lockfile still pins old Vite 🐞 Bug ⛨ Security

Description

src/frontend-app/package.json bumps Vite to ^5.5.0, but src/frontend-app/package-lock.json still
resolves Vite 5.4.14 (and Rollup 4.22.4), so installs that honor the lockfile will continue using
the pre-upgrade toolchain. This undermines the PR’s stated goal (shipping the patched Rollup) and
can also break strict installs due to package.json/package-lock.json divergence.

Code

src/frontend-app/package.json[34]

+    "vite": "^5.5.0",

Evidence

The PR changes only the Vite constraint in package.json, while the checked-in lockfile still
declares and resolves the old Vite/Rollup versions, meaning the dependency tree used by
lockfile-based installs remains unchanged.

src/frontend-app/package.json[20-36]
src/frontend-app/package-lock.json[18-34]
src/frontend-app/package-lock.json[4870-4903]
src/frontend-app/package-lock.json[4401-4435]
.github/workflows/check_frontend.yml[25-40]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`src/frontend-app/package.json` was updated to require `vite: ^5.5.0`, but the committed `src/frontend-app/package-lock.json` still pins `vite@5.4.14` (and its `rollup@4.22.4`). As a result, any install that uses the lockfile will not actually consume the upgraded/patched dependency chain.

### Issue Context
This PR’s intent is to patch a Rollup path traversal vulnerability by upgrading Vite/Rollup. That goal is not achieved if the lockfile continues to resolve the old versions.

### Fix
- From `src/frontend-app/`, run `npm install` (or `npm update vite`), ensuring the resulting `package-lock.json` resolves to `vite@>=5.5.0` and the intended patched Rollup version.
- Commit the updated `src/frontend-app/package-lock.json`.

### Fix Focus Areas
- src/frontend-app/package-lock.json[1-40]
- src/frontend-app/package-lock.json[4401-4435]
- src/frontend-app/package-lock.json[4870-4903]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[qodo-code-review]

1. Lockfile still pins old vite 🐞 Bug ⛨ Security

src/frontend-app/package.json bumps Vite to ^5.5.0, but src/frontend-app/package-lock.json still
resolves Vite 5.4.14 (and Rollup 4.22.4), so installs that honor the lockfile will continue using
the pre-upgrade toolchain. This undermines the PR’s stated goal (shipping the patched Rollup) and
can also break strict installs due to package.json/package-lock.json divergence.

Agent Prompt

### Issue description
`src/frontend-app/package.json` was updated to require `vite: ^5.5.0`, but the committed `src/frontend-app/package-lock.json` still pins `vite@5.4.14` (and its `rollup@4.22.4`). As a result, any install that uses the lockfile will not actually consume the upgraded/patched dependency chain.

### Issue Context
This PR’s intent is to patch a Rollup path traversal vulnerability by upgrading Vite/Rollup. That goal is not achieved if the lockfile continues to resolve the old versions.

### Fix
- From `src/frontend-app/`, run `npm install` (or `npm update vite`), ensuring the resulting `package-lock.json` resolves to `vite@>=5.5.0` and the intended patched Rollup version.
- Commit the updated `src/frontend-app/package-lock.json`.

### Fix Focus Areas
- src/frontend-app/package-lock.json[1-40]
- src/frontend-app/package-lock.json[4401-4435]
- src/frontend-app/package-lock.json[4870-4903]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools