Vite 8 Migration Resolves HIGH Severity Rollup Vulnerability in Project

A critical security vulnerability has prompted a mandatory upgrade from Vite 7 to Vite 8 within a project's development pipeline. The move directly addresses a HIGH severity flaw in Rollup 4, identified as GHSA-mw96-cpmx-2vgc, which allows for arbitrary file writes via path traversal. Vite 8 resolves this by replacing the underlying Rollup bundler with Rolldown, eliminating the attack vector.

Technical analysis confirms the project is well-positioned for a smooth transition. The existing Vite configuration is minimal, comprising only 23 lines with no custom plugins or complex `rollupOptions`. All `import.meta.env` usages are compatible, and the Node.js version (22.19.0) meets the new requirement. The update also includes migrating `@vitejs/plugin-react` from version 5 to 6, which swaps Babel for the Oxc compiler, promising smaller bundle sizes.

The migration is part of a broader 'Phase 2: Security Fixes' epic. The primary changes are confined to version bumps in `package.json` for `vite` and `@vitejs/plugin-react`. The `vitest` dependency also requires a compatibility check for its 5.x or 6.x versions. Crucially, the core configuration files (`vite.config.ts`, `vitest.config.ts`) require no modifications, indicating a low-risk, high-impact security patch that fortifies the build chain against a documented exploit.