Vite v8.0.5 Security Update Patches Critical Dev Server File Exposure Vulnerability (GHSA-4w7w-66w2-5vf9)

A critical security vulnerability in the Vite development server allows unauthorized access to `.map` files from anywhere on the host system, posing a significant data exposure risk. The flaw, tracked as GHSA-4w7w-66w2-5vf9, is present in versions prior to 8.0.5 and enables potential source code and internal file leakage if specific, common development configurations are used.

The vulnerability is triggered when a Vite dev server is explicitly exposed to the network using the `--host` command-line flag or the `server.host` configuration option. Under these conditions, an attacker could request files ending in `.map` from directories outside the intended project root. This bypasses standard access controls, potentially exposing sensitive source map files that can contain original source code, file paths, and other internal development artifacts not meant for public consumption.

The Vite maintainers have released version 8.0.5 to patch this issue. The update is classified as a security dependency chore, automatically flagged by tools like RenovateBot. The immediate impact is confined to development environments where the server is network-accessible, but the exposure of source maps could significantly aid reverse engineering efforts or reveal proprietary code structures. Teams must apply the patch promptly to mitigate the risk of unintended information disclosure from their development workflows.