Updates its own vite peer dependency to >= 8.0.16

[hadilovic-codetribe]

Describe the bug

When will Vitest update its own peer dependency of Vite to >=8.0.16? Since it's causing vulnerabilities <8.0.16?

Reproduction

On github security and quality there's a vulnerability with affected vite version >= 8.0.0, <= 8.0.15.
Since it's not FE project, and using vitest for testing, vitest should update that peer dependency

System Info

MacOS Tahoe 26.5.1

Used Package Manager

pnpm

Validations

• Follow our Code of Conduct
• Read the Contributing Guidelines.
• Read the docs.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A open a GitHub Discussion or join our Discord Chat Server.
• The provided reproduction is a minimal reproducible example of the bug.

[hi-ogawa]

I was about to suggest pnpm update vite, but apparently this doesn't work for our pattern of auto peer dependency install of vite. For now, the workaround I suggest is something more elaborate pnpm add -D vite@8.0.16 && pnpm remove vite.

Ideally pnpm update vite should work and that's what I was expecting, but it doesn't, so we should either revisit peer dep strategy or explicitly call out the vite update gotcha in documentation.

(Btw, pnpm update some-dep does work for normal transitive dependencies, so not working for our peer dependency setup may be package manager issue)

That said, to be clear, narrowing Vite dependency version range whenever upstream patch or vulnerability won't be an ergonomic process, so I don't expect that should be the solution.

[hi-ogawa]

With the same scenario, npm update vite works but pnpm update vite doesn't. I've reported to pnpm

• pnpm update <pkg> does not upgrade an auto-installed peer dependency to a newer in-range version pnpm/pnpm#12487

[sheremet-va]

I think this issue is just to update this repository‘s vite version, not a peer dependency change.