chore(dev-deps): bump vite from 8.0.10 to 8.0.16

[dependabot]

Bumps vite from 8.0.10 to 8.0.16.

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

• deps: reject UNC paths for launch-editor-middleware (#22571) (50b9512)
• reject windows alternate paths (#22572) (dc245c7)

8.0.15 (2026-06-01)

Features

• send 408 on request timeout (#22476) (c85c9ee)
• update rolldown to 1.0.3 (#22538) (646dbed)

Bug Fixes

• capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
• deps: update all non-major dependencies (#22511) (2686d7d)
• dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
• glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
• optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
• resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22566) (3052a67)

Code Refactoring

• correct logic in collectAllModules function (#22562) (6978a9c)

8.0.14 (2026-05-21)

Features

• update rolldown to 1.0.2 (#22484) (96efc88)

Bug Fixes

• deps: update all non-major dependencies (#22471) (98b8163)
• dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
• html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
• optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

• deps: update rolldown-related dependencies (#22470) (7cb728e)
• remove irrelevant commits from changelog (2c69495)

Code Refactoring

• glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

• f94df87 release: v8.0.16
• dc245c7 fix: reject windows alternate paths (#22572)
• 50b9512 fix(deps): reject UNC paths for launch-editor-middleware (#22571)
• 8d1b019 release: v8.0.15
• 2686d7d fix(deps): update all non-major dependencies (#22511)
• 3052a67 chore(deps): update rolldown-related dependencies (#22566)
• e3cfb9d fix(optimizer): close the rolldown bundle when write() rejects (#22528)
• 6978a9c refactor: correct logic in collectAllModules function (#22562)
• 646dbed feat: update rolldown to 1.0.3 (#22538)
• 85a0eff fix: capitalize error messages and remove spurious space in parse error (#22488)
• Additional commits viewable in compare view

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cli-web-cli	Ready	Preview, Comment	Jun 30, 2026 2:41pm

[ci-lockfile-regen]

Dependabot Fix Assessment

Package: `vite` `8.0.10` → `8.0.16` (patch)
Scope: devDependency (build tool)
Workspace: `packages/react-web-cli`, `examples/web-cli`

What changed upstream

• 8.0.16: Security fixes — reject UNC paths and Windows alternate paths for `launch-editor-middleware`
• 8.0.15: Send HTTP 408 on request timeout, update rolldown to 1.0.3
• 8.0.11–8.0.14: Various minor bug fixes

None of these changes affect runtime behavior of the built web CLI app or its E2E tests.

Migration concerns checked

• Peer dependencies: ✅ OK — no peer dep changes in this range
• Type changes: ✅ OK — no API surface changes
• Config files: ✅ OK — `vite.config.ts` and `vitest.config.ts` are unchanged and compatible
• Module format: ✅ OK — no ESM/CJS format changes
• React compatibility: ✅ OK — existing `dedupe: ["react", "react-dom"]` config still handles this
• Monorepo impact: ✅ OK — both workspace packages updated consistently

What broke

The Web CLI E2E Tests (Parallel) / session-tests job failed with this error at test/e2e/web-cli/session-resume.test.ts:222:

expect(resumedSessionId).toBe(originalSessionId)

The test "connects to public server and can resume session after reconnection" expected that after closing and reopening the WebSocket, the same session ID would be resumed. Instead, a new session was assigned.

Root cause: pre-existing flaky E2E test, not caused by this PR.

The browser logs show the shared dev server (wss://web-cli-terminal.ably-dev.com) hit its anonymous session limit (50/50) during the reconnection attempt. This triggered rate-limiting ("Too many connection attempts. Please try again in N seconds.") across multiple retries. When the connection finally succeeded, the server had no stored session to resume, so it assigned a new session ID.

Evidence this is pre-existing flakiness:

• The identical failure pattern (session-tests, same "Too many connection attempts" / anonymous session limit logs) also occurred on main on 2026-06-12 in run 27413338493, before this Dependabot PR existed
• Subsequent main-branch pushes passed without code changes — the test is sensitive to dev server load at the time of the run

What was fixed

No code changes required. The vite patch bump is safe.

Verification

• Build: ✅ (unchanged — vite is a devDependency, build output is not affected)
• Lint: ✅ (no source changes)
• Unit tests: ✅ (no source changes)
• Web CLI E2E (session-tests): ❌ flaky — pre-existing issue unrelated to this PR

Notes for reviewer

The session-tests job is sensitive to the anonymous session capacity of the shared dev server. The failure is a known-flaky test, not a regression introduced by this PR. The vite bump is safe to merge. Consider re-running the failed job or merging if the flakiness is already tracked.