
feat(plugin-vite): upgrade vite 8#4167

Open
0xlau wants to merge 5 commits into electron:next from 0xlau:vite/upgrade-v8

Conversation


@0xlau 0xlau commented Mar 15, 2026

close #4166

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project follows, as appropriate.
  • The changes are appropriately documented (if applicable).
  • The changes have sufficient test coverage (if applicable).
  • The testsuite passes successfully on my local machine (if applicable).

Summary

This PR updates @electron-forge/plugin-vite to support Vite 8.

Electron Forge next currently uses Vite 7, while Vite 8 has already been released. This change updates the plugin so projects using Electron Forge can adopt the latest Vite version.

Changes

  • update Vite dependency to v8
  • adjust code to handle breaking changes between Vite 7 → Vite 8
  • ensure the plugin continues to work with the current Electron Forge build pipeline

Testing

Tested with a local Electron Forge project using @electron-forge/plugin-vite and Vite 8.
Build, dev server, and renderer reload all work as expected.

@0xlau 0xlau requested a review from a team as a code owner March 15, 2026 11:44

socket-security bot commented Mar 15, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   vitest@4.0.14 ⏵ 4.1.2        96                      100             79 +1     99            100
Updated   vite@7.2.4 ⏵ 8.0.3           94 -2                   100             82        98 -1         100
Updated   webpack@5.105.4 ⏵ 5.94.0     84 +2                   99 -1           93        97            100

View full report


socket-security bot commented Mar 15, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
High CVE: npm @isaacs/brace-expansion has Uncontrolled Resource Consumption

CVE: GHSA-7h2j-956f-4vf2 @isaacs/brace-expansion has Uncontrolled Resource Consumption (HIGH)

Affected versions: < 5.0.1

Patched version: 5.0.1

From: npm/@electron/packager@19.0.5 → npm/lerna@9.0.6 → npm/@isaacs/brace-expansion@5.0.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@isaacs/brace-expansion@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: node-npm tar Symlink Path Traversal via Drive-Relative Linkpath

CVE: GHSA-9ppj-qmqm-q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath (HIGH)

Affected versions: < 7.5.11

Patched version: 7.5.11

From: npm/@electron/rebuild@4.0.3 → npm/tar@7.5.9

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
High CVE: npm tar has Hardlink Path Traversal via Drive-Relative Linkpath

CVE: GHSA-qffp-2rhf-9h96 tar has Hardlink Path Traversal via Drive-Relative Linkpath (HIGH)

Affected versions: < 7.5.10

Patched version: 7.5.10

From: npm/@electron/rebuild@4.0.3 → npm/tar@7.5.9

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm tar

Reason: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me

From: npm/@electron/rebuild@4.0.3 → npm/tar@7.4.4

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.4.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • vite@8.0.3

View full report
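One way to act on the "dependency overrides" suggestion in the report above, as an added example that is not part of the Socket output or of this PR: a package.json fragment that pins the transitive tar and @isaacs/brace-expansion dependencies to the patched versions the alerts list, scoped to the dependency chains the alerts name (npm uses the nested overrides key, Yarn the path-style resolutions key; the package name "example-forge-app" is a placeholder). The tar pin uses 7.5.11, the highest patched version across the three tar alerts, so one override satisfies all of them.

```json
{
  "name": "example-forge-app",
  "overrides": {
    "@electron/rebuild": {
      "tar": "^7.5.11"
    },
    "lerna": {
      "@isaacs/brace-expansion": "^5.0.1"
    }
  },
  "resolutions": {
    "@electron/rebuild/tar": "^7.5.11",
    "lerna/@isaacs/brace-expansion": "^5.0.1"
  }
}
```

After reinstalling, `yarn why tar` (or `npm ls tar`) should show only the patched version under @electron/rebuild; keep the pin only until @electron/rebuild and lerna ship releases that require the patched versions themselves.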

0xlau (Author) commented Mar 15, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm vite is 91.0% likely obfuscated
Confidence: 0.91

Location: Package overview

From: package.json → npm/vite@8.0.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

_Mark the package as acceptable risk_. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/vite@8.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the [triage state of this alert](https://socket.dev/dashboard/org/electron-conjk/diff-scan/b16d3784-d451-4ab9-96ac-ee759f6a1a1d/alert/QACwIJpkJ4G7yTQSBEZd7r_CRsKnJkVfKAXZ4cAmFGbY).

View full report

@SocketSecurity ignore npm/vite@8.0.0

erickzhao (Member) commented

@SocketSecurity ignore npm/vite@8.0.0

const contents = fs.readFileSync(outFile, 'utf8');
// MAIN_WINDOW_VITE_NAME should be statically replaced with "main_window"
expect(contents).toContain('"main_window"');
expect(contents).toMatch(/["'`]main_window["'`]/);
Review comment (Member) on the test lines above:

Does this map to some breaking change in Vite 7 -> 8?


median-dxz commented Mar 24, 2026

Hi, I'm using the latest stable version of Electron Forge (v7.11.1). After I updated Vite to v8, I encountered a warning when running my application:

 WARN  inlineDynamicImports option is deprecated, please use codeSplitting: false instead.

I guess we need to adjust the inlineDynamicImports configuration?

@github-actions github-actions bot added the next label Apr 3, 2026
@erickzhao erickzhao changed the title from "feat(plugin-vite): upgrade vite to version 8.0.0" to "feat(plugin-vite): upgrade vite 8" Apr 3, 2026
erickzhao (Member) commented

@SocketSecurity ignore npm/vite@8.0.3


erickzhao commented Apr 3, 2026

Latest commit upgrades Vitest to also use Vite 8 under the hood. We only have one copy of Vite for the whole repo now:

yarn why vite 
├─ @electron-forge/plugin-vite@workspace:packages/plugin/vite
│  └─ vite@npm:8.0.3 [fe286] (via npm:^8.0.0 [b1696])
│
├─ vitest@npm:4.1.2 [a4919]
│  └─ vite@npm:8.0.3 [fe286] (via npm:^6.0.0 || ^7.0.0 || ^8.0.0 [fe286])
│
└─ vitest@npm:4.1.2 [f5868]
   └─ vite@npm:8.0.3 [d529d] (via npm:^6.0.0 || ^7.0.0 || ^8.0.0 [d529d])

I started a Yarn Catalog so we only have a single source of truth for the vite version across all workspaces.

3 participants