
fix: update vite and electron for dev tooling security#8469

Merged
jeanduplessis merged 1 commit into main from security/pr6-vite-electron-dev on Apr 7, 2026

Conversation

@jeanduplessis

Contributor

Summary

  • Updates vite catalog from 7.1.4 to 7.3.1 (already proven working in kilo-vscode/kilo-ui at 7.3.1)
  • Updates electron from 40.4.1 to 40.8.5 in desktop-electron (not actively maintained, patch within major)
  • Both are dev-only dependencies — lowest priority in the security remediation series

Advisories Fixed

Advisory              Severity   Package    Description
GHSA-4w7w-66w2-5vf9   Moderate   vite       Path traversal in optimized deps .map handling
GHSA-v2wj-q39q-566r   High       vite       server.fs.deny bypassed with queries
GHSA-p9ff-h696-f583   High       vite       Arbitrary file read via WebSocket
Various               High       electron   Context isolation bypass, use-after-free, command injection
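The PR summary names the advisories and the target versions, but a manifest only promises the lower bound of each specifier: a caret range still admits its base version, and a `catalog:` reference means whatever the workspace catalog says. As an added example (not code from this PR or from the kilocode project), the script below walks a set of workspace manifests, resolves each vite/electron specifier to its lower bound, and flags anything below the patched floors stated in this PR (vite 7.3.2, electron 40.8.5). The manifests and the catalog object are constructed for illustration; only pnpm's default `catalog:` form is modelled.

```javascript
// Added example, not the project's tooling: audit declared dependency floors
// against the versions this PR treats as patched. Everything below is constructed.

// Floors taken from the PR discussion. Assumption: nothing older is acceptable.
const PATCHED_FLOOR = { vite: "7.3.2", electron: "40.8.5" };

// Constructed stand-in for the workspace catalog (the target of "catalog:").
// It still names the pre-bump 7.3.1, so the audit is expected to flag it.
const CATALOG = { vite: "7.3.1" };

// Constructed manifests: one catalog reference, one caret range, one exact pin.
const WORKSPACE = {
  "packages/kilo-ui/package.json": { devDependencies: { vite: "catalog:" } },
  "packages/desktop-electron/package.json": { devDependencies: { electron: "^40.4.1" } },
  "packages/example/package.json": { devDependencies: { vite: "7.3.2" } },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A manifest can only promise a lower bound: "^40.4.1" admits 40.4.1, and
// "catalog:" resolves to the catalog entry. Whatever the lockfile resolves
// above that is incidental, so the lower bound is what gets compared.
function lowerBound(name, spec, catalog) {
  let s = spec.trim();
  if (s.startsWith("catalog:")) {
    if (s !== "catalog:") throw new Error(`named catalogs not modelled: ${s}`);
    if (!(name in catalog)) throw new Error(`${name} missing from catalog`);
    s = catalog[name];
  }
  s = s.replace(/^(\^|~|>=|=)/, "");
  return parseVersion(s);
}

// Returns one finding per dependency whose lower bound is below its floor.
function auditWorkspace(workspace, catalog, floors) {
  const findings = [];
  for (const [file, manifest] of Object.entries(workspace)) {
    for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
      for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
        if (!(name in floors)) continue;
        const bound = lowerBound(name, spec, catalog);
        if (compareVersions(bound, parseVersion(floors[name])) < 0) {
          findings.push({ file, name, spec, lowerBound: bound.join("."), floor: floors[name] });
        }
      }
    }
  }
  return findings;
}

for (const f of auditWorkspace(WORKSPACE, CATALOG, PATCHED_FLOOR)) {
  console.log(`${f.file}: ${f.name} ${f.spec} (lower bound ${f.lowerBound}) is below patched ${f.floor}`);
}
```

Run against the constructed inputs it reports the catalog-pinned 7.3.1 and the `^40.4.1` electron range; the exact `7.3.2` pin passes. In a real repository the same logic would be fed the actual manifests and catalog, and the lockfile would be checked separately, since a range that happens to resolve high today can regress on the next install.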

@kilo-code-bot

kilo-code-bot Bot commented Apr 7, 2026

Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (22 files)
  • package.json
  • nix/hashes.json
  • packages/kilo-gateway/package.json
  • packages/kilo-ui/package.json
  • packages/opencode/package.json
  • packages/ui/package.json
  • packages/kilo-vscode/package.json
  • packages/desktop-electron/package.json
  • packages/kilo-vscode/src/agent-manager/GitOps.ts
  • packages/kilo-vscode/src/agent-manager/GitStatsPoller.ts
  • packages/kilo-vscode/src/agent-manager/WorktreeManager.ts
  • packages/kilo-vscode/tests/unit/git-ops.test.ts
  • packages/kilo-vscode/tests/unit/git-stats-poller.test.ts
  • packages/opencode/src/server/routes/pty.ts
  • packages/kilo-docs/pages/code-with-ai/platforms/vscode/whats-new.md
  • packages/kilo-docs/source-links.md
  • packages/kilo-vscode/webview-ui/src/components/migration/MigrationWizard.tsx
  • packages/kilo-vscode/webview-ui/src/components/migration/migration.css
  • packages/kilo-vscode/webview-ui/src/i18n/en.ts
  • packages/kilo-vscode/webview-ui/src/i18n/de.ts
  • packages/kilo-vscode/webview-ui/src/i18n/zh.ts
  • packages/kilo-vscode/webview-ui/src/i18n/zht.ts

Reviewed by gpt-5.4-20260305 · 2,090,371 tokens

Comment thread on package.json (outdated)
@jeanduplessis

jeanduplessis commented Apr 7, 2026

Contributor Author

Bumped vite from 7.3.1 → 7.3.2. The original 7.3.1 target was still vulnerable to the three security advisories cited in the PR description (GHSA-4w7w-66w2-5vf9, GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583) — those were patched in 7.3.2 (released 2026-04-06).

Did an in-depth analysis of both upgrades:

Vite 7.1.4 → 7.3.2: Two semver-minor bumps (7.2.0, 7.3.0) + patches. No breaking changes. The codebase doesn't use server.fs.deny anywhere, and the only server.fs.allow usage is in storybook (standard API, unaffected). All vite plugins (vite-plugin-solid, @tailwindcss/vite, electron-vite ^5) are compatible with 7.3.x. The esbuild peer dep was widened to ^0.27.0 in 7.3.0 — resolves fine.

Electron 40.4.1 → 40.8.5: Same Chromium 144, Node 24, V8 14.4 — no breaking changes within 40.x. Patches 5 CVEs including a critical (CVSS 9.2) use-after-free and a high (CVSS 8.4) context isolation bypass. The codebase uses contextBridge correctly (no VideoFrame objects), sandbox: false is set explicitly, and the opencode:// protocol scheme is RFC 3986 compliant (unaffected by the new protocol validation in 40.8.1).
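The comment above notes that the desktop app uses contextBridge and sets `sandbox: false` explicitly, which is exactly the kind of setting a context-isolation fix in Electron makes worth re-checking. As an added example (not code from this PR or the project), the lint below takes a `BrowserWindow` `webPreferences` object and reports every option that is explicitly set to a weaker value than Electron's current defaults. The two option sets are constructed; the "as described" one mirrors the comment's description and is not the project's actual config. It assumes Electron's present defaults (`contextIsolation` true since 12, `sandbox` true for renderers since 20, `nodeIntegration` false), so only an explicit override is treated as a weakening.

```javascript
// Added example, not the project's code: flag renderer webPreferences that are
// explicitly weaker than Electron's defaults. Inputs below are constructed.

// Assumed defaults: contextIsolation true (Electron 12+), sandbox true for
// renderers (Electron 20+), nodeIntegration false. An absent key is therefore
// the safe value, and only an explicit override is reported.
const BASELINE = [
  {
    key: "contextIsolation",
    bad: (v) => v === false,
    why: "preload and page scripts share one JS world, so page code can reach preload state",
  },
  {
    key: "sandbox",
    bad: (v) => v === false,
    why: "renderer runs outside the OS sandbox and the preload gets unrestricted Node access",
  },
  {
    key: "nodeIntegration",
    bad: (v) => v === true,
    why: "page scripts can require() Node modules directly",
  },
  {
    key: "webSecurity",
    bad: (v) => v === false,
    why: "same-origin policy is disabled in the renderer",
  },
  {
    key: "allowRunningInsecureContent",
    bad: (v) => v === true,
    why: "mixed content is allowed",
  },
];

// Returns one finding per baseline rule the given webPreferences violate.
function auditWebPreferences(prefs) {
  return BASELINE.filter((rule) => rule.bad(prefs[rule.key])).map((rule) => ({
    key: rule.key,
    value: prefs[rule.key],
    why: rule.why,
  }));
}

// Constructed: the shape the PR comment describes (contextBridge via a preload,
// sandbox switched off explicitly). Only the sandbox line should be reported.
const AS_DESCRIBED = {
  preload: "/app/preload.js",
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: false,
};

// Constructed: the same window with sandbox left at its default.
const HARDENED = {
  preload: "/app/preload.js",
  contextIsolation: true,
  nodeIntegration: false,
};

for (const f of auditWebPreferences(AS_DESCRIBED)) {
  console.log(`${f.key}=${JSON.stringify(f.value)}: ${f.why}`);
}
```

The point of keying the rules on explicit values rather than on presence is that a config which simply omits `sandbox` is already sandboxed on a current Electron, whereas one that says `sandbox: false` keeps opting out across every upgrade until someone deletes the line; a bump like this one patches the engine but does not touch that choice.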

- vite: catalog 7.1.4 → 7.3.1 (already used in kilo-vscode/kilo-ui;
  fixes path traversal, fs.deny bypass, WebSocket read:
  GHSA-4w7w-66w2-5vf9, GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583)
- electron: 40.4.1 → 40.8.5 in desktop-electron (fixes context
  isolation bypass, use-after-free, command injection)
jeanduplessis force-pushed the security/pr6-vite-electron-dev branch from f0960a9 to de8d2b1 on April 7, 2026 10:05
@jeanduplessis jeanduplessis merged commit 3ef72c6 into main Apr 7, 2026
13 checks passed
@jeanduplessis jeanduplessis deleted the security/pr6-vite-electron-dev branch April 7, 2026 11:00
jliounis pushed a commit to jliounis/kilocode that referenced this pull request May 18, 2026
