Bump vite from 6.1.6 to 6.4.1 #19
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.1.6 to 6.4.1.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/[email protected]/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.4.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
Needs Review

Unable to perform impact analysis for vite. No dependency changes detected.

Dependency Usage

Vite serves as the core build tool and development server for this SpiceDB Playground application, a React-based interactive schema editor for permission systems. The package is configured in the build system (vite.config.ts) with React and SVG component support, and is invoked through npm scripts for both local development with hot module replacement and optimized production builds. Vite's TypeScript client types are also referenced throughout the application to enable environment variable type safety and modern module features essential for the playground's real-time editing and validation capabilities.

Other Usages (1)

These usages were analyzed but no breaking changes were detected: vite

Changes

No significant changes were found in the dependency updates.

fossabot analyzed this PR using static analysis.
@fossa-robszumski analyze

@fossa-robszumski analyze

@fossabot analyze
✓ Safe to upgrade

I recommend merging this upgrade because it resolves three critical security vulnerabilities (including CVE-2025-30208, a high-severity arbitrary file read vulnerability in the development server) and adds two new features plus two bug fixes. The codebase uses a minimal Vite configuration with standard patterns that are fully compatible with the new version. The configuration uses the stable defineConfig API, standard plugin imports, and environment variable access patterns that remain unchanged. While the security alerts mention malicious packages like vite-plugin-react-extend and vite-plugin-vue-extend, these are typosquatting attempts of different packages and are not present in this project's dependencies.

What we checked

Dependency Usage

Vite serves as the foundational build tool and development server for this React-based playground application, configured in vite.config.ts to bundle the application with React and SVG support, with npm scripts using it for both local development (with HTTPS enabled) and production builds. The dependency is referenced across build configuration (vite.config.ts), TypeScript type definitions (vite-env.d.ts for environment variables, tsconfig.json for plugin types), and package.json scripts, establishing it as the core infrastructure that enables the entire development workflow and production deployment pipeline for this SpiceDB authorization playground.

This code is configuring a Vite project to use React, React Fast Refresh, and SVGR (SVG as React components) as build plugins.

Other Usages (1)

These usages were analyzed but no breaking changes were detected: vite

Changes

Vite receives stability improvements including a fix for incorrect bundle size calculation with non-ASCII characters and stabilized CSS module hashes with lightningcss in dev mode. The update adds new import type warnings for
References (8)

[1]: Vite dependency upgraded from ^6.1.6 to ^6.4.1, resolving CVE-2025-30208 (arbitrary file read vulnerability). Line 85 in 39c10fe
[2]: Uses standard defineConfig API which remains stable across Vite 6.x versions. Line 1 in 39c10fe
[3]: Plugin configuration uses stable API with @vitejs/plugin-react and vite-plugin-svgr; no breaking changes. Line 7 in 39c10fe
[4]: Type definitions reference 'vite/client' which remains compatible in Vite 6.4.1. Line 1 in 39c10fe
[5]: Environment variable access via import.meta.env uses stable API with no changes required.
[6]: Uses legitimate @vitejs/plugin-react (not the malicious vite-plugin-react-extend typosquat). Line 74 in 39c10fe
[7]: Uses legitimate vite-plugin-svgr (no malicious packages detected in dependencies). Line 86 in 39c10fe
[8]: TypeScript types configuration for vite-plugin-svgr/client remains compatible. Line 7 in 39c10fe
fossabot analyzed this PR using static analysis and dependency research.

@fossa-robszumski analyze
✓ Safe to upgrade

I recommend merging this upgrade because it patches three critical security vulnerabilities (CVE-2025-30208, CVE-2025-31486, and CVE-2024-45811) that affect arbitrary file read access in Vite development servers. The upgrade from version 6.1.6 to 6.4.1 includes security fixes and improvements with no breaking changes detected in the codebase. The project does not use any of the malicious packages mentioned in the security alerts (vite-plugin-react-extend, vite-plugin-vue-extend, vite-plugin-bomb), and the vite configuration is minimal with no custom file system access restrictions that would be affected by the security patches.

What we checked

Dependency Usage

Vite serves as the core build system and development server for this React-based SpiceDB playground application, handling the entire development workflow through dev and build scripts while supporting SVG-as-components and TypeScript compilation. The tooling enables rapid local development with HTTPS support and production builds optimized for Vercel deployment, with environment variable injection for configuring external endpoints like the AuthZed Developer Gateway and analytics services. Vite's configuration integrates with the broader CI/CD pipeline including Docker containerization and is essential for the application's modern frontend architecture that includes Monaco editor, GraphQL clients, and data grid components.

Less Important Usages (1)

These usages were analyzed but no breaking changes were detected: vite

Changes

Vite updated with two key fixes: corrected bundle size calculation for non-ASCII characters and improved JSON module type handling with new
References (5)

[1]: Vite upgraded to ^6.4.1 which patches CVE-2025-30208 (arbitrary file read via @fs path traversal), CVE-2025-31486 (path access restriction bypass), and CVE-2024-45811 (server bypass vulnerability). Line 85 in 39c10fe
[2]: Vite 6.4.1 successfully resolved and installed from npm registry with integrity hash verified. Line 5866 in 39c10fe
[3]: Minimal Vite configuration with no custom server.fs settings or @fs path usage that would be impacted by the security patches. Line 6 in 39c10fe
[4]: Project uses legitimate vite-plugin-svgr (^4.3.0), not any of the malicious packages (vite-plugin-react-extend, vite-plugin-vue-extend, vite-plugin-bomb) mentioned in security alerts. Line 86 in 39c10fe
[5]: Project uses official @vitejs/plugin-react (^4.3.4), not the typosquatted vite-plugin-react-extend. Line 74 in 39c10fe
fossabot analyzed this PR using static analysis and dependency research.

@fossa-robszumski analyze
✓ Safe to upgrade

I recommend merging this upgrade because it patches critical security vulnerabilities including CVE-2025-30208 (arbitrary file read) while maintaining backward compatibility with the existing configuration. The project uses a simple Vite setup with standard React and SVG plugins, and the upgrade from version 6.1.6 to 6.4.1 includes important bug fixes and security patches without introducing breaking changes that affect this codebase. The development server is already configured with HTTPS, and the malicious packages mentioned in the security context are unrelated typosquatting packages that are not used in this project.

What we checked

Dependency Usage

Vite serves as the build tool and development server foundation for this SpiceDB Playground application, a React-based interactive schema editor and testing environment. The dependency is configured with React and SVG component support in the build configuration, and powers both the development workflow with HTTPS support and the production build pipeline that outputs to Vercel-compatible directories. Beyond direct imports, Vite is deeply integrated into the project's npm scripts for development, building, and the overall TypeScript compilation workflow that enables the application's core functionality of running SpiceDB and zed entirely in-browser via WebAssembly.

Less Important Usages (1)

These usages were analyzed but no breaking changes were detected: vite

Changes

Vite has been upgraded, fixing incorrect bundle size calculations with non-ASCII characters in the reporter and improving sourcemap handling for multi-source files. The update adds support for
References (5)

[1]: Vite upgraded from 6.1.6 to 6.4.1 in devDependencies, patching critical security vulnerabilities. Line 85 in 39c10fe
[2]: Standard Vite configuration using defineConfig; no deprecated APIs or breaking change patterns detected. Line 1 in 39c10fe
[3]: Simple plugin configuration with @vitejs/plugin-react and vite-plugin-svgr; both compatible with Vite 6.4.1. Line 7 in 39c10fe
[4]: Development script uses HTTPS mode which provides additional security for the dev server. Line 90 in 39c10fe
[5]: Vite 6 migration guide confirms breaking changes (resolve.conditions, CSS library output) do not affect this project's configuration.

fossabot analyzed this PR using static analysis and dependency research.
Bumps vite from 6.1.6 to 6.4.1.

Release notes

Sourced from vite's releases.

... (truncated)
Commits
- a7349ef release: v6.3.1
- a152b7c fix: backward compat for internal plugin `transform` calls (#19878)
- 35c7f35 fix: avoid using `Promise.allSettled` in preload function (#19805)
- 5fdcfe7 release: v6.3.0
- d4ee5e8 fix(hmr): avoid infinite loop happening with `hot.invalidate` in circular dep...
- 5003434 fix(preview): use host url to open browser (#19836)
- bf9728e release: v6.3.0-beta.2
- 380c10e fix(hmr): run HMR handler sequentially (#19793)
- 8bed1de fix: addWatchFile doesn't work if base is specified (fixes #19792) (#19794)
- 0a0c50a refactor: simplify pluginFilter implementation (#19828)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.