chore(deps): update dependency vite to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	^5.3.2 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

---

Release Notes

vitejs/vite (vite)

v6.1.2

Compare Source

Please refer to CHANGELOG.md for details.

v6.1.1

Compare Source

• fix: ensure .[cm]?[tj]sx? static assets are JS mime (#​19453) (e7ba55e), closes #​19453
• fix: ignore *.ipv4 address in cert (#​19416) (973283b), closes #​19416
• fix(css): run rewrite plugin if postcss plugin exists (#​19371) (bcdb51a), closes #​19371
• fix(deps): bump tsconfck (#​19375) (746a583), closes #​19375
• fix(deps): update all non-major dependencies (#​19392) (60456a5), closes #​19392
• fix(deps): update all non-major dependencies (#​19440) (ccac73d), closes #​19440
• fix(html): ignore malformed src attrs (#​19397) (aff7812), closes #​19397
• fix(worker): fix web worker type detection (#​19462) (edc65ea), closes #​19462
• refactor: remove custom .jxl mime (#​19457) (0c85464), closes #​19457
• feat: add support for injecting debug IDs (#​18763) (0ff556a), closes #​18763
• chore: update 6.1.0 changelog (#​19363) (fa7c211), closes #​19363

v6.1.0

Compare Source

Features

• feat: show hosts in cert in CLI (#​19317) (a5e306f), closes #​19317
• feat: support for env var for defining allowed hosts (#​19325) (4d88f6c), closes #​19325
• feat: use native runtime to import the config (#​19178) (7c2a794), closes #​19178
• feat: print port in the logged error message after failed WS connection with EADDRINUSE (#​19212) (14027b0), closes #​19212
• perf(css): only run postcss when needed (#​19061) (30194fa), closes #​19061
• feat: add support for .jxl (#​18855) (57b397c), closes #​18855
• feat: add the builtins environment resolve (#​18584) (2c2d521), closes #​18584
• feat: call Logger for plugin logs in build (#​13757) (bf3e410), closes #​13757
• feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#​19259) (dc8946b), closes #​19259
• feat: expose createServerModuleRunnerTransport (#​18730) (8c24ee4), closes #​18730
• feat: support async for proxy.bypass (#​18940) (a6b9587), closes #​18940
• feat: support log related functions in dev (#​18922) (3766004), closes #​18922
• feat: use module runner to import the config (#​18637) (b7e0e42), closes #​18637
• feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#​19072) (caad985), closes #​19072
• feat(optimizer): support bun text lockfile (#​18403) (05b005f), closes #​18403
• feat(reporter): add wasm to the compressible assets regex (#​19085) (ce84142), closes #​19085
• feat(worker): support dynamic worker option fields (#​19010) (d0c3523), closes #​19010

Fixes

• fix: avoid builtStart during vite optimize (#​19356) (fdb36e0), closes #​19356
• fix(build): fix stale build manifest on watch rebuild (#​19361) (fcd5785), closes #​19361
• fix: allow expanding env vars in reverse order (#​19352) (3f5f2bd), closes #​19352
• fix: avoid packageJson without name in resolveLibCssFilename (#​19324) (f183bdf), closes #​19324
• fix(html): fix css disorder when building multiple entry html (#​19143) (e7b4ba3), closes #​19143
• fix: don't call buildStart hooks for vite optimize (#​19347) (19ffad0), closes #​19347
• fix: don't call next middleware if user sent response in proxy.bypass (#​19318) (7e6364d), closes #​19318
• fix: respect top-level server.preTransformRequests (#​19272) (12aaa58), closes #​19272
• fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#​19313) (9fc31b6), closes #​19313
• fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #​19268) (#​19269) (602b373), closes #​19268 #​19269
• fix(deps): update all non-major dependencies (#​19296) (2bea7ce), closes #​19296
• fix(resolve): preserve hash/search of file url (#​19300) (d1e1b24), closes #​19300
• fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#​19312) (b7aba0b), closes #​19312
• fix(ssr): fix transform error due to export all id scope (#​19331) (e28bce2), closes #​19331
• fix(ssr): pretty print plugin error in ssrLoadModule (#​19290) (353c467), closes #​19290
• fix: change ResolvedConfig type to interface to allow extending it (#​19210) (bc851e3), closes #​19210
• fix: correctly resolve hmr dep ids and fallback to url (#​18840) (b84498b), closes #​18840
• fix: make --force work for all environments (#​18901) (51a42c6), closes #​18901
• fix: use loc.file from rollup errors if available (#​19222) (ce3fe23), closes #​19222
• fix(deps): update all non-major dependencies (#​19190) (f2c07db), closes #​19190
• fix(hmr): register inlined assets as a dependency of CSS file (#​18979) (eb22a74), closes #​18979
• fix(resolve): support resolving TS files by JS extension specifiers in JS files (#​18889) (612332b), closes #​18889
• fix(ssr): combine empty source mappings (#​19226) (ba03da2), closes #​19226
• fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #​19245, fix #​1 (56ad2be), closes #​19245 #​18875 #​19247

Chore

• refactor: deprecate vite optimize command (#​19348) (6e0e3c0), closes #​19348
• chore: update deprecate links domain (#​19353) (2b2299c), closes #​19353
• docs: rephrase browser range and features relation (#​19286) (97569ef), closes #​19286
• docs: update build.manifest jsdocs (#​19332) (4583781), closes #​19332
• chore: remove outdated code comment about scanImports not being used in ssr (#​19285) (fbbc6da), closes #​19285
• chore: unneeded name in lockfileFormats (#​19275) (96092cb), closes #​19275
• chore(deps): update dependency strip-literal to v3 (#​19231) (1172d65), closes #​19231

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

v6.0.15

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.14

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.13

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.12

Compare Source

Please refer to CHANGELOG.md for details.

v6.0.11

Compare Source

• fix: preview.allowedHosts with specific values was not respected (#​19246) (aeb3ec8), closes #​19246
• fix: allow CORS from loopback addresses by default (#​19249) (3d03899), closes #​19249

v6.0.10

Compare Source

• fix: try parse server.origin URL (#​19241) (2495022), closes #​19241

v6.0.9

Compare Source

• fix!: check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
• fix!: default server.cors: false to disallow fetching from untrusted origins (b09572a)
• fix: verify token for HMR WebSocket connection (029dcd6)

v6.0.8

Compare Source

• fix: avoid SSR HMR for HTML files (#​19193) (3bd55bc), closes #​19193
• fix: build time display 7m 60s (#​19108) (cf0d2c8), closes #​19108
• fix: don't resolve URL starting with double slash (#​19059) (35942cd), closes #​19059
• fix: ensure server.close() only called once (#​19204) (db81c2d), closes #​19204
• fix: resolve.conditions in ResolvedConfig was defaultServerConditions (#​19174) (ad75c56), closes #​19174
• fix: tree shake stringified JSON imports (#​19189) (f2aed62), closes #​19189
• fix: use shared sigterm callback (#​19203) (47039f4), closes #​19203
• fix(deps): update all non-major dependencies (#​19098) (8639538), closes #​19098
• fix(optimizer): use correct default install state path for yarn PnP (#​19119) (e690d8b), closes #​19119
• fix(types): improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (ea53e70), closes #​19146
• chore(deps): update dependency pathe to v2 (#​19139) (71506f0), closes #​19139

v6.0.7

Compare Source

• fix: fix minify when builder.sharedPlugins: true (#​19025) (f7b1964), closes #​19025
• fix: skip the plugin if it has been called before with the same id and importer (#​19016) (b178c90), closes #​19016
• fix(html): error while removing vite-ignore attribute for inline script (#​19062) (a492253), closes #​19062
• fix(ssr): fix semicolon injection by ssr transform (#​19097) (1c102d5), closes #​19097
• perf: skip globbing for static path in warmup (#​19107) (677508b), closes #​19107
• feat(css): show lightningcss warnings (#​19076) (b07c036), closes #​19076

v6.0.6

Compare Source

• fix: replace runner-side path normalization with fetchModule-side resolve (#​18361) (9f10261), closes #​18361
• fix(css): resolve style tags in HTML files correctly for lightningcss (#​19001) (afff05c), closes #​19001
• fix(css): show correct error when unknown placeholder is used for CSS modules pattern in lightningcs (9290d85), closes #​19070
• fix(resolve): handle package.json with UTF-8 BOM (#​19000) (902567a), closes #​19000
• fix(ssrTransform): preserve line offset when transforming imports (#​19004) (1aa434e), closes #​19004
• chore: fix typo in comment (#​19067) (eb06ec3), closes #​19067
• chore: update comment about build.target (#​19047) (0e9e81f), closes #​19047
• revert: unpin esbuild version (#​19043) (8bfe247), closes #​19043
• test(ssr): test virtual module with query (#​19044) (a1f4b46), closes #​19044

v6.0.5

Compare Source

• fix: esbuild regression (pin to 0.24.0) (#​19027) (4359e0d), closes #​19027

v6.0.4

Compare Source

• fix: this.resolve skipSelf should not skip for different id or import (#​18903) (4727320), closes #​18903
• fix: fallback terser to main thread when function options are used (#​18987) (12b612d), closes #​18987
• fix: merge client and ssr values for pluginContainer.getModuleInfo (#​18895) (258cdd6), closes #​18895
• fix(css): escape double quotes in url() when lightningcss is used (#​18997) (3734f80), closes #​18997
• fix(css): root relative import in sass modern API on Windows (#​18945) (c4b532c), closes #​18945
• fix(css): skip non css in custom sass importer (#​18970) (21680bd), closes #​18970
• fix(deps): update all non-major dependencies (#​18967) (d88d000), closes #​18967
• fix(deps): update all non-major dependencies (#​18996) (2b4f115), closes #​18996
• fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#​18899) (8a6bb4e), closes #​18899
• fix(ssr): recreate ssrCompatModuleRunner on restart (#​18973) (7d6dd5d), closes #​18973
• chore: better validation error message for dts build (#​18948) (63b82f1), closes #​18948
• chore(deps): update all non-major dependencies (#​18916) (ef7a6a3), closes #​18916
• chore(deps): update dependency @​rollup/plugin-node-resolve to v16 (#​18968) (62fad6d), closes #​18968
• refactor: make internal invoke event to use the same interface with handleInvoke (#​18902) (27f691b), closes #​18902
• refactor: simplify manifest plugin code (#​18890) (1bfe21b), closes #​18890
• test: test ModuleRunnerTransport invoke API (#​18865) (e5f5301), closes #​18865
• test: test output hash changes (#​18898) (bfbb130), closes #​18898

v6.0.3

Compare Source

• fix: handle postcss load unhandled rejections (#​18886) (d5fb653), closes #​18886
• fix: make handleInvoke interface compatible with invoke (#​18876) (a1dd396), closes #​18876
• fix: make result interfaces for ModuleRunnerTransport#invoke more explicit (#​18851) (a75fc31), closes #​18851
• fix: merge environments.ssr.resolve with root ssr config (#​18857) (3104331), closes #​18857
• fix: no permission to create vite config file (#​18844) (ff47778), closes #​18844
• fix: remove CSS import in CJS correctly in some cases (#​18885) (690a36f), closes #​18885
• fix(config): bundle files referenced with imports field (#​18887) (2b5926a), closes #​18887
• fix(config): make stacktrace path correct when sourcemap is enabled (#​18833) (20fdf21), closes #​18833
• fix(css): rewrite url when image-set and url exist at the same time (#​18868) (d59efd8), closes #​18868
• fix(deps): update all non-major dependencies (#​18853) (5c02236), closes #​18853
• fix(html): allow unexpected question mark in tag name (#​18852) (1b54e50), closes #​18852
• fix(module-runner): decode uri for file url passed to import (#​18837) (88e49aa), closes #​18837
• refactor: fix logic errors found by no-unnecessary-condition rule (#​18891) (ea802f8), closes #​18891
• chore: fix duplicate attributes issue number in comment (#​18860) (ffee618), closes #​18860

v6.0.2

Compare Source

• chore: run typecheck in unit tests (#​18858) (49f20bb), closes #​18858
• chore: update broken links in changelog (#​18802) (cb754f8), closes #​18802
• chore: update broken links in changelog (#​18804) (47ec49f), closes #​18804
• fix: don't store temporary vite config file in node_modules if deno (#​18823) (a20267b), closes #​18823
• fix(css): referencing aliased svg asset with lightningcss enabled errored (#​18819) (ae68958), closes #​18819
• fix(manifest): use style.css as a key for the style file for cssCodesplit: false (#​18820) (ec51115), closes #​18820
• fix(optimizer): resolve all promises when cancelled (#​18826) (d6e6194), closes #​18826
• fix(resolve): don't set builtinModules to external by default (#​18821) (2250ffa), closes #​18821
• fix(ssr): set ssr.target: 'webworker' defaults as fallback (#​18827) (b39e696), closes #​18827
• feat(css): format lightningcss error (#​18818) (dac7992), closes #​18818
• refactor: make properties of ResolvedServerOptions and ResolvedPreviewOptions required (#​18796) (51a5569), closes #​18796

v6.0.1

Compare Source

• fix: preview.allowedHosts with specific values was not respected (#​19246) (aeb3ec8), closes #​19246
• fix: allow CORS from loopback addresses by default (#​19249) (3d03899), closes #​19249

v6.0.0

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

Breaking Changes

• feat!: drop node 21 support in version ranges (#​18729) (a384d8f), closes #​18729
• fix(deps)!: update dependency dotenv-expand to v12 (#​18697) (0c658de), closes #​18697
• feat(html)!: support more asset sources (#​11138) (8a7af50), closes #​11138
• feat(resolve)!: allow removing conditions (#​18395) (d002e7d), closes #​18395
• refactor!: remove fs.cachedChecks option (#​18493) (94b0857), closes #​18493
• feat!: proxy bypass with WebSocket (#​18070) (3c9836d), closes #​18070
• feat!: support file:// resolution (#​18422) (6a7e313), closes #​18422
• feat!: update to chokidar v4 (#​18453) (192d555), closes #​18453
• feat(lib)!: use package name for css output file name (#​18488) (61cbf6f), closes #​18488
• fix(css)!: remove default import in ssr dev (#​17922) (eccf663), closes #​17922
• chore(deps)!: update postcss-load-config to v6 (#​15235) (3a27f62), closes #​15235
• feat(css)!: change default sass api to modern/modern-compiler (#​17937) (d4e0442), closes #​17937
• feat(css)!: load postcss config within workspace root only (#​18440) (d23a493), closes #​18440
• feat(json)!: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7), closes #​18303
• fix!: default build.cssMinify to 'esbuild' for SSR (#​15637) (f1d3bf7), closes #​15637
• chore(deps)!: migrate fast-glob to tinyglobby (#​18243) (6f74a3a), closes #​18243
• refactor!: bump minimal terser version to 5.16.0 (#​18209) (19ce525), closes #​18209
• feat!: Environment API (#​16471) (242f550), closes #​16471

Features

• feat: add support for .cur type (#​18680) (5ec9eed), closes #​18680
• feat: enable HMR by default on ModuleRunner side (#​18749) (4d2abc7), closes #​18749
• feat: support module-sync condition when loading config if enabled (#​18650) (cf5028d), closes #​18650
• feat: add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0), closes #​18620
• feat: add ssr.resolve.mainFields option (#​18646) (a6f5f5b), closes #​18646
• feat: expose default mainFields/conditions (#​18648) (c12c653), closes #​18648
• feat: extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd), closes #​18544
• feat: show error when accessing variables not exposed in CJS build (#​18649) (87c5502), closes #​18649
• feat(optimizer): allow users to specify their esbuild platform option (#​18611) (0924879), closes #​18611
• refactor: introduce mergeWithDefaults and organize how default values for config op

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
template-astro-clean	❌ Failed (Inspect)			Mar 25, 2025 3:32pm

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected], 6.1.0 ➜ 6.2.3	None	+67	317 MB	vitebot

🚮 Removed packages: npm/@astrojs/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
License Policy Violation	npm/[email protected]	License: unrecognized license (package/LICENSE.md)	astro-app/package.json package-lock.json	⚠︎
License Policy Violation	npm/[email protected]	License: unrecognized license (package/LICENSE.md)	astro-app/package.json package-lock.json	⚠︎

View full report↗︎

Next steps

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]
• @SocketSecurity ignore npm/[email protected]