Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

chore(deps): update dependency vite to v5 [security] #9708

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
renovate wants to merge 1 commit into main
base: main
Choose a base branch
Loading
from renovate/npm-vite-vulnerability

Conversation

Copy link
Contributor

@renovate renovate bot commented Sep 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
vite (source) ^4.5.14 -> ^5.4.20 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-58752

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm create vite@latest
cd vite-project/
echo "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})' > [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response, because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

CVE-2025-58751

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware disables this functionality since public pages are meant to be available always, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).

PoC

Execute the following shell commands:

npm create vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo 'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response, because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

Related links

Release Notes

vitejs/vite (vite)

v5.4.20

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.19

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.18

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.16

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.15

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.14

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.13

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.12

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Compare Source

Vite 6 is out!

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES
  • drop node 21 support in version ranges (#​18729)
  • deps: update dependency dotenv-expand to v12 (#​18697)
  • resolve: allow removing conditions (#​18395)
  • html: support more asset sources (#​11138)
  • remove fs.cachedChecks option (#​18493)
  • proxy bypass with WebSocket (#​18070)
  • css: remove default import in ssr dev (#​17922)
  • lib: use package name for css output file name (#​18488)
  • update to chokidar v4 (#​18453)
  • support file:// resolution (#​18422)
  • deps: update postcss-load-config to v6 (#​15235)
  • css: change default sass api to modern/modern-compiler (#​17937)
  • css: load postcss config within workspace root only (#​18440)
  • default build.cssMinify to 'esbuild' for SSR (#​15637)
  • json: add json.stringify: 'auto' and make that the default (#​18303)
  • bump minimal terser version to 5.16.0 (#​18209)
  • deps: migrate fast-glob to tinyglobby (#​18243)
Features
Bug Fixes
Performance Improvements
Documentation
Reverts
Miscellaneous Chores

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Sep 27, 2025
Copy link

changeset-bot bot commented Sep 27, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 9bb0864

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Copy link
Contributor

coderabbitai bot commented Sep 27, 2025
edited
Loading

Walkthrough

DevDependency vite was updated from ^4.5.14 to ^5.4.20 in two Vue example package.json files; no other dependencies, scripts, source code, or exported/public declarations were modified.

Changes

Cohort / File(s) Summary of Changes
Vue examples: Vite bump
examples/vue/2.6-basic/package.json, examples/vue/2.7-basic/package.json		 Updated devDependency vite from ^4.5.14 to ^5.4.20; no other edits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

I nibble keys beneath the light,
Two Vue burrows shine so bright,
Vite hopped up to a newer day,
Builds twitch whiskers, then away! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description Check ⚠️ Warning The PR description does not follow the repository’s required template because it omits the "## 🎯 Changes," "## ✅ Checklist," and "## 🚀 Release Impact" sections, instead providing raw vulnerability details and extensive release notes without the structured summary, contributor confirmations, and release impact guidance. Please restructure the PR description to match the template by adding the "## 🎯 Changes" section summarizing the update and motivation, the "## ✅ Checklist" with contribution and testing confirmations, and the "## 🚀 Release Impact" indicating whether a changeset is required or if the change is dev‐only.
✅ Passed checks (2 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly describes the primary change—a dependency update of Vite to version 5—and includes the security context, clearly reflecting the main purpose of the PR without extraneous detail.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/npm-vite-vulnerability
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 33e4b66 and 9bb0864.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

Comment @coderabbitai help to get the list of available commands and usage tips.

Copy link

nx-cloud bot commented Sep 27, 2025
edited
Loading

View your CI Pipeline Execution ↗ for commit 9bb0864

Command Status Duration Result
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 35s View ↗
nx run-many --target=build --exclude=examples/*... ✅ Succeeded 2s View ↗

☁️ Nx Cloud last updated this comment at 2025年10月16日 16:15:48 UTC

Copy link

pkg-pr-new bot commented Sep 27, 2025
edited
Loading

More templates
@tanstack/angular-query-experimental
npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9708
@tanstack/eslint-plugin-query
npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9708
@tanstack/query-async-storage-persister
npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9708
@tanstack/query-broadcast-client-experimental
npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9708
@tanstack/query-core
npm i https://pkg.pr.new/@tanstack/query-core@9708
@tanstack/query-devtools
npm i https://pkg.pr.new/@tanstack/query-devtools@9708
@tanstack/query-persist-client-core
npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9708
@tanstack/query-sync-storage-persister
npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9708
@tanstack/react-query
npm i https://pkg.pr.new/@tanstack/react-query@9708
@tanstack/react-query-devtools
npm i https://pkg.pr.new/@tanstack/react-query-devtools@9708
@tanstack/react-query-next-experimental
npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9708
@tanstack/react-query-persist-client
npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9708
@tanstack/solid-query
npm i https://pkg.pr.new/@tanstack/solid-query@9708
@tanstack/solid-query-devtools
npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9708
@tanstack/solid-query-persist-client
npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9708
@tanstack/svelte-query
npm i https://pkg.pr.new/@tanstack/svelte-query@9708
@tanstack/svelte-query-devtools
npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9708
@tanstack/svelte-query-persist-client
npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9708
@tanstack/vue-query
npm i https://pkg.pr.new/@tanstack/vue-query@9708
@tanstack/vue-query-devtools
npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9708

commit: 9bb0864

Copy link
Contributor

github-actions bot commented Sep 27, 2025
edited
Loading

Sizes for commit 9bb0864:

Branch Bundle Size
Main
This PR

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5c81be8 to c15730d Compare September 27, 2025 23:57
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Sep 27, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from c15730d to 42e2d9c Compare September 28, 2025 00:00
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Sep 28, 2025
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dcc7bd9 and 42e2d9c.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)

Comment on lines 17 to 19
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Upgrade blocked by Vue 2.6 plugin compatibility

Line 17 moves this example to Vite ^5.4.20 while retaining vite-plugin-vue2@2.0.3, but that plugin’s peer constraint is vite ^2 || ^3, so installation will fail and the tooling won’t run.(npmpeer.dev) Compounding that, the package is in maintenance mode and only supports Vue 2.6 or earlier with no Vite 5-ready release, so we either keep this example on Vite 4 or migrate it to Vue 2.7 plus @vitejs/plugin-vue2 before bumping Vite.(npm.io)

🤖 Prompt for AI Agents 
In examples/vue/2.6-basic/package.json around lines 17-19, Vite was bumped to
^5.4.20 but the project still depends on vite-plugin-vue2@2.0.3 which only
supports vite ^2 || ^3 and is not Vite 5 compatible; fix by either (A) pinning
Vite to a Vite-4-compatible version (e.g., ^4.x) so the existing
vite-plugin-vue2 remains valid, or (B) migrate the example to Vue 2.7 and
replace vite-plugin-vue2 with a Vite-5-compatible plugin (e.g.,
@vitejs/plugin-vue2), update package.json and any plugin-related config/code,
then run npm install and smoke-test the dev/build to ensure tooling works.

Comment on lines +17 to 18
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Vite 5 breaks the current Vue 2 build

Line 17 upgrades Vite to ^5.4.20, but the example still depends on vite-plugin-vue2@2.0.3, whose peer dependency caps Vite at ^3.x; npm install/pnpm install will dead-stop with an ERESOLVE failure and the dev server won’t start.(npmpeer.dev) To land Vite 5 you need to swap over to the maintained @vitejs/plugin-vue2 (and update the config imports), because its peer range now covers Vite ^5 alongside Vue 2.7.(github.com)

- "vite": "^5.4.20",
- "vite-plugin-vue2": "2.0.3"
+ "vite": "^5.4.20",
+ "@vitejs/plugin-vue2": "^2.3.3"
📝 Committable suggestion

!!️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
"vite": "^5.4.20",
"@vitejs/plugin-vue2": "^2.3.3"
🤖 Prompt for AI Agents 
In examples/vue/2.7-basic/package.json around lines 17-18, the project declares
"vite": "^5.4.20" but still depends on "vite-plugin-vue2": "2.0.3", which has a
peer range limited to Vite ^3 and causes ERESOLVE; replace "vite-plugin-vue2"
with the maintained "@vitejs/plugin-vue2" (use a current compatible version) in
package.json, run install to update lockfile, and then update any Vite
config/imports (e.g., vite.config.js or vite.config.ts) to import and use the
plugin from "@vitejs/plugin-vue2" instead of "vite-plugin-vue2" so the example
works with Vite 5.

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 42e2d9c to 8d1bd64 Compare September 28, 2025 00:44
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Sep 28, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 8d1bd64 to d00a37c Compare September 28, 2025 04:25
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Sep 28, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from d00a37c to f89407a Compare September 29, 2025 04:34
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from f89407a to b66ddd4 Compare September 29, 2025 09:51
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from b66ddd4 to ed605e7 Compare September 29, 2025 15:13
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ed605e7 to 78144d3 Compare September 29, 2025 17:43
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 78144d3 to ec9eec7 Compare September 30, 2025 04:06
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Sep 30, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ec9eec7 to 01758f7 Compare September 30, 2025 05:07
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Sep 30, 2025
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
examples/vue/2.6-basic/package.json (1)

18-20: Blocker: vite-plugin-vue2 is incompatible with Vite 5+ here; install/build will break

This example bumps Vite to ^5.4.20 but keeps vite-plugin-vue2@2.0.3 (for Vue 2.6). That plugin’s peer range targets older Vite, so the toolchain won’t resolve or run. Either revert Vite here or migrate the example to Vue 2.7 + @vitejs/plugin-vue2 before taking Vite ≥5.

Minimal safe fix (Option A: keep Vue 2.6):

 "devDependencies": {
 "typescript": "5.8.3",
- "vite": "^5.4.20",
+ "vite": "^4.5.14",
 "vite-plugin-vue2": "2.0.3"
 }

Preferred fix (Option B: upgrade path):

  • Move to Vue 2.7.x and align vue-template-compiler to the same 2.7.x.
  • Drop @vue/composition-api (built into 2.7).
  • Replace vite-plugin-vue2 with @vitejs/plugin-vue2 and then bump Vite to the target version (see next comment).
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec9eec7 and 01758f7.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 01758f7 to ac77791 Compare September 30, 2025 05:32
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 9, 2025
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 9, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from b5ae54c to dc527af Compare October 10, 2025 21:06
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 10, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from dc527af to ea1ef5e Compare October 11, 2025 01:11
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 11, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ea1ef5e to 4515456 Compare October 13, 2025 12:32
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 13, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 4515456 to 084ee1b Compare October 13, 2025 18:41
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 13, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 084ee1b to a6b7992 Compare October 13, 2025 18:52
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 13, 2025
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 084ee1b and a6b7992.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.6-basic/package.json

Comment on lines 17 to 19
"vite": "^7.1.9",
"vite-plugin-vue2": "2.0.3"
}
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Blocker: vite-plugin-vue2@2.0.3 is incompatible with Vite 7

vite-plugin-vue2@2.0.3 peers only with vite ^2 || ^3, so upgrading Vite to ^7.1.9 will make installs fail (ERESOLVE) and the Vue 2 example cannot run. Swap to the maintained @vitejs/plugin-vue2 (current v2.4.x range) whose peer dependency covers Vite 5–7, and update the Vite config to import/use it. Without that, the security bump can’t ship.

🤖 Prompt for AI Agents 
In examples/vue/2.7-basic/package.json around lines 17 to 19, the project
currently lists "vite-plugin-vue2": "2.0.3" which is incompatible with Vite ^7;
replace that dependency with the maintained "@vitejs/plugin-vue2" at a
2.4.x-compatible range (e.g. "^2.4.0") and remove "vite-plugin-vue2"; then
update the Vite config file to import from "@vitejs/plugin-vue2" and register
the plugin in the plugins array (replace the old plugin import/use pattern with
the @vitejs/plugin-vue2 import and call).

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from a6b7992 to a8f397b Compare October 13, 2025 20:27
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 13, 2025
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6b7992 and a8f397b.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

Comment on lines +18 to 19
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Vite 5 conflicts with vite-plugin-vue2@2.0.3

vite-plugin-vue2@2.0.3 declares a peer range of vite ^2 || ^3, so bumping vite to ^5.4.20 causes npm install (and CI) to fail with an unmet peer dependency. Either keep this example on a Vite 4-compatible version, or migrate to Vue 2.7 + @vitejs/plugin-vue2 before jumping to Vite 7.1.9 as per the PR objective.

Run this to confirm the peer constraint:

🏁 Script executed:

#!/bin/bash
npm view vite-plugin-vue2@2.0.3 peerDependencies

Length of output: 77

vite-plugin-vue2@2.0.3 incompatible with Vite 5 in examples/vue/2.6-basic
vite-plugin-vue2@2.0.3 peer-depends on Vite ^2.0.0 || ^3.0.0 || ^4.0.0, so upgrading to "vite": "^5.4.20" breaks installs. Either pin Vite to ^4.x for this example or migrate to Vue 2.7 + @vitejs/plugin-vue2 before bumping to Vite 7.1.9.

🤖 Prompt for AI Agents 
In examples/vue/2.6-basic/package.json around lines 18-19, the current change
updates "vite" to "^5.4.20" while keeping "vite-plugin-vue2": "2.0.3", but that
plugin peer-depends on Vite ^2/3/4 so installs will break; fix by either pinning
Vite back to a compatible ^4.x for this Vue 2.6 example (set vite to a ^4.0.x
range) OR migrate the example to Vue 2.7 and replace vite-plugin-vue2 with
@vitejs/plugin-vue2 and update related deps before bumping Vite to newer major
versions; update package.json accordingly and verify install/build.

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from a8f397b to 69d79cf Compare October 15, 2025 08:33
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 69d79cf to 05fedb2 Compare October 15, 2025 12:41
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 05fedb2 to 54288d7 Compare October 16, 2025 08:28
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 54288d7 to 5ed0b20 Compare October 16, 2025 10:49
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5ed0b20 to 33e4b66 Compare October 16, 2025 11:09
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v5 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v7 [security] (追記ここまで) Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 33e4b66 to 9bb0864 Compare October 16, 2025 16:13
@renovate renovate bot changed the title (削除) chore(deps): update dependency vite to v7 [security] (削除ここまで) (追記) chore(deps): update dependency vite to v5 [security] (追記ここまで) Oct 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants

AltStyle によって変換されたページ (->オリジナル) /