2 changes: 1 addition & 1 deletion examples/vue/2.6-basic/package.json
Expand Up @@ -15,7 +15,7 @@
},
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
}
}
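Review bot: this bump from `^4.5.14` to `^5.4.21` is a Vite major upgrade in an example that still pins `"vite-plugin-vue2": "2.0.3"` and targets Vue 2.6, so unlike the 2.7 example it cannot simply switch to `@vitejs/plugin-vue2` (that plugin is for Vue 2.7+). The jump is still warranted, since no 4.x release carries the CVE-2025-62522 fix (patched lines are 5.4.21, 6.4.1, 7.0.8 and 7.1.11), but please confirm the 2.6 example still builds and serves under Vite 5 with the unchanged plugin before merging.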
2 changes: 1 addition & 1 deletion examples/vue/2.7-basic/package.json
Expand Up @@ -14,7 +14,7 @@
},
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
}
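Review bot: only package.json changes here, with no lockfile in the diff. If this example directory has its own lockfile, `^5.4.21` raises the declared floor but the installed Vite stays at whatever that lockfile resolved until it is regenerated, so the fixes the PR is after (5.4.21 covers CVE-2025-62522, 5.4.20 the CVE-2025-58751/58752 pair) only take effect after a fresh install. Please regenerate and commit the lockfile alongside this change, or confirm the example installs from the root workspace lockfile.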
Comment on lines 15 to 19
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-31486 CVE-2025-32395 CVE-2025-46565 Vite vulnerability fix versions

💡 Result:

  • CVE-2025-31486 — fixed in Vite 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5. [1]

  • CVE-2025-32395 — fixed in Vite 4.5.13, 5.4.18, 6.0.15, 6.1.5, and 6.2.6. [2]

  • CVE-2025-46565 — fixed in Vite 4.5.14, 5.4.19, 6.1.6, 6.2.7, and 6.3.4. [3]

Sources: [1] NVD/GitHub advisory for CVE-2025-31486. [2] Vite/GitHub advisory summaries for CVE-2025-32395. [3] CVE details/GitHub advisory for CVE-2025-46565.


🌐 Web query:

vite-plugin-vue2 compatibility Vite 5 6 7

💡 Result:

Short answer: don't use the old community "vite-plugin-vue2" for Vite 5/6/7 — use the official @vitejs/plugin-vue2 (for Vue 2.7+) which is the supported plugin for Vite's modern releases. [1][2][3][4]

Notes:

  • vite-plugin-vue2 has been deprecated/put into maintenance and only supports older Vue 2.6-era setups. [1][4]
  • @vitejs/plugin-vue2 is the official plugin for Vue 2.7+ and is the one referenced in Vite docs; JSX/TSX for Vue 2 is handled by a separate plugin. Use @vitejs/plugin-vue2 with Vite 5/6/7. [2][3]

Sources:

  • vite-plugin-vue2 deprecation/maintenance notice. [1]
  • @vitejs/plugin-vue2 GitHub / npm (official plugin for Vue 2.7+). [2][3]
  • Vite plugins documentation listing @vitejs/plugin-vue2. [4]

🏁 Script executed:

# Check if there are other package.json files or lock files in the repo that might provide context
git ls-files | grep -E "(package\.json|pnpm-lock|yarn\.lock|package-lock)" | head -20

Repository: TanStack/query

Length of output: 939


🌐 Web query:

CVE-2025-58751 CVE-2025-58752 Vite vulnerability fix

💡 Result:

Short answer — what happened and what to do:

  • Two Vite dev-server vulnerabilities (CVE-2025-58751 and CVE-2025-58752) allow the dev/preview server to serve HTML or public files outside the intended root (path traversal / public-file serving bypass) when the dev server is exposed to the network and the public dir / symlink conditions are met. [1][2]

  • Affected versions (examples): 7.1.0–7.1.4, 7.0.0–7.0.6, 6.0.0–6.3.5, and <=5.4.19 (see advisories for full ranges). [1][2]

  • Patched versions: 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Upgrade to one of these or any later release. Example: npm install vite@7.1.5 (or update your package.json and run your package manager). [1][2]

  • Short mitigations until you can upgrade: do NOT expose the Vite dev server to untrusted networks (avoid --host / server.host), remove symlinks in the public directory, and avoid enabling the preview server to untrusted networks. [1][3]

Sources:

  1. GitHub Security Advisory (vite): GHSA-g4jq-h2w9-997c (patch/patched versions).
  2. NVD entries for CVE-2025-58751 and CVE-2025-58752 (details and fixed versions).
  3. Vendor/third‑party writeups summarizing impact and mitigations.

🌐 Web query:

CVE-2025-62522 Vite vulnerability

💡 Result:

Short summary — CVE-2025-62522 (published Oct 20, 2025): a path-handling bug in the Vite dev server on Windows that lets an attacker bypass server.fs.deny by requesting a URL that ends with a backslash, causing denied files (e.g., .env, *.pem) to be served if the dev server is exposed to the network. Affects multiple Vite release ranges (see below). [1][2][3]

Affected versions (per advisories): Vite 2.9.18 → <3.0.0, 3.2.9 → <4.0.0, 4.5.3 → <5.0.0, 5.2.6 → <5.4.21, 6.0.0 → <6.4.1, 7.0.0 → <7.0.8, 7.1.0 → <7.1.11. Published/confirmed Oct 20, 2025. [1][2]

Impact: medium severity (CVSS v4.0 = 6.0). Only exploitable when the Vite dev server is intentionally exposed to the network and running on Windows; it can disclose sensitive files normally blocked by server.fs.deny. [1][3]

Mitigation:

  • Upgrade Vite to a patched release: 5.4.21, 6.4.1, 7.0.8, or 7.1.11 (or later). [1][2]
  • As a workaround, do not expose the dev server to external networks (bind to localhost / block with firewall) and ensure sensitive files aren’t served by the project. [2][3]

References:
[1] GitHub / Vite advisory & fixes (commit/advisory referenced by vendor).
[2] NVD / CVE-2025-62522 summary.
[3] Positive Technologies / dbugs advisory (technical details and recommendations).


🏁 Script executed:

# Check for lockfiles in the vue example directory and parent
cd examples/vue/2.7-basic && ls -la

Repository: TanStack/query

Length of output: 581


🏁 Script executed:

# Also check the current full package.json to see dependencies context
cat examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 505


🏁 Script executed:

# Check if there are comments or PR description in nearby files
git log --oneline -n 20 -- examples/vue/2.7-basic/package.json 2>/dev/null | head -5

Repository: TanStack/query

Length of output: 113


Replace deprecated vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The vite version bump to ^5.4.21 is correct and does address all five CVEs mentioned in the PR (CVE-2025-31486, CVE-2025-32395, CVE-2025-46565, CVE-2025-58751/58752, and CVE-2025-62522—which is specifically fixed in 5.4.21).

However, vite-plugin-vue2@2.0.3 is deprecated and not recommended for modern Vite versions. For Vue 2.7+, use the official @vitejs/plugin-vue2 plugin instead. Update the devDependency accordingly.

🤖 Prompt for AI Agents
In @examples/vue/2.7-basic/package.json around lines 15 - 19, Replace the
deprecated devDependency "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2" in package.json's devDependencies (remove
"vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" at a compatible
version), then run install; also update any imports/usages in your Vite config
(e.g., change import from "vite-plugin-vue2" to "@vitejs/plugin-vue2" and ensure
the plugin is passed to defineConfig/plugins in vite.config.js) so the project
uses the official Vue 2.7+ Vite plugin compatible with Vite ^5.4.21.

}
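The review comment above lists, per CVE, the Vite releases that carry a fix, and the PR's whole effect is to move the `vite` range floor past those releases. The following is an added example (not code from the PR or from the TanStack/query repository) that turns that table into a check a reviewer can run against a package.json: it takes the floor of the declared range and reports which of the six CVEs that floor does not cover. The fix table is copied from the comment; the range handling (caret, tilde, `>=` and exact pins only) and the rule for majors with no listed fix are this example's own assumptions, not semver's full grammar.

```javascript
// Added example: audits a package.json "vite" range against the patched Vite
// releases listed in the review comment above. Not code from the PR or from
// TanStack/query. Fix table copied from the comment; everything else is an
// assumed simplification for illustration.

const PATCHED_VITE = {
  'CVE-2025-31486': ['4.5.12', '5.4.17', '6.0.14', '6.1.4', '6.2.5'],
  'CVE-2025-32395': ['4.5.13', '5.4.18', '6.0.15', '6.1.5', '6.2.6'],
  'CVE-2025-46565': ['4.5.14', '5.4.19', '6.1.6', '6.2.7', '6.3.4'],
  'CVE-2025-58751': ['5.4.20', '6.3.6', '7.0.7', '7.1.5'],
  'CVE-2025-58752': ['5.4.20', '6.3.6', '7.0.7', '7.1.5'],
  'CVE-2025-62522': ['5.4.21', '6.4.1', '7.0.8', '7.1.11'],
};

// Parse "5.4.21" into [5, 4, 21]; pre-release and build metadata are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// The lowest version a range can resolve to. Caret (^x.y.z), tilde (~x.y.z),
// ">=x.y.z" and exact pins all have the stated version as their floor; anything
// else (wildcards, "||", "latest") is rejected rather than silently audited.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`cannot determine a floor for range "${range}"`);
  return parseVersion(m[1]);
}

// A version is patched for one CVE when it is at or above the fix release of its
// own major.minor line, or above the newest fix release of its major (a minor
// line that started after the fix). For a major with no listed fix at all:
// majors newer than every fix are treated as patched (the advisories say "or any
// later release"), majors older than every fix, like 4.x for CVE-2025-62522,
// never received one and are treated as unpatched. (Assumed rule.)
function isPatched(version, patchedList) {
  const parsed = patchedList.map(parseVersion);
  const sameMajor = parsed.filter(p => p[0] === version[0]);
  if (sameMajor.length === 0) {
    return version[0] > Math.max(...parsed.map(p => p[0]));
  }
  const newestMinor = Math.max(...sameMajor.map(p => p[1]));
  return sameMajor.some(p =>
    compareVersions(version, p) >= 0 && (p[1] === version[1] || p[1] === newestMinor));
}

// Return the CVE ids whose fix the range's floor does NOT reach.
function auditViteRange(range) {
  const floor = rangeFloor(range);
  return Object.keys(PATCHED_VITE).filter(cve => !isPatched(floor, PATCHED_VITE[cve]));
}

// Audit a package.json document (as text) and return the unpatched CVEs for "vite".
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const range = (pkg.devDependencies && pkg.devDependencies.vite) ||
                (pkg.dependencies && pkg.dependencies.vite);
  if (!range) throw new Error('package.json declares no vite dependency');
  return auditViteRange(range);
}

// Constructed sample inputs: the devDependencies block from the diff, before and after.
const BEFORE = JSON.stringify({ devDependencies: { typescript: '5.8.3', vite: '^4.5.14', 'vite-plugin-vue2': '2.0.3' } });
const AFTER = JSON.stringify({ devDependencies: { typescript: '5.8.3', vite: '^5.4.21', 'vite-plugin-vue2': '2.0.3' } });

console.log('before:', auditPackageJson(BEFORE)); // ['CVE-2025-58751', 'CVE-2025-58752', 'CVE-2025-62522']
console.log('after: ', auditPackageJson(AFTER));  // []
```

Run with `node audit-vite.js` (any file name). The floor of a caret range is the right thing to audit because a lockfile or an offline cache can legitimately pin the install to exactly that floor; a range that is only patched at its upper end gives no guarantee.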