chore(deps): update dependency vite to v5 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	^4.5.14 → ^5.4.21

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-58752

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response,  because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

CVE-2025-58751

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• uses the public directory feature (enabled by default)
• a symlink exists in the public directory

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware disables this functionality since public pages are meant to be available always, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with  "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo  "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response,  because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

Related links

• lukeed/sirv@f0113f3

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v5.4.21

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.20

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.19

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.18

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.16

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.15

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.14

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.13

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.12

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES

• drop node 21 support in version ranges (#​18729)
• deps: update dependency dotenv-expand to v12 (#​18697)
• resolve: allow removing conditions (#​18395)
• html: support more asset sources (#​11138)
• remove fs.cachedChecks option (#​18493)
• proxy bypass with WebSocket (#​18070)
• css: remove default import in ssr dev (#​17922)
• lib: use package name for css output file name (#​18488)
• update to chokidar v4 (#​18453)
• support file:// resolution (#​18422)
• deps: update postcss-load-config to v6 (#​15235)
• css: change default sass api to modern/modern-compiler (#​17937)
• css: load postcss config within workspace root only (#​18440)
• default build.cssMinify to 'esbuild' for SSR (#​15637)
• json: add json.stringify: 'auto' and make that the default (#​18303)
• bump minimal terser version to 5.16.0 (#​18209)
• deps: migrate fast-glob to tinyglobby (#​18243)

Features

• add support for .cur type (#​18680) (5ec9eed)
• drop node 21 support in version ranges (#​18729) (a384d8f)
• enable HMR by default on ModuleRunner side (#​18749) (4d2abc7)
• support module-sync condition when loading config if enabled (#​18650) (cf5028d)
• add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0)
• add ssr.resolve.mainFields option (#​18646) (a6f5f5b)
• expose default mainFields/conditions (#​18648) (c12c653)
• extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd)
• optimizer: allow users to specify their esbuild platform option (#​18611) (0924879)
• show error when accessing variables not exposed in CJS build (#​18649) (87c5502)
• asset: add ?inline and ?no-inline queries to control inlining (#​15454) (9162172)
• asset: inline svg in dev if within limit (#​18581) (f08b146)
• use a single transport for fetchModule and HMR support (#​18362) (78dc490)
• html: support more asset sources (#​11138) (8a7af50)
• resolve: allow removing conditions (#​18395) (d002e7d)
• html: support vite-ignore attribute to opt-out of processing (#​18494) (d951310)
• lib: use package name for css output file name (#​18488) (61cbf6f)
• log complete config in debug mode (#​18289) (04f6736)
• proxy bypass with WebSocket (#​18070) (3c9836d)
• support file:// resolution (#​18422) (6a7e313)
• update to chokidar v4 (#​18453) (192d555)
• allow custom console in createLogger (#​18379) (0c497d9)
• css: add more stricter typing of lightningcss (#​18460) (b9b925e)
• css: change default sass api to modern/modern-compiler (#​17937) (d4e0442)
• read sec-fetch-dest header to detect JS in transform (#​9981) (e51dc40)
• css: load postcss config within workspace root only (#​18440) (d23a493)
• json: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7)
• add .git to deny list by default (#​18382) (105ca12)
• add environment::listen (#​18263) (4d5f51d)
• enable dependencies discovery and pre-bundling in ssr environments (#​18358) (9b21f69)
• restrict characters useable for environment name (#​18255) (9ab6180)
• support arbitrary module namespace identifier imports from cjs deps (#​18236) (4389a91)
• introduce RunnableDevEnvironment (#​18190) (fb292f2)
• support this.environment in options and onLog hook (#​18142) (7722c06)
• css: support es2023 build target for lightningcss (#​17998) (1a76300)
• Environment API (#​16471) (242f550)
• expose EnvironmentOptions type (#​18080) (35cf59c)

Bug Fixes

• createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#​18673) (74221c3)
• getModulesByFile should return a serverModule (#​18715) (b80d5ec)
• catch error in full reload handler (#​18713) (a10e741)
• client: overlay not appearing when multiple vite clients were loaded (#​18647) (27d70b5)
• deps: update all non-major dependencies (#​18691) (f005461)
• deps: update dependency dotenv-expand to v12 (#​18697) (0c658de)
• display pre-transform error details (#​18764) (554f45f)
• exit code on SIGTERM (#​18741) (cc55e36)
• expose missing InterceptorOptions type (#​18766) (6252c60)
• html: fix inline proxy modules invalidation (#​18696) (8ab04b7)
• log error when send in module runner failed (#​18753) (ba821bb)
• module-runner: make evaluator optional (#​18672) (fd1283f)
• optimizer: detect npm / yarn / pnpm dependency changes correctly (#​17336) (#​18560) (818cf3e)
• optimizer: trigger onCrawlEnd after manual included deps are registered (#​18733) (dc60410)
• optimizer: workaround firefox's false warning for no sources source map (#​18665) (473424e)
• ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#​18748) (94546be)
• cjs build for perEnvironmentState et al (#​18656) (95c4b3c)
• html: externalize rollup.external scripts correctly (#​18618) (55461b4)
• include more modules to prefix-only module list (#​18667) (5a2103f)
• ssr: format ssrTransform parse error (#​18644) (d9be921)
• ssr: preserve fetchModule error details (#​18626) (866a433)
• browser field should not be included by default for consumer: 'server' (#​18575) (87b2347)
• client: detect ws close correctly (#​18548) (637d31b)
• resolve: run ensureVersionQuery for SSR (#​18591) (63207e5)
• use server.perEnvironmentStartEndDuringDev (#​18549) (fe30349)
• allow nested dependency selector to be used for optimizeDeps.include for SSR (#​18506) (826c81a)
• asset new URL(,import.meta.url) match (#​18194) (5286a90)
• close watcher if it's disabled (#​18521) (85bd0e9)
• config: write temporary vite config to node_modules (#​18509) (72eaef5)
• css: cssCodeSplit uses the current environment configuration (#​18486) (eefe895)
• json: don't json.stringify arrays (#​18541) (fa50b03)
• less: prevent rebasing [@import](https://redirect.github.com/import) url(...) (#​17857) (aec5fdd)
• lib: only resolve css bundle name if have styles (#​18530) (5d6dc49)
• scss: improve error logs (#​18522) (3194a6a)
• define in environment config was not working (#​18515) (052799e)
• build: apply resolve.external/noExternal to server environments (#​18495) (5a967cb)
• config: remove error if require resolve to esm (#​18437) (f886f75)
• consider URLs with any protocol to be external (#​17369) (a0336bd)
• css: remove default import in ssr dev (#​17922) (eccf663)
• use picomatch to align with tinyglobby (#​18503) (437795d)
• css: cssCodeSplit in environments.xxx.build is invalid (#​18464) (993e71c)
• css: make sass types work with sass-embedded (#​18459) (89f8303)
• deps: update all non-major dependencies (#​18484) (2ec12df)
• handle warmup glob hang (#​18462) (409fa5c)
• manifest: non entry CSS chunk src was wrong (#​18133) (c148676)
• module-runner: delay function eval until module runner instantiation (#​18480) (472afbd)
• plugins: noop if config hook returns same config reference (#​18467) (bd540d5)
• return the same instance of ModuleNode for the same EnvironmentModuleNode (#​18455) (5ead461)
• set scripts imported by HTML moduleSideEffects=true (#​18411) (2ebe4b4)
• use websocket to test server liveness before client reload (#​17891) (7f9f8c6)
• add typing to CSSOptions.preprocessorOptions (#​18001) (7eeb6f2)
• default build.cssMinify to 'esbuild' for SSR (#​15637) (f1d3bf7)
• dev: prevent double URL encoding in server.open on macOS (#​18443) (56b7176)
• preview: set resolvedUrls null after close (#​18445) (65014a3)
• ssr: inject identity function at the top (#​18449) (0ab20a3)
• ssr: preserve source maps for hoisted imports (fix #​16355) (#​16356) (8e382a6)
• augment hash for CSS files to prevent chromium erroring by loading previous files (#​18367) (a569f42)
• cli: --watch should not override build.watch options (#​18390) (b2965c8)
• css: don't transform sass function calls with namespace (#​18414) (dbb2604)
• deps: update open dependency to 10.1.0 (#​18349) (5cca4bf)
• deps: update all non-major dependencies (#​18345) (5552583)
• more robust plugin.sharedDuringBuild (#​18351) (47b1270)
• ssr: this in exported function should be undefined (#​18329) (bae6a37)
• worker: rewrite rollup output.format with worker.format on worker build error (#​18165) (dc82334)
• injectQuery double encoding (#​18246) (2c5f948)
• add position to import analysis resolve exception (#​18344) (0fe95d4)
• assets: make srcset parsing HTML spec compliant (#​16323) (#​18242) (0e6d4a5)
• css: dont remove JS chunk for pure CSS chunk when the export is used (#​18307) (889bfc0)
• deps: bump tsconfck (#​18322) (67783b2)
• deps: update all non-major dependencies (#​18292) (5cac054)
• destroy the runner when runnable environment is closed (#​18282) (5212d09)
• handle yarn command fail when root does not exist (#​18141) (460aaff)
• hmr: don't try to rewrite imports for direct CSS soft invalidation (#​18252) (a03bb0e)
• make it easier to configure environment runner (#​18273) (fb35a78)
• middleware-mode: call all hot.listen when server restart (#​18261) (007773b)
• optimizer: don't externalize transitive dep package name with asset extension (#​18152) (fafc7e2)
• resolve: fix resolve cache key for external conditions (#​18332) (93d286c)
• resolve: fix resolve cache to consider conditions and more (#​18302) (2017a33)
• types: add more overload to defineConfig (#​18299) (94e34cf)
• asset import should skip handling data URIs (#​18163) (70813c7)
• cache the runnable environment module runner (#​18215) (95020ab)
• call this.hot.close for non-ws HotChannel (#​18212) (bad0ccc)
• close HotChannel on environment close (#​18206) (2d148e3)
• config: treat all files as ESM on deno (#​18081) (c1ed8a5)
• css: ensure sass compiler initialized only once (#​18128) (4cc5322)
• css: fix lightningcss dep url resolution with custom root (#​18125) (eb08f60)
• css: fix missing source file warning with sass modern api custom importer (#​18113) (d7763a5)
• data-uri: only match ids starting with data: (#​18241) (ec0efe8)
• deps: update all non-major dependencies (#​18170) (c8aea5a)
• deps: upgrade rollup 4.22.4+ to ensure avoiding XSS (#​18180) (ea1d0b9)
• html: make build-html plugin work with sharedPlugins (#​18214) (34041b9)
• mixedModuleGraph: handle undefined id in getModulesByFile (#​18201) (768a50f)
• optimizer: re-optimize when changing config webCompatible (#​18221) (a44b0a2)
• require serialization for HMRConnection.send on implementation side (#​18186) (9470011)
• ssr: fix source map remapping with multiple sources (#​18150) (e003a2c)
• use config.consumer instead of options?.ssr / config.build.ssr (#​18140) (21ec1ce)
• vite: refactor "module cache" to "evaluated modules", pass down module to "runInlinedModule" (#​18092) (e83beff)
• avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#​18115) (ade1d89)
• fs raw query (#​18112) (9d2413c)
• preload: throw error preloading module as well (#​18098) (ba56cf4)
• allow scanning exports from script module in svelte (#​18063) (7d699aa)
• build: declare preload-helper has no side effects (#​18057) (587ad7b)
• css: fallback to mainthread if logger or pkgImporter option is set for sass (#​18071) (d81dc59)
• dynamicImportVars: correct glob pattern for paths with parentheses (#​17940) (2a391a7)
• ensure req.url matches moduleByEtag URL to avoid incorrect 304 (#​17997) (abf04c3)
• html: escape html attribute (#​18067) (5983f36)
• incorrect environment consumer option resolution (#​18079) (0e3467e)
• preload: allow ignoring dep errors (#​18046) (3fb2889)
• store backwards compatible ssrModule and ssrError (#​18031) (cf8ced5)

Performance Improvements

• reduce bundle size for Object.keys(import.meta.glob(...)) / Object.values(import.meta.glob(...)) (#​18666) (ed99a2c)
• worker: inline worker without base64 (#​18752) (90c66c9)
• remove strip-ansi for a node built-in (#​18630) (5182272)
• css: skip style.css extraction if code-split css (#​18470) (34fdb6b)
• call module.enableCompileCache() (#​18323) (18f1dad)
• use crypto.hash when available (#​18317) (2a14884)

Documentation

• rename HotUpdateContext to HotUpdateOptions (#​18718) (824c347)
• add jsdocs to flags in BuilderOptions (#​18516) (1507068)
• missing changes guides (#​18491) (5da78a6)
• update fs.deny default in JSDoc (#​18514) (1fcc83d)
• update homepage (#​18274) (a99a0aa)
• fix typo in proxy.ts (#​18162) (49087bd)

Reverts

• use chokidar v3 (#​18659) (49783da)

Miscellaneous Chores

• add 5.4.x changelogs (#​18768) (26b58c8)
• add some comments about mimes (#​18705) (f07e9b9)
• deps: update all non-major dependencies (#​18746) (0ad16e9)
• deps: update all non-major dependencies (#​18634) (e2231a9)
• deps: update transitive deps (#​18602) (0c8b152)
• tweak build config (#​18622) (2a88f71)
• add warning for / mapping in resolve.alias (#​18588) (a51c254)
• deps: update all non-major dependencies (#​18562) (fb227ec)
• remove unused ssr variable (#​18594) (23c39fc)
• fix moduleSideEffects in build script on Windows (#​18518) (25fe9e3)
• use premove instead of rimraf (#​18499) (f97a578)
• deps: update postcss-load-config to v6 (#​15235) (3a27f62)
• deps: update dependency picomatch to v4 (#​15876) (3774881)
• combine deps license with same text (#​18356) (b5d1a05)
• create-vite: mark template files as CC0 (#​18366) (f6b9074)
• deps: bump TypeScript to 5.6 (#​18254) (57a0e85)
• deps: migrate fast-glob to tinyglobby (#​18243) (6f74a3a)
• deps: update all non-major dependencies (#​18404) (802839d)
• deps: update dependency sirv to v3 ([#​18346](http

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: bb3db76

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated the devDependency vite from ^4.5.14 to ^5.4.21 in two Vue example package.json files; no other files, scripts, or exported/public declarations changed. (≤50 words)

Changes

Cohort / File(s)	Summary of Changes
Vue examples: Vite bump examples/vue/2.6-basic/package.json, examples/vue/2.7-basic/package.json	Updated devDependency vite from ^4.5.14 to ^5.4.21. No other dependency, script, source file, or public export edits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore(deps): update dependency vite to ^4.5.14 [security] #9636 — Modified the same vite devDependency lines in the same Vue example package.json files (updating Vite version).

Poem

I nibble at the lockfile tight,
Two Vue burrows gleam tonight,
Vite hopped up a version mild,
A tiny hop from one small child,
🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is comprehensive, detailing the vite update, multiple security vulnerabilities (CVE-2025-58752, CVE-2025-58751, CVE-2025-62522), affected conditions, and PoCs. However, it does not follow the repository's description template with required sections like '🎯 Changes', '✅ Checklist', and '🚀 Release Impact'.	Add the required template sections including 'Changes', 'Checklist' (with links to Contributing guide and test command), and 'Release Impact' to indicate whether this is a release-impacting change or docs/CI/dev-only.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating vite dependency to v5 for security reasons across multiple example project package.json files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit bb3db76

Command	Status	Duration	Result
nx run-many --target=build --exclude=examples/*...	✅ Succeeded	<1s	View ↗
nx affected --targets=test:sherif,test:knip,tes...	✅ Succeeded	35s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-01-20 16:41:01 UTC

[pkg-pr-new]

More templates

• @tanstack/query-example-angular-auto-refetching
• @tanstack/query-example-angular-basic
• @tanstack/query-example-angular-basic-persister
• @tanstack/query-example-angular-devtools-panel
• @tanstack/query-example-angular-infinite-query-with-max-pages
• @tanstack/query-example-angular-optimistic-updates
• @tanstack/query-example-angular-pagination
• @tanstack/query-example-angular-query-options-from-a-service
• @tanstack/query-example-angular-router
• @tanstack/query-example-angular-rxjs
• @tanstack/query-example-angular-simple
• @tanstack/query-example-solid-astro
• @tanstack/query-example-solid-basic
• @tanstack/query-example-solid-basic-graphql-request
• @tanstack/query-example-solid-default-query-function
• @tanstack/query-example-solid-simple
• @tanstack/query-example-solid-start-streaming
• @tanstack/query-example-react-algolia
• @tanstack/query-example-react-auto-refetching
• @tanstack/query-example-react-basic
• @tanstack/query-example-react-basic-graphql-request
• @tanstack/query-example-chat
• @tanstack/query-example-react-default-query-function
• @tanstack/query-example-react-devtools-panel
• @tanstack/query-example-eslint-legacy
• @tanstack/query-example-react-infinite-query-with-max-pages
• @tanstack/query-example-react-load-more-infinite-scroll
• @tanstack/query-example-react-nextjs
• @tanstack/query-example-react-nextjs-app-prefetching
• @tanstack/query-example-nextjs-suspense-streaming
• @tanstack/query-example-react-offline
• @tanstack/query-example-react-optimistic-updates-cache
• @tanstack/query-example-react-optimistic-updates-ui
• @tanstack/query-example-react-pagination
• @tanstack/query-example-react-playground
• @tanstack/query-example-react-prefetching
• @tanstack/query-example-react-react-native
• @tanstack/query-example-react-router
• @tanstack/query-example-react-rick-morty
• @tanstack/query-example-react-shadow-dom
• @tanstack/query-example-react-simple
• @tanstack/query-example-react-star-wars
• @tanstack/query-example-react-suspense
• @tanstack/query-example-svelte-auto-refetching
• @tanstack/query-example-svelte-basic
• @tanstack/query-example-svelte-load-more-infinite-scroll
• @tanstack/query-example-svelte-optimistic-updates
• @tanstack/query-example-svelte-playground
• @tanstack/query-example-svelte-simple
• @tanstack/query-example-svelte-ssr
• @tanstack/query-example-svelte-star-wars
• @tanstack/query-example-vue-2.6-basic
• @tanstack/query-example-vue-2.7-basic
• @tanstack/query-example-vue-basic
• @tanstack/query-example-vue-dependent-queries
• @tanstack/query-example-vue-nuxt3
• @tanstack/query-example-vue-persister
• @tanstack/query-example-vue-simple

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9708

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9708

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9708

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9708

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@9708

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@9708

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9708

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9708

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@9708

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@9708

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9708

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9708

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@9708

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9708

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9708

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@9708

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9708

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9708

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@9708

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9708

commit: bb3db76

[github-actions]

Sizes for commit 1c5c5da:

Branch	Bundle Size
Main
This PR

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dcc7bd9 and 42e2d9c.

📒 Files selected for processing (2)

• examples/vue/2.6-basic/package.json (1 hunks)
• examples/vue/2.7-basic/package.json (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Upgrade blocked by Vue 2.6 plugin compatibility

Line 17 moves this example to Vite ^5.4.20 while retaining [email protected], but that plugin’s peer constraint is vite ^2 || ^3, so installation will fail and the tooling won’t run.(npmpeer.dev) Compounding that, the package is in maintenance mode and only supports Vue 2.6 or earlier with no Vite 5-ready release, so we either keep this example on Vite 4 or migrate it to Vue 2.7 plus @vitejs/plugin-vue2 before bumping Vite.(npm.io)

🤖 Prompt for AI Agents

In examples/vue/2.6-basic/package.json around lines 17-19, Vite was bumped to
^5.4.20 but the project still depends on [email protected] which only
supports vite ^2 || ^3 and is not Vite 5 compatible; fix by either (A) pinning
Vite to a Vite-4-compatible version (e.g., ^4.x) so the existing
vite-plugin-vue2 remains valid, or (B) migrate the example to Vue 2.7 and
replace vite-plugin-vue2 with a Vite-5-compatible plugin (e.g.,
@vitejs/plugin-vue2), update package.json and any plugin-related config/code,
then run npm install and smoke-test the dev/build to ensure tooling works.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Vite 5 breaks the current Vue 2 build

Line 17 upgrades Vite to ^5.4.20, but the example still depends on [email protected], whose peer dependency caps Vite at ^3.x; npm install/pnpm install will dead-stop with an ERESOLVE failure and the dev server won’t start.(npmpeer.dev) To land Vite 5 you need to swap over to the maintained @vitejs/plugin-vue2 (and update the config imports), because its peer range now covers Vite ^5 alongside Vue 2.7.(github.com)

-    "vite": "^5.4.20",
-    "vite-plugin-vue2": "2.0.3"
+    "vite": "^5.4.20",
+    "@vitejs/plugin-vue2": "^2.3.3"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"vite": "^5.4.20",
	"vite-plugin-vue2": "2.0.3"
	"vite": "^5.4.20",
	"@vitejs/plugin-vue2": "^2.3.3"

🤖 Prompt for AI Agents

In examples/vue/2.7-basic/package.json around lines 17-18, the project declares
"vite": "^5.4.20" but still depends on "vite-plugin-vue2": "2.0.3", which has a
peer range limited to Vite ^3 and causes ERESOLVE; replace "vite-plugin-vue2"
with the maintained "@vitejs/plugin-vue2" (use a current compatible version) in
package.json, run install to update lockfile, and then update any Vite
config/imports (e.g., vite.config.js or vite.config.ts) to import and use the
plugin from "@vitejs/plugin-vue2" instead of "vite-plugin-vue2" so the example
works with Vite 5.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

examples/vue/2.6-basic/package.json (1)

18-20: Blocker: vite-plugin-vue2 is incompatible with Vite 5+ here; install/build will break

This example bumps Vite to ^5.4.20 but keeps [email protected] (for Vue 2.6). That plugin’s peer range targets older Vite, so the toolchain won’t resolve or run. Either revert Vite here or migrate the example to Vue 2.7 + @vitejs/plugin-vue2 before taking Vite ≥5.

Minimal safe fix (Option A: keep Vue 2.6):

   "devDependencies": {
     "typescript": "5.8.3",
-    "vite": "^5.4.20",
+    "vite": "^4.5.14",
     "vite-plugin-vue2": "2.0.3"
   }

Preferred fix (Option B: upgrade path):

• Move to Vue 2.7.x and align vue-template-compiler to the same 2.7.x.
• Drop @vue/composition-api (built into 2.7).
• Replace vite-plugin-vue2 with @vitejs/plugin-vue2 and then bump Vite to the target version (see next comment).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec9eec7 and 01758f7.

📒 Files selected for processing (2)

• examples/vue/2.6-basic/package.json (1 hunks)
• examples/vue/2.7-basic/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• examples/vue/2.7-basic/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Test

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @examples/vue/2.6-basic/package.json:
- Around line 18-19: The dependency combination is incompatible: replace
"vite-plugin-vue2" with the official "@vitejs/plugin-vue2" in package.json
(remove "vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" with a
compatible version), then update any plugin imports/usages in your Vite config
(e.g., change import from "vite-plugin-vue2" to "@vitejs/plugin-vue2" and call
the new plugin factory in the plugins array), and run a fresh install and build
to verify compatibility with Vite 5.4.21.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1deb85 and 1105f27.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• examples/vue/2.6-basic/package.json
• examples/vue/2.7-basic/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• examples/vue/2.7-basic/package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check vite-plugin-vue2 peer dependencies for Vite compatibility
npm view [email protected] peerDependencies --json 2>/dev/null | jq . || echo "Failed to fetch peer dependencies"

echo "---"

# Check available versions of vite-plugin-vue2
npm view vite-plugin-vue2 versions --json 2>/dev/null | jq '.[-10:]' || echo "Failed to fetch versions"

Repository: TanStack/query

Length of output: 254

---

🌐 Web query:

vite-plugin-vue2 2.0.3 compatibility Vite 5

💡 Result:

Short answer: vite-plugin-vue2 (latest 2.0.3) is an older community plugin in maintenance/EOL and does not officially target Vite 5. For Vue 2.7+ use the official @vitejs/plugin-vue2 which supports modern Vite (including Vite 5). Sources: vite-plugin-vue2 package info (maintenance/EOL). [1] and @vitejs/plugin-vue2 docs/npm (supports Vue 2.7 and Vite). [2][3]

References

• vite-plugin-vue2 (package / maintenance note). [1]
• @vitejs/plugin-vue2 (official plugin — works with Vue 2.7 and Vite). [2][3]

Would you like exact install/upgrade steps to switch to @vitejs/plugin-vue2?

---

🌐 Web query:

Vite 5.4.21 CVE security vulnerabilities CVE-2025

💡 Result:

Short answer: Vite 5.4.21 contains the fix for a 2025 CVE (CVE-2025-62522). Upgrade to 5.4.21 or later and avoid exposing the dev server to the network.

Details:

• CVE‑2025‑62522: a server.fs.deny bypass (Windows, trailing backslash) — patched in v5.4.21. See NVD and vendor advisories. [1][2]
• Other related 2025 Vite dev-server information-disclosure CVEs were fixed in earlier 5.4.x releases (examples: CVE‑2025‑30208, CVE‑2025‑31486, CVE‑2025‑58752, CVE‑2025‑46565); many of these only affect Vite dev servers exposed to the network. If you run a dev server, do not bind it to public hosts and upgrade to the patched release. [3][4][5][6][7]

If you want, I can fetch the exact advisory/commit links and provide a brief upgrade checklist for your projects.

Sources:
[1] NVD — CVE-2025-62522.
[2] Positive Technologies / dbugs — PT advisory for CVE-2025-62522.
[3] CVE Details — CVE-2025-62522 summary.
[4] NVD — CVE-2025-30208.
[5] NVD — CVE-2025-31486.
[6] NVD — CVE-2025-58752.
[7] ResolvedSecurity / CVE-2025-46565.

---

This combination will fail: [email protected] does not support Vite 5.x.

The peer dependencies for [email protected] explicitly restrict it to "vite": "^2.0.0 || ^3.0.0 || ^4.0.0". Upgrading vite to 5.4.21 while keeping this plugin will cause build or runtime failures.

Replace with @vitejs/plugin-vue2, the official community plugin that supports Vite 5 and is actively maintained. Update the dependency in package.json and adjust any plugin imports/configuration accordingly if using this example.

Vite 5.4.21 does address the mentioned CVEs (including CVE-2025-62522 and earlier 2025 dev-server vulnerabilities).

🤖 Prompt for AI Agents

In @examples/vue/2.6-basic/package.json around lines 18 - 19, The dependency
combination is incompatible: replace "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2" in package.json (remove "vite-plugin-vue2": "2.0.3" and
add "@vitejs/plugin-vue2" with a compatible version), then update any plugin
imports/usages in your Vite config (e.g., change import from "vite-plugin-vue2"
to "@vitejs/plugin-vue2" and call the new plugin factory in the plugins array),
and run a fresh install and build to verify compatibility with Vite 5.4.21.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @examples/vue/2.7-basic/package.json:
- Line 17: The project currently lists "vite": "^7.3.1" which is incompatible
with the installed [email protected] (peer supports only ^5 || ^6); either
change the Vite dependency in package.json to a compatible version (e.g.,
"vite": "^6.x") or replace vite-plugin-vue2 with the official
@vitejs/plugin-vue2 and update any plugin configuration in the build setup
(e.g., where vite-plugin-vue2 is referenced) to use the new plugin API.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1105f27 and 86384ca.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• examples/vue/2.6-basic/package.json
• examples/vue/2.7-basic/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• examples/vue/2.6-basic/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Test
• GitHub Check: Preview

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @examples/vue/2.7-basic/package.json:
- Line 17: Update the dependency in package.json to replace the legacy
"vite-plugin-vue2" with the official "@vitejs/plugin-vue2"; then update any Vite
config files (e.g., vite.config.js or vite.config.ts) to change imports and
plugin usage from "vite-plugin-vue2" to "@vitejs/plugin-vue2" (replace
import/require and the plugin() invocation), run npm/yarn install to refresh
lockfile, and verify the project builds with Vite 5.x.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86384ca and 6ccf759.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• examples/vue/2.6-basic/package.json
• examples/vue/2.7-basic/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Test

🔇 Additional comments (1)

examples/vue/2.6-basic/package.json (1)

18-18: Consistent with sibling example.

The vite version update aligns with examples/vue/2.7-basic/package.json. The compatibility and security verification concerns noted in the sibling file apply here as well.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

vite-plugin-vue2 compatibility vite 5.x 6.x 7.x

💡 Result:

Short answer: use @vitejs/plugin-vue2 (official) for Vue 2.7 — the older community package vite-plugin-vue2 (underfin) is legacy/maintenance-EOL and not recommended for recent Vite major releases. The official @vitejs/plugin-vue2 is the supported plugin for Vue 2.7 and is what you should use with current Vite versions; some third‑party Vue2 ecosystem plugins may still have strict peerDependencies and need updates for Vite 7 (peer‑dep conflicts have been reported). [1][2][3]

References:

• @vitejs/plugin-vue2 README (official plugin for Vue 2.7). [1]
• Vite docs / migration notes: recommends @vitejs/plugin-vue2 for Vue 2.7 and notes vite-plugin-vue2 is superseded. [2]
• Vite GitHub issue showing ecosystem peer-dependency problems with Vite 7 (example of plugins needing updates). [3]

---

🏁 Script executed:

# Search for PR context or comments about vite version choice
cd /tmp && find . -type f -name "*.md" -o -name "*.json" | head -20
git ls-files | grep -E "(CHANGELOG|README|PR|\.github)" | head -20

Repository: TanStack/query

Length of output: 126

---

🏁 Script executed:

# Check if there are any CVE references in the repository
rg -i "cve|security|vulnerability" --type md --type json | head -30

Repository: TanStack/query

Length of output: 2043

---

🏁 Script executed:

# Check the actual package.json file and its git history for context
cat -n examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 645

---

Replace vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The package uses [email protected], which is a legacy community plugin that is no longer maintained. The official plugin is @vitejs/plugin-vue2 from the Vite team, which is the recommended choice for Vue 2.7 projects. The Vite 5.x constraint appears intentional for compatibility with the legacy plugin, but you should migrate to the official plugin instead to ensure long-term support and compatibility with current and future Vite versions.

🤖 Prompt for AI Agents

In @examples/vue/2.7-basic/package.json at line 17, Update the dependency in
package.json to replace the legacy "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2"; then update any Vite config files (e.g., vite.config.js
or vite.config.ts) to change imports and plugin usage from "vite-plugin-vue2" to
"@vitejs/plugin-vue2" (replace import/require and the plugin() invocation), run
npm/yarn install to refresh lockfile, and verify the project builds with Vite
5.x.

[github-actions]

size-limit report 📦

Path	Size
react full	11.93 KB (0%)
react minimal	8.95 KB (0%)