Vite 6.3.2 differs from 6.3.1 mainly in its devDependencies; the runtime dependencies that consumers install are unchanged. Notable bumps: sass and sass-embedded from 1.85.1 to 1.86.3, @babel/parser from 7.26.10 to 7.27.0 (support for newer ECMAScript syntax), dotenv from 16.4.7 to 16.5.0, nanoid from 5.1.4 to 5.1.5, open from 10.1.0 to 10.1.1, and ufo from 1.5.4 to 1.6.1.
Two caveats apply when reading devDependency bumps in this package. Vite bundles most of these small packages (dotenv, nanoid, open, ufo) into its published dist output at build time, so their new versions do reach consumers through the vite tarball even though they never appear in a project's node_modules; conversely, a fix in one of them only reaches users when vite itself is re-released. sass and sass-embedded, by contrast, are optional peer dependencies: the version a project actually runs is whatever that project installs, not 1.86.3. Consult the individual changelogs for the details of each bump.
The published package is marginally smaller (unpackedSize 2649883 bytes for 6.3.1 versus 2649534 for 6.3.2). Version 6.3.2 was published on April 18th, 2025, one day after 6.3.1 (April 17th, 2025). For most projects this is a low-risk patch upgrade; check the Vite release notes for the specific fixes before moving.
All the vulnerabilities known to affect version 6.3.2 of the package:
Vite's server.fs.deny bypassed with /. for files under project root
The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps that explicitly expose the Vite dev server to the network (using --host or the server.host config option) are affected; by default the dev server listens on localhost only. Only files that are under the project root and are denied by a file matching pattern can be bypassed.
Examples of file matching patterns (affected): .env, .env.*, *.{crt,pem}, **/.env
Examples of other patterns (directory-style, not subject to this bypass): **/.git/**, .git/**, .git/**/*
server.fs.deny can contain patterns that match against files (by default it includes .env, .env.*, and *.{crt,pem} as such patterns). For files under the project root, these patterns could be bypassed by appending a slash and a dot (/.) to the request path: the trailing /. defeats the file-name match, but is collapsed again when the path is resolved on disk, so the denied file is served. The fix ships in Vite 6.3.4; anyone running 6.3.2 with --host or server.host set should upgrade to 6.3.4 or later, and should treat any .env or certificate file under the project root as potentially exposed while the server was reachable.
Proof of concept (run against an affected version; npm run dev stays in the foreground, so issue the curl from a second terminal):
npm create vite@latest
cd vite-project/
echo "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173
Notes: echo creates the denied file (cat "secret" would only fail with a missing-file error). --request-target (curl 7.55 or newer) is used so that /.env/. goes on the wire verbatim; without it curl collapses the "." segment and sends /.env, which the deny list catches. On an affected version the response body is "secret"; on a patched version the dev server answers 403.
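As an added illustration (not Vite's source code and not code from the advisory), the following JavaScript models the bug class behind this bypass: a deny list of file-matching globs evaluated against the raw request path, while the file that is actually opened is the normalized path. The glob-to-RegExp helper, the in-memory file table, and the two serve functions are constructed for this example and are assumptions about the general mechanism; Vite's real implementation differs in detail. The hardened variant normalizes before checking and also refuses any raw path that still carries a "/." segment.

```javascript
// Added illustration, not Vite's code: a minimal model of a deny list that is
// evaluated on the raw request path while the file layer opens the normalized
// path. Appending "/." makes the last segment "." (no glob matches it), but
// normalization collapses the segment, so the denied file is served.

// Vite's default file-matching deny patterns plus **/.env from the advisory.
const DENY_PATTERNS = [".env", ".env.*", "*.{crt,pem}", "**/.env"];

// Constructed in-memory "project root" standing in for the filesystem.
const PROJECT_FILES = {
  "/index.html": "<!doctype html><title>app</title>",
  "/.env": "SECRET=hunter2",
  "/.env.local": "LOCAL_SECRET=swordfish",
  "/server.crt": "-----BEGIN CERTIFICATE-----",
  "/src/main.js": "console.log('hi')",
};

// Translate the small glob subset used above into a RegExp applied to a
// basename: "*" matches within one segment, "{a,b}" is an alternation.
// A leading "**/" is dropped because the match is on the basename anyway.
function globToRegExp(glob) {
  let re = "";
  for (const c of glob.replace(/^\*\*\//, "")) {
    if (c === "*") re += "[^/]*";
    else if (c === "{") re += "(?:";
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+^$()|[\]\\?]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}
const denyRegExps = DENY_PATTERNS.map(globToRegExp);

// Last segment of the request path as received (trailing slashes ignored).
function rawBasename(requestPath) {
  const segs = requestPath.replace(/\/+$/, "").split("/");
  return segs[segs.length - 1];
}

// Resolve "." and ".." the way the file layer does before opening the file
// (a stand-in for path.posix.normalize, written out so the collapse is visible).
function normalizePath(requestPath) {
  const out = [];
  for (const seg of requestPath.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function isDeniedBasename(name) {
  return denyRegExps.some((re) => re.test(name));
}

// Vulnerable shape: deny check on the raw path, file lookup on the normalized one.
function serveVulnerable(requestPath, files = PROJECT_FILES) {
  if (isDeniedBasename(rawBasename(requestPath))) return { status: 403 };
  const resolved = normalizePath(requestPath);
  return resolved in files ? { status: 200, body: files[resolved] } : { status: 404 };
}

// Hardened shape: refuse any raw path that still contains a "/." segment (a
// browser never needs to send one), then normalize and run the deny check on
// exactly the path that will be opened.
function serveFixed(requestPath, files = PROJECT_FILES) {
  if (/\/\.(?:\/|$)/.test(requestPath)) return { status: 403 };
  const resolved = normalizePath(requestPath);
  if (isDeniedBasename(rawBasename(resolved))) return { status: 403 };
  return resolved in files ? { status: 200, body: files[resolved] } : { status: 404 };
}

for (const p of ["/.env", "/.env/.", "/.env.local/./", "/server.crt/.", "/src/main.js"]) {
  console.log(p.padEnd(16), "vulnerable:", serveVulnerable(p).status, "fixed:", serveFixed(p).status);
}
```

The point of ordering in serveFixed is that every check runs on the same string the file layer will use; the extra "/." rejection is defence in depth, so that a future mismatch between the two code paths does not silently reopen the hole.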