Gathering detailed insights and metrics for @gustavotoyota/vitejs-plugin-legacy
Gathering detailed insights and metrics for @gustavotoyota/vitejs-plugin-legacy
Next generation frontend tooling. It's fast!
Installations
npm install @gustavotoyota/vitejs-plugin-legacyDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS
Min. Node Version
>=12.0.0
Node Version
18.12.0
NPM Version
8.19.2
Releases
586
plugin-legacy@7.0.1
plugin-legacy@7.0.1
Updated on Jul 17, 2025
v7.0.5
v7.0.5
Updated on Jul 17, 2025
create-vite@7.0.3
create-vite@7.0.3
Updated on Jul 11, 2025
create-vite@7.0.2
create-vite@7.0.2
Updated on Jul 10, 2025
v7.0.4
v7.0.4
Updated on Jul 10, 2025
create-vite@7.0.1
create-vite@7.0.1
Updated on Jul 08, 2025
Languages
15
TypeScript
JavaScript
HTML
CSS
Vue
AppleScript
SCSS
Svelte
Less
Stylus
Shell
Pug
Sass
SugarSS
Astro
TypeScript (83.23%)
JavaScript (9.81%)
HTML (5.17%)
CSS (1.23%)
Vue (0.14%)
AppleScript (0.11%)
SCSS (0.1%)
Svelte (0.1%)
Less (0.05%)
Stylus (0.02%)
Shell (0.01%)
Pug (0.01%)
Sass (0.01%)
SugarSS (0.01%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
74,185 Stars
7,943 Commits
6,955 Forks
459 Watchers
43 Branches
1,128 Contributors
Updated on Jul 17, 2025
Maintainers
1
Package Meta Information
Latest Version
1.8.3
Package Id
@gustavotoyota/vitejs-plugin-legacy@1.8.3
Unpacked Size
30.22 kB
Size
9.75 kB
File Count
5
NPM Version
8.19.2
Node Version
18.12.0
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
1
@vitejs/plugin-legacy 
Vite's default browser support baseline is Native ESM. This plugin provides support for legacy browsers that do not support native ESM when building for production.
By default, this plugin will:
-
Generate a corresponding legacy chunk for every chunk in the final bundle, transformed with @babel/preset-env and emitted as SystemJS modules (code splitting is still supported!).
-
Generate a polyfill chunk including SystemJS runtime, and any necessary polyfills determined by specified browser targets and actual usage in the bundle.
-
Inject
<script nomodule>tags into generated HTML to conditionally load the polyfills and legacy bundle only in browsers without native ESM support. -
Inject the
import.meta.env.LEGACYenv variable, which will only betruein the legacy production build, andfalsein all other cases.
Usage
1// vite.config.js 2import legacy from '@vitejs/plugin-legacy' 3 4export default { 5 plugins: [ 6 legacy({ 7 targets: ['defaults', 'not IE 11'] 8 }) 9 ] 10}
When targeting IE11, you also need regenerator-runtime:
1// vite.config.js 2import legacy from '@vitejs/plugin-legacy' 3 4export default { 5 plugins: [ 6 legacy({ 7 targets: ['ie >= 11'], 8 additionalLegacyPolyfills: ['regenerator-runtime/runtime'] 9 }) 10 ] 11}
Options
targets
-
Type:
string | string[] | { [key: string]: string } -
Default:
'defaults'If explicitly set, it's passed on to
@babel/preset-env.The query is also Browserslist compatible. The default value,
'defaults', is what is recommended by Browserslist. See Browserslist Best Practices for more details.
polyfills
-
Type:
boolean | string[] -
Default:
trueBy default, a polyfills chunk is generated based on the target browser ranges and actual usage in the final bundle (detected via
@babel/preset-env'suseBuiltIns: 'usage').Set to a list of strings to explicitly control which polyfills to include. See Polyfill Specifiers for details.
Set to
falseto avoid generating polyfills and handle it yourself (will still generate legacy chunks with syntax transformations).
additionalLegacyPolyfills
-
Type:
string[]Add custom imports to the legacy polyfills chunk. Since the usage-based polyfill detection only covers ES language features, it may be necessary to manually specify additional DOM API polyfills using this option.
Note: if additional polyfills are needed for both the modern and legacy chunks, they can simply be imported in the application source code.
ignoreBrowserslistConfig
-
Type:
boolean -
Default:
false@babel/preset-envautomatically detectsbrowserslistconfig sources:browserslistfield inpackage.json.browserslistrcfile in cwd.
Set to
falseto ignore these sources.
modernPolyfills
-
Type:
boolean | string[] -
Default:
falseDefaults to
false. Enabling this option will generate a separate polyfills chunk for the modern build (targeting browsers with native ESM support).Set to a list of strings to explicitly control which polyfills to include. See Polyfill Specifiers for details.
Note it is not recommended to use the
truevalue (which uses auto-detection) becausecore-js@3is very aggressive in polyfill inclusions due to all the bleeding edge features it supports. Even when targeting native ESM support, it injects 15kb of polyfills!If you don't have hard reliance on bleeding edge runtime features, it is not that hard to avoid having to use polyfills in the modern build altogether. Alternatively, consider using an on-demand service like Polyfill.io to only inject necessary polyfills based on actual browser user-agents (most modern browsers will need nothing!).
renderLegacyChunks
-
Type:
boolean -
Default:
trueSet to
falseto disable legacy chunks. This is only useful if you are usingmodernPolyfills, which essentially allows you to use this plugin for injecting polyfills to the modern build only:1import legacy from '@vitejs/plugin-legacy' 2 3export default { 4 plugins: [ 5 legacy({ 6 modernPolyfills: [ 7 /* ... */ 8 ], 9 renderLegacyChunks: false 10 }) 11 ] 12}
externalSystemJS
-
Type:
boolean -
Default:
falseDefaults to
false. Enabling this option will excludesystemjs/dist/s.min.jsinside polyfills-legacy chunk.
Dynamic Import
The legacy plugin offers a way to use native import() in the modern build while falling back to the legacy build in browsers with native ESM but without dynamic import support (e.g. Legacy Edge). This feature works by injecting a runtime check and loading the legacy bundle with SystemJs runtime if needed. There are the following drawbacks:
- Modern bundle is downloaded in all ESM browsers
- Modern bundle throws
SyntaxErrorin browsers without dynamic import
Polyfill Specifiers
Polyfill specifier strings for polyfills and modernPolyfills can be either of the following:
-
Any
core-js3 sub import paths - e.g.es/mapwill importcore-js/es/map -
Any individual
core-js3 modules - e.g.es.array.iteratorwill importcore-js/modules/es.array.iterator.js
Example
1import legacy from '@vitejs/plugin-legacy' 2 3export default { 4 plugins: [ 5 legacy({ 6 polyfills: ['es.promise.finally', 'es/map', 'es/set'], 7 modernPolyfills: ['es.promise.finally'] 8 }) 9 ] 10}
Content Security Policy
The legacy plugin requires inline scripts for Safari 10.1 nomodule fix, SystemJS initialization, and dynamic import fallback. If you have a strict CSP policy requirement, you will need to add the corresponding hashes to your script-src list:
sha256-MS6/3FCg4WjP9gwgaBGwLpRCY6fZBgwmhVCdrPrNf3E=sha256-tQjf8gvb2ROOMapIxFvFAYBeUJ0v1HCbOcSmDNXGtDo=sha256-4m6wOIrq/wFDmi9Xh3mFM2mwI4ik9n3TMgHk6xDtLxk=sha256-uS7/g9fhQwNZS1f/MqYqqKv8y9hCu36IfX9XZB5L7YY=
These values (without the sha256- prefix) can also be retrieved via
1const { cspHashes } = require('@vitejs/plugin-legacy')
When using the regenerator-runtime polyfill, it will attempt to use the globalThis object to register itself. If globalThis is not available (it is fairly new and not widely supported, including IE 11), it attempts to perform dynamic Function(...) call which violates the CSP. To avoid dynamic eval in the absence of globalThis consider adding core-js/proposals/global-this to additionalLegacyPolyfills to define it.
References
No vulnerabilities found.
Reason
30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vitejs/.github/SECURITY.md:1
- Info: Found linked content: github.com/vitejs/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vitejs/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vitejs/.github/SECURITY.md:1
Reason
0 existing vulnerabilities detected
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'actions' permission set to 'read': .github/workflows/ecosystem-ci-trigger.yml:14
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/ecosystem-ci-trigger.yml:15
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish.yml:16
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-tag.yml:17
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/semantic-pull-request.yml:16
- Info: found token with 'none' permissions: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/ecosystem-ci-trigger.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-close-require.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-labeled.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-tag.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-pull-request.yml:1
Reason
binaries present in source code
Details
- Warn: binary detected: playground/wasm/add.wasm:1
- Warn: binary detected: playground/wasm/heavy.wasm:1
- Warn: binary detected: playground/wasm/light.wasm:1
Reason
dependency not pinned by hash detected -- score normalized to 6
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:217: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/preview-release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/preview-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-tag.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-tag.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
- Warn: downloadThenRun not pinned by hash: .github/workflows/ci.yml:183
- Info: 0 out of 18 GitHub-owned GitHubAction dependencies pinned
- Info: 11 out of 12 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 downloadThenRun dependencies pinned
Reason
Found 14/27 approved changesets -- score normalized to 5
Reason
SAST tool is not run on all commits -- score normalized to 1
Details
- Warn: 4 commits out of 23 are checked with a SAST tool
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
6.9
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More