Gathering detailed insights and metrics for @vitejs/plugin-react
Gathering detailed insights and metrics for @vitejs/plugin-react
The all-in-one Vite plugin for React projects.
Installations
npm install @vitejs/plugin-reactDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
^14.18.0 || >=16.0.0
Node Version
20.19.2
NPM Version
10.8.2
Score
66
Supply Chain
88.7
Quality
93.4
Maintenance
100
Vulnerability
98.6
License
Releases
40
plugin-react@4.6.0
plugin-react@4.6.0
Updated on Jun 23, 2025
plugin-react-oxc@0.2.3
plugin-react-oxc@0.2.3
Updated on Jun 16, 2025
plugin-react-oxc@0.2.2
plugin-react-oxc@0.2.2
Updated on Jun 10, 2025
plugin-react-swc@3.10.2
plugin-react-swc@3.10.2
Updated on Jun 10, 2025
plugin-react@4.5.2
plugin-react@4.5.2
Updated on Jun 10, 2025
plugin-react-oxc@0.2.1
plugin-react-oxc@0.2.1
Updated on Jun 03, 2025
Languages
5
TypeScript
JavaScript
CSS
HTML
MDX
TypeScript (66.66%)
JavaScript (22.89%)
CSS (5.69%)
HTML (4.58%)
MDX (0.18%)
Developer
vitejs
Download Statistics
Total Downloads
544,380,413
Last Day
471,159
Last Week
8,707,363
Last Month
36,556,311
Last Year
306,544,226
GitHub Statistics
MIT License
747 Stars
1,136 Commits
159 Forks
12 Watchers
5 Branches
45 Contributors
Updated on Jul 04, 2025
Bundle Size
10.19 kB
Minified
3.97 kB
Minified + Gzipped
Maintainers
4
Package Meta Information
Latest Version
4.6.0
Package Id
@vitejs/plugin-react@4.6.0
Unpacked Size
62.16 kB
Size
18.53 kB
File Count
9
NPM Version
10.8.2
Node Version
20.19.2
Published on
Jun 23, 2025
Total Downloads
Cumulative downloads
Total Downloads
544,380,413
Last Day
-9%
471,159
Compared to previous day
Last Week
-5.5%
8,707,363
Compared to previous week
Last Month
6.8%
36,556,311
Compared to previous month
Last Year
73.3%
306,544,226
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
@vitejs/plugin-react 
The default Vite plugin for React projects.
- enable Fast Refresh in development (requires react >= 16.9)
- use the automatic JSX runtime
- use custom Babel plugins/presets
- small installation size
1// vite.config.js 2import { defineConfig } from 'vite' 3import react from '@vitejs/plugin-react' 4 5export default defineConfig({ 6 plugins: [react()], 7})
Options
include/exclude
Includes .js, .jsx, .ts & .tsx by default. This option can be used to add fast refresh to .mdx files:
1import { defineConfig } from 'vite' 2import react from '@vitejs/plugin-react' 3import mdx from '@mdx-js/rollup' 4 5export default defineConfig({ 6 plugins: [ 7 { enforce: 'pre', ...mdx() }, 8 react({ include: /\.(mdx|js|jsx|ts|tsx)$/ }), 9 ], 10})
node_modulesare never processed by this plugin (but esbuild will)
jsxImportSource
Control where the JSX factory is imported from. Default to 'react'
1react({ jsxImportSource: '@emotion/react' })
jsxRuntime
By default, the plugin uses the automatic JSX runtime. However, if you encounter any issues, you may opt out using the jsxRuntime option.
1react({ jsxRuntime: 'classic' })
babel
The babel option lets you add plugins, presets, and other configuration to the Babel transformation performed on each included file.
1react({ 2 babel: { 3 presets: [...], 4 // Your plugins run before any built-in transform (eg: Fast Refresh) 5 plugins: [...], 6 // Use .babelrc files 7 babelrc: true, 8 // Use babel.config.js files 9 configFile: true, 10 } 11})
Note: When not using plugins, only esbuild is used for production builds, resulting in faster builds.
Proposed syntax
If you are using ES syntax that are still in proposal status (e.g. class properties), you can selectively enable them with the babel.parserOpts.plugins option:
1react({ 2 babel: { 3 parserOpts: { 4 plugins: ['decorators-legacy'], 5 }, 6 }, 7})
This option does not enable code transformation. That is handled by esbuild.
Note: TypeScript syntax is handled automatically.
Here's the complete list of Babel parser plugins.
reactRefreshHost
The reactRefreshHost option is only necessary in a module federation context. It enables HMR to work between a remote & host application. In your remote Vite config, you would add your host origin:
1react({ reactRefreshHost: 'http://localhost:3000' })
Under the hood, this simply updates the React Fash Refresh runtime URL from /@react-refresh to http://localhost:3000/@react-refresh to ensure there is only one Refresh runtime across the whole application. Note that if you define base option in the host application, you need to include it in the option, like: http://localhost:3000/{base}.
Middleware mode
In middleware mode, you should make sure your entry index.html file is transformed by Vite. Here's an example for an Express server:
1app.get('/', async (req, res, next) => {
2 try {
3 let html = fs.readFileSync(path.resolve(root, 'index.html'), 'utf-8')
4
5 // Transform HTML using Vite plugins.
6 html = await viteServer.transformIndexHtml(req.url, html)
7
8 res.send(html)
9 } catch (e) {
10 return next(e)
11 }
12})Otherwise, you'll probably get this error:
Uncaught Error: @vitejs/plugin-react can't detect preamble. Something is wrong.
disableOxcRecommendation
If set, disables the recommendation to use @vitejs/plugin-react-oxc (which is shown when rolldown-vite is detected and babel is not configured).
Consistent components exports
For React refresh to work correctly, your file should only export React components. You can find a good explanation in the Gatsby docs.
If an incompatible change in exports is found, the module will be invalidated and HMR will propagate. To make it easier to export simple constants alongside your component, the module is only invalidated when their value changes.
You can catch mistakes and get more detailed warning with this eslint rule.
No vulnerabilities found.
Reason
30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vitejs/.github/SECURITY.md:1
- Info: Found linked content: github.com/vitejs/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vitejs/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vitejs/.github/SECURITY.md:1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish.yml:12
- Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/semantic-pull-request.yml:16
- Info: found token with 'none' permissions: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-close-require.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-labeled.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Info: found token with 'none' permissions: .github/workflows/release-continuous.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-pull-request.yml:1
Reason
dependency not pinned by hash detected -- score normalized to 8
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-continuous.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/release-continuous.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-continuous.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite-plugin-react/release-continuous.yml/main?enable=pin
- Info: 0 out of 9 GitHub-owned GitHubAction dependencies pinned
- Info: 11 out of 11 third-party GitHubAction dependencies pinned
Reason
SAST tool is not run on all commits -- score normalized to 7
Details
- Warn: 15 commits out of 19 are checked with a SAST tool
Reason
4 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Reason
Found 11/24 approved changesets -- score normalized to 4
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Score
7.4
/10
Last Scanned on 2025-06-23
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More