Gathering detailed insights and metrics for vite
Gathering detailed insights and metrics for vite
Installations
npm install viteDeveloper Guide
BETA
Typescript
Yes
Module System
ESM
Min. Node Version
^18.0.0 || ^20.0.0 || >=22.0.0
Node Version
20.18.1
NPM Version
10.8.2
Score
70.9
Supply Chain
66.8
Quality
96.8
Maintenance
100
Vulnerability
88.5
License
Releases
516
Contributors
1,067
Languages
15
TypeScript
JavaScript
HTML
CSS
Vue
AppleScript
Svelte
SCSS
Less
Stylus
Shell
Pug
Sass
SugarSS
Astro
TypeScript (83.42%)
JavaScript (9.73%)
HTML (5.01%)
CSS (1.28%)
Vue (0.15%)
AppleScript (0.11%)
Svelte (0.11%)
SCSS (0.08%)
Less (0.04%)
Stylus (0.02%)
Shell (0.01%)
Pug (0.01%)
Sass (0.01%)
SugarSS (0.01%)
Developer
Download Statistics
Total Downloads
1,117,354,102
Last Day
3,580,709
Last Week
16,643,874
Last Month
71,679,572
Last Year
713,868,361
GitHub Statistics
70,357 Stars
7,488 Commits
6,397 Forks
432 Watching
48 Branches
1,067 Contributors
Sponsor this package
Maintainers
5
Package Meta Information
Latest Version
6.0.11
Package Id
vite@6.0.11
Unpacked Size
2.70 MB
Size
658.36 kB
File Count
34
NPM Version
10.8.2
Node Version
20.18.1
Publised On
21 Jan 2025
Total Downloads
Cumulative downloads
Total Downloads
1,117,354,102
Last day
-8.1%
3,580,709
Compared to previous day
Last week
-14.8%
16,643,874
Compared to previous week
Last month
12.5%
71,679,572
Compared to previous month
Last year
126.7%
713,868,361
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Peer Dependencies
11
Dev Dependencies
59
@ampproject/remapping@babel/parser@jridgewell/trace-mapping@polka/compression@rollup/plugin-alias@rollup/plugin-commonjs@rollup/plugin-dynamic-import-vars@rollup/plugin-json@rollup/plugin-node-resolve@rollup/pluginutils@types/escape-html@types/pnpapiartichokiecacchokidarconnectconvert-source-mapcorscross-spawndebugdep-typesdotenvdotenv-expandes-module-lexerescape-htmlestree-walkeretaghttp-proxylaunch-editor-middlewarelightningcssmagic-stringmllymrmimenanoidopenparse5patheperiscopicpicocolorspicomatchpostcss-importpostcss-load-configpostcss-modulesresolve.exportsrollup-plugin-dtsrollup-plugin-esbuildrollup-plugin-licensesasssass-embeddedsirvsource-map-supportstrip-literaltersertinyglobbytsconfcktslibtypesufows
Optional Dependencies
1
Versions
vite ⚡
Next Generation Frontend Tooling
- 💡 Instant Server Start
- ⚡️ Lightning Fast HMR
- 🛠️ Rich Features
- 📦 Optimized Build
- 🔩 Universal Plugin Interface
- 🔑 Fully Typed APIs
Vite (French word for "fast", pronounced /vit/) is a new breed of frontend build tool that significantly improves the frontend development experience. It consists of two major parts:
-
A dev server that serves your source files over native ES modules, with rich built-in features and astonishingly fast Hot Module Replacement (HMR).
-
A build command that bundles your code with Rollup, pre-configured to output highly optimized static assets for production.
In addition, Vite is highly extensible via its Plugin API and JavaScript API with full typing support.
Stable Version
Stable Version
6.0.11
HIGH
12
HIGH
8.6/10
Summary
Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
Affected Versions
>= 3.0.0-alpha.0, < 3.0.0-beta.4
Patched Versions
3.0.0-beta.4
HIGH
8.6/10
Summary
Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service
Affected Versions
< 2.9.13
Patched Versions
2.9.13
HIGH
7.5/10
Summary
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected Versions
>= 5.0.0, <= 5.0.11
Patched Versions
5.0.12
HIGH
7.5/10
Summary
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected Versions
>= 4.0.0, <= 4.5.1
Patched Versions
4.5.2
HIGH
7.5/10
Summary
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected Versions
>= 3.0.0, <= 3.2.7
Patched Versions
3.2.8
HIGH
7.5/10
Summary
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Affected Versions
>= 2.7.0, <= 2.9.16
Patched Versions
2.9.17
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
>= 4.3.0, < 4.3.9
Patched Versions
4.3.9
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
>= 4.2.0, < 4.2.3
Patched Versions
4.2.3
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
>= 4.1.0, < 4.1.5
Patched Versions
4.1.5
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
>= 4.0.0, < 4.0.5
Patched Versions
4.0.5
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
>= 3.0.2, < 3.2.7
Patched Versions
3.2.7
HIGH
7.5/10
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Affected Versions
< 2.9.16
Patched Versions
2.9.16
MODERATE
24
MODERATE
6.5/10
Summary
Websites were able to send any requests to the development server and read the response in vite
Affected Versions
<= 4.5.5
Patched Versions
4.5.6
MODERATE
6.5/10
Summary
Websites were able to send any requests to the development server and read the response in vite
Affected Versions
>= 5.0.0, <= 5.4.11
Patched Versions
5.4.12
MODERATE
6.5/10
Summary
Websites were able to send any requests to the development server and read the response in vite
Affected Versions
>= 6.0.0, <= 6.0.8
Patched Versions
6.0.9
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
>= 5.0.0, <= 5.1.7
Patched Versions
5.1.8
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
>= 5.2.0, < 5.2.14
Patched Versions
5.2.14
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
>= 5.0.0, < 5.1.8
Patched Versions
5.1.8
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
< 3.2.11
Patched Versions
3.2.11
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
>= 5.2.0, < 5.2.14
Patched Versions
5.2.14
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
>= 5.3.0, < 5.3.6
Patched Versions
5.3.6
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
>= 5.4.0, < 5.4.6
Patched Versions
5.4.6
MODERATE
6.4/10
Summary
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Affected Versions
>= 4.0.0, < 4.5.4
Patched Versions
4.5.4
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
<= 3.2.10
Patched Versions
3.2.11
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
>= 4.0.0, <= 4.5.3
Patched Versions
4.5.4
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
>= 5.3.0, <= 5.3.5
Patched Versions
5.3.6
MODERATE
5.3/10
Summary
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Affected Versions
>= 5.4.0, <= 5.4.5
Patched Versions
5.4.6
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 5.2.0, <= 5.2.5
Patched Versions
5.2.6
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 5.1.0, <= 5.1.6
Patched Versions
5.1.7
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 5.0.0, <= 5.0.12
Patched Versions
5.0.13
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 4.0.0, <= 4.5.2
Patched Versions
4.5.3
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 3.0.0, <= 3.2.8
Patched Versions
3.2.10
MODERATE
5.9/10
Summary
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Affected Versions
>= 2.7.0, <= 2.9.17
Patched Versions
2.9.18
MODERATE
6.1/10
Summary
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Affected Versions
>= 5.0.0, < 5.0.5
Patched Versions
5.0.5
MODERATE
6.1/10
Summary
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Affected Versions
= 4.5.0
Patched Versions
4.5.1
MODERATE
6.1/10
Summary
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Affected Versions
>= 4.4.0, < 4.4.12
Patched Versions
4.4.12
Reason
30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/vitejs/.github/SECURITY.md:1
- Info: Found linked content: github.com/vitejs/.github/SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/vitejs/.github/SECURITY.md:1
- Info: Found text in security policy: github.com/vitejs/.github/SECURITY.md:1
Reason
Found 25/26 approved changesets -- score normalized to 9
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
Reason
binaries present in source code
Details
- Warn: binary detected: playground/wasm/add.wasm:1
- Warn: binary detected: playground/wasm/heavy.wasm:1
- Warn: binary detected: playground/wasm/light.wasm:1
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish.yml:16
- Info: found token with 'none' permissions: .github/workflows/ci.yml:1
- Warn: no topLevel permission defined: .github/workflows/ecosystem-ci-trigger.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-close-require.yml:1
- Warn: no topLevel permission defined: .github/workflows/issue-labeled.yml:1
- Warn: no topLevel permission defined: .github/workflows/publish.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-tag.yml:1
- Warn: no topLevel permission defined: .github/workflows/semantic-pull-request.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-close-require.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-close-require.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-closed-issues.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/lock-closed-issues.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/preview-release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/preview-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/preview-release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/preview-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-tag.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-tag.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-pull-request.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/semantic-pull-request.yml/main?enable=pin
- Warn: downloadThenRun not pinned by hash: .github/workflows/ci.yml:185
- Info: 0 out of 17 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 14 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 downloadThenRun dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 29 are checked with a SAST tool
Score
6
/10
Last Scanned on 2025-01-27
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More