npmpackage.info

vite

Next generation frontend tooling. It's fast!

6.0.1

68,875

MIT

TypeScript

973,473,175 6.1

Installations

npm install vite

Pull Requests

Open

149

Total

6,432

Closed

1,393

Merged

4,890

Issues

Open

440

Total

7,488

Closed

7,048

Releases

496

create-vite@6.0.1

Published on 27 Nov 2024

v6.0.1

Published on 27 Nov 2024

create-vite@6.0.0

Published on 26 Nov 2024

plugin-legacy@6.0.0

Published on 26 Nov 2024

v6.0.0

Published on 26 Nov 2024

v6.0.0-beta.10

Published on 14 Nov 2024

View all 496 releases

Developer

vitejs

Developer Guide

BETA

Module System

ESM

Min. Node Version

^18.0.0 || ^20.0.0 || >=22.0.0

Typescript Support

Yes

Node Version

20.18.1

NPM Version

10.8.2 Statistics

68,875 Stars

7,323 Commits

6,228 Forks

426 Watching

45 Branches

1,043 Contributors

Updated on 28 Nov 2024

Languages

TypeScript (82.86%)

JavaScript (10.06%)

HTML (5.18%)

CSS (1.33%)

Vue (0.16%)

AppleScript (0.12%)

Svelte (0.11%)

SCSS (0.08%)

Less (0.04%)

Stylus (0.02%)

Shell (0.01%)

Pug (0.01%)

Sass (0.01%)

Astro (0.01%)

SugarSS (0.01%)

Total Downloads

Cumulative downloads

Total Downloads

973,473,175

Last day

2.6%

3,332,350

Compared to previous day

Last week

2.4%

17,038,136

Compared to previous week

Last month

11.8%

70,790,353

Compared to previous month

Last year

149%

647,379,365

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

esbuild postcss rollup

Peer Dependencies

@types/node jiti less lightningcss sass sass-embedded stylus sugarss terser tsx yaml

Dev Dependencies

Optional Dependencies

fsevents

Versions

Vite ⚡

Next Generation Frontend Tooling

💡 Instant Server Start
⚡️ Lightning Fast HMR
🛠️ Rich Features
📦 Optimized Build
🔩 Universal Plugin Interface
🔑 Fully Typed APIs

Vite (French word for "quick", pronounced /vit/, like "veet") is a new breed of frontend build tooling that significantly improves the frontend development experience. It consists of two major parts:

A dev server that serves your source files over native ES modules, with rich built-in features and astonishingly fast Hot Module Replacement (HMR).
A build command that bundles your code with Rollup, pre-configured to output highly optimized static assets for production.

In addition, Vite is highly extensible via its Plugin API and JavaScript API with full typing support.

Read the Docs to Learn More.

Packages

Package	Version (click for changelogs)
vite
@vitejs/plugin-legacy
create-vite

Contribution

See Contributing Guide.

License

MIT.

6.0.1

HIGH

8.6/10

Summary

Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service

Affected Versions

>= 3.0.0-alpha.0, < 3.0.0-beta.4

Patched Versions

3.0.0-beta.4

HIGH

8.6/10

Summary

Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service

Affected Versions

< 2.9.13

Patched Versions

2.9.13

HIGH

7.5/10

Summary

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Affected Versions

>= 5.0.0, <= 5.0.11

Patched Versions

5.0.12

HIGH

7.5/10

Summary

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Affected Versions

>= 4.0.0, <= 4.5.1

Patched Versions

4.5.2

HIGH

7.5/10

Summary

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Affected Versions

>= 3.0.0, <= 3.2.7

Patched Versions

3.2.8

HIGH

7.5/10

Summary

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Affected Versions

>= 2.7.0, <= 2.9.16

Patched Versions

2.9.17

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

>= 4.3.0, < 4.3.9

Patched Versions

4.3.9

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

>= 4.2.0, < 4.2.3

Patched Versions

4.2.3

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

>= 4.1.0, < 4.1.5

Patched Versions

4.1.5

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

>= 4.0.0, < 4.0.5

Patched Versions

4.0.5

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

>= 3.0.2, < 3.2.7

Patched Versions

3.2.7

HIGH

7.5/10

Summary

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)

Affected Versions

< 2.9.16

Patched Versions

2.9.16

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

>= 5.0.0, <= 5.1.7

Patched Versions

5.1.8

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

>= 5.2.0, < 5.2.14

Patched Versions

5.2.14

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

>= 5.0.0, < 5.1.8

Patched Versions

5.1.8

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

< 3.2.11

Patched Versions

3.2.11

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

>= 5.2.0, < 5.2.14

Patched Versions

5.2.14

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

>= 5.3.0, < 5.3.6

Patched Versions

5.3.6

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

>= 5.4.0, < 5.4.6

Patched Versions

5.4.6

MODERATE

6.4/10

Summary

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

Affected Versions

>= 4.0.0, < 4.5.4

Patched Versions

4.5.4

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

<= 3.2.10

Patched Versions

3.2.11

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

>= 4.0.0, <= 4.5.3

Patched Versions

4.5.4

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

>= 5.3.0, <= 5.3.5

Patched Versions

5.3.6

MODERATE

5.3/10

Summary

Vite's `server.fs.deny` is bypassed when using `?import&raw`

Affected Versions

>= 5.4.0, <= 5.4.5

Patched Versions

5.4.6

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 5.2.0, <= 5.2.5

Patched Versions

5.2.6

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 5.1.0, <= 5.1.6

Patched Versions

5.1.7

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 5.0.0, <= 5.0.12

Patched Versions

5.0.13

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 4.0.0, <= 4.5.2

Patched Versions

4.5.3

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 3.0.0, <= 3.2.8

Patched Versions

3.2.10

MODERATE

5.9/10

Summary

Vite's `server.fs.deny` did not deny requests for patterns with directories.

Affected Versions

>= 2.7.0, <= 2.9.17

Patched Versions

2.9.18

MODERATE

6.1/10

Summary

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Affected Versions

>= 5.0.0, < 5.0.5

Patched Versions

5.0.5

MODERATE

6.1/10

Summary

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Affected Versions

= 4.5.0

Patched Versions

4.5.1

MODERATE

6.1/10

Summary

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Affected Versions

>= 4.4.0, < 4.4.12

Patched Versions

4.4.12

10

Maintained

Determines if the project is "actively maintained".

10

Dangerous-Workflow

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10

License

Determines if the project has defined a license.

10

Security-Policy

Determines if the project has published a security policy.

10

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

9

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

7

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

0

Token-Permissions

Determines if the project's workflows follow the principle of least privilege.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Pinned-Dependencies

Determines if the project has declared and pinned the dependencies of its build process.

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ecosystem-ci-trigger.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/ecosystem-ci-trigger.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-close-require.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-close-require.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/issue-labeled.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/issue-labeled.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-closed-issues.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/lock-closed-issues.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/preview-release.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/preview-release.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/preview-release.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/preview-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/publish.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-tag.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-tag.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/release-tag.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-pull-request.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/vitejs/vite/semantic-pull-request.yml/main?enable=pin
Warn: downloadThenRun not pinned by hash: .github/workflows/ci.yml:185
Info: 0 out of 13 GitHub-owned GitHubAction dependencies pinned
Info: 1 out of 14 third-party GitHubAction dependencies pinned
Info: 0 out of 1 downloadThenRun dependencies pinned

0

Fuzzing

Determines if the project uses fuzzing.

0

SAST

Determines if the project uses static code analysis.

Score

6.1

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to vite

vite-node

2.1.6

Vite as Node.js runtime

vite-tsconfig-paths

5.1.3

Vite resolver for TypeScript compilerOptions.paths

@sentry/vite-plugin

2.22.6

Official Sentry Vite plugin

vite-plugin-eslint

1.8.1

ESLint plugin for vite.

vite

Installations

Pull Requests

149

6,432

1,393

4,890

Issues

440

7,488

7,048

Releases

Developer

Developer Guide

ESM

^18.0.0 || ^20.0.0 || >=22.0.0

Yes

20.18.1

10.8.2

Statistics

Languages

Total Downloads

973,473,175

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

Peer Dependencies

Dev Dependencies

Optional Dependencies

Vite ⚡

Packages

Contribution

License

Sponsors

Stable Version

6.0.1

HIGH

MODERATE

10

10

10

10

10

9

7

0

0

0

0

0

6.1

/10

Other packages similar to vite