2 changes: 1 addition & 1 deletion examples/vue/2.6-basic/package.json
Expand Up @@ -15,7 +15,7 @@
},
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
}
}
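Review bot: the fix-version lists quoted later in this thread for CVE-2025-58751/58752 (5.4.20, 6.3.6, 7.0.7, 7.1.5) and CVE-2025-62522 (5.4.21, 6.4.1, 7.0.8, 7.1.11) contain no 4.x release, so the major bump from `^4.5.14` to `^5.4.21` is the only way to cover them in this hunk; however, `"vite-plugin-vue2": "2.0.3"` stays unchanged while its peer moves a major version, and the replacement the thread recommends (@vitejs/plugin-vue2) is described there as a Vue 2.7 plugin, so for this Vue 2.6 example please confirm the existing plugin still builds under Vite 5 rather than swapping plugins. A caret range also only sets a floor, and the diff touches package.json alone, so make sure the workspace lockfile is regenerated so this example actually resolves to 5.4.21 or later.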
2 changes: 1 addition & 1 deletion examples/vue/2.7-basic/package.json
Expand Up @@ -14,7 +14,7 @@
},
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

vite-plugin-vue2 compatibility vite 5.x 6.x 7.x

💡 Result:

Short answer: use @vitejs/plugin-vue2 (official) for Vue 2.7 — the older community package vite-plugin-vue2 (underfin) is legacy/maintenance-EOL and not recommended for recent Vite major releases. The official @vitejs/plugin-vue2 is the supported plugin for Vue 2.7 and is what you should use with current Vite versions; some third‑party Vue2 ecosystem plugins may still have strict peerDependencies and need updates for Vite 7 (peer‑dep conflicts have been reported). [1][2][3]

References:

  • @vitejs/plugin-vue2 README (official plugin for Vue 2.7). [1]
  • Vite docs / migration notes: recommends @vitejs/plugin-vue2 for Vue 2.7 and notes vite-plugin-vue2 is superseded. [2]
  • Vite GitHub issue showing ecosystem peer-dependency problems with Vite 7 (example of plugins needing updates). [3]

🏁 Script executed:

# Search for PR context or comments about vite version choice
# (the -o needs grouping, otherwise -type f applies only to the *.md branch)
cd /tmp && find . -type f \( -name "*.md" -o -name "*.json" \) | head -20
git ls-files | grep -E "(CHANGELOG|README|PR|\.github)" | head -20

Repository: TanStack/query

Length of output: 126


🏁 Script executed:

# Check if there are any CVE references in the repository
rg -i "cve|security|vulnerability" --type md --type json | head -30

Repository: TanStack/query

Length of output: 2043


🏁 Script executed:

# Check the actual package.json file and its git history for context
cat -n examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 645


Replace vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The package uses vite-plugin-vue2@2.0.3, which is a legacy community plugin that is no longer maintained. The official plugin is @vitejs/plugin-vue2 from the Vite team, which is the recommended choice for Vue 2.7 projects. The Vite 5.x constraint appears intentional for compatibility with the legacy plugin, but you should migrate to the official plugin instead to ensure long-term support and compatibility with current and future Vite versions.

🤖 Prompt for AI Agents
In @examples/vue/2.7-basic/package.json at line 17, update the dependency in package.json to replace the legacy "vite-plugin-vue2" with the official "@vitejs/plugin-vue2"; then update any Vite config files (e.g., vite.config.js or vite.config.ts) to change imports and plugin usage from "vite-plugin-vue2" to "@vitejs/plugin-vue2" (replace the import/require and the plugin() invocation), run npm/yarn install to refresh the lockfile, and verify the project builds with Vite 5.x.

"vite-plugin-vue2": "2.0.3"
}
Comment on lines 15 to 19
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-31486 CVE-2025-32395 CVE-2025-46565 Vite vulnerability fix versions

💡 Result:

  • CVE-2025-31486 — fixed in Vite 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5. [1]

  • CVE-2025-32395 — fixed in Vite 4.5.13, 5.4.18, 6.0.15, 6.1.5, and 6.2.6. [2]

  • CVE-2025-46565 — fixed in Vite 4.5.14, 5.4.19, 6.1.6, 6.2.7, and 6.3.4. [3]

Sources: [1] NVD/GitHub advisory for CVE-2025-31486. [2] Vite/GitHub advisory summaries for CVE-2025-32395. [3] CVE details/GitHub advisory for CVE-2025-46565.


🌐 Web query:

vite-plugin-vue2 compatibility Vite 5 6 7

💡 Result:

Short answer: don't use the old community "vite-plugin-vue2" for Vite 5/6/7 — use the official @vitejs/plugin-vue2 (for Vue 2.7+) which is the supported plugin for Vite's modern releases. [1][2][3][4]

Notes:

  • vite-plugin-vue2 has been deprecated/put into maintenance and only supports older Vue 2.6-era setups. [1][4]
  • @vitejs/plugin-vue2 is the official plugin for Vue 2.7+ and is the one referenced in Vite docs; JSX/TSX for Vue 2 is handled by a separate plugin. Use @vitejs/plugin-vue2 with Vite 5/6/7. [2][3]

Sources:

  • vite-plugin-vue2 deprecation/maintenance notice. [1]
  • @vitejs/plugin-vue2 GitHub / npm (official plugin for Vue 2.7+). [2][3]
  • Vite plugins documentation listing @vitejs/plugin-vue2. [4]

🏁 Script executed:

# Check if there are other package.json files or lock files in the repo that might provide context
git ls-files | grep -E "(package\.json|pnpm-lock|yarn\.lock|package-lock)" | head -20

Repository: TanStack/query

Length of output: 939


🌐 Web query:

CVE-2025-58751 CVE-2025-58752 Vite vulnerability fix

💡 Result:

Short answer — what happened and what to do:

  • Two Vite dev-server vulnerabilities (CVE-2025-58751 and CVE-2025-58752) allow the dev/preview server to serve HTML or public files outside the intended root (path traversal / public-file serving bypass) when the dev server is exposed to the network and the public dir / symlink conditions are met. [1][2]

  • Affected versions (examples): 7.1.0–7.1.4, 7.0.0–7.0.6, 6.0.0–6.3.5, and <=5.4.19 (see advisories for full ranges). [1][2]

  • Patched versions: 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Upgrade to one of these or any later release. Example: npm install [email protected] (or update your package.json and run your package manager). [1][2]

  • Short mitigations until you can upgrade: do NOT expose the Vite dev server to untrusted networks (avoid --host / server.host), remove symlinks in the public directory, and avoid enabling the preview server to untrusted networks. [1][3]

Sources:

  1. GitHub Security Advisory (vite): GHSA-g4jq-h2w9-997c (patch/patched versions).
  2. NVD entries for CVE-2025-58751 and CVE-2025-58752 (details and fixed versions).
  3. Vendor/third‑party writeups summarizing impact and mitigations.

🌐 Web query:

CVE-2025-62522 Vite vulnerability

💡 Result:

Short summary — CVE-2025-62522 (published Oct 20, 2025): a path-handling bug in the Vite dev server on Windows that lets an attacker bypass server.fs.deny by requesting a URL that ends with a backslash, causing denied files (e.g., .env, *.pem) to be served if the dev server is exposed to the network. Affects multiple Vite release ranges (see below). [1][2][3]

Affected versions (per advisories): Vite 2.9.18 → <3.0.0, 3.2.9 → <4.0.0, 4.5.3 → <5.0.0, 5.2.6 → <5.4.21, 6.0.0 → <6.4.1, 7.0.0 → <7.0.8, 7.1.0 → <7.1.11. Published/confirmed Oct 20, 2025. [1][2]

Impact: medium severity (CVSS v4.0 = 6.0). Only exploitable when the Vite dev server is intentionally exposed to the network and running on Windows; it can disclose sensitive files normally blocked by server.fs.deny. [1][3]

Mitigation:

  • Upgrade Vite to a patched release: 5.4.21, 6.4.1, 7.0.8, or 7.1.11 (or later). [1][2]
  • As a workaround, do not expose the dev server to external networks (bind to localhost / block with firewall) and ensure sensitive files aren’t served by the project. [2][3]

References:
[1] GitHub / Vite advisory & fixes (commit/advisory referenced by vendor).
[2] NVD / CVE-2025-62522 summary.
[3] Positive Technologies / dbugs advisory (technical details and recommendations).


🏁 Script executed:

# Check for lockfiles in the vue example directory and parent
cd examples/vue/2.7-basic && ls -la

Repository: TanStack/query

Length of output: 581


🏁 Script executed:

# Also check the current full package.json to see dependencies context
cat examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 505


🏁 Script executed:

# Check if there are comments or PR description in nearby files
git log --oneline -n 20 -- examples/vue/2.7-basic/package.json 2>/dev/null | head -5

Repository: TanStack/query

Length of output: 113


Replace deprecated vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The vite version bump to ^5.4.21 is correct and does address all five CVEs mentioned in the PR (CVE-2025-31486, CVE-2025-32395, CVE-2025-46565, CVE-2025-58751/58752, and CVE-2025-62522—which is specifically fixed in 5.4.21).

However, vite-plugin-vue2@2.0.3 is deprecated and not recommended for modern Vite versions. For Vue 2.7+, use the official @vitejs/plugin-vue2 plugin instead. Update the devDependency accordingly.

🤖 Prompt for AI Agents
In @examples/vue/2.7-basic/package.json around lines 15 - 19, replace the deprecated devDependency "vite-plugin-vue2" with the official "@vitejs/plugin-vue2" in package.json's devDependencies (remove "vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" at a compatible version), then run install; also update any imports/usages in your Vite config (e.g., change the import from "vite-plugin-vue2" to "@vitejs/plugin-vue2" and ensure the plugin is passed to defineConfig/plugins in vite.config.js) so the project uses the official Vue 2.7+ Vite plugin compatible with Vite ^5.4.21.

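An added example, not code from the TanStack/query PR or from the bot above: a small Node.js audit that takes the fix versions the thread quotes for each CVE and reports which of them a package.json range for vite does not reach. It treats a caret or tilde range as a floor only (the lockfile decides the installed version), and the rule that a fix applies only within its own major.minor branch is this example's assumption, not something the quoted advisories state.

```javascript
// Added example, not code from the TanStack/query PR: audit the "vite" range in a
// package.json against the CVE fix versions quoted in the review thread above.
// FIXED_IN is transcribed from the thread; the per-branch rule below is an assumption.
const FIXED_IN = {
  "CVE-2025-31486": ["4.5.12", "5.4.17", "6.0.14", "6.1.4", "6.2.5"],
  "CVE-2025-32395": ["4.5.13", "5.4.18", "6.0.15", "6.1.5", "6.2.6"],
  "CVE-2025-46565": ["4.5.14", "5.4.19", "6.1.6", "6.2.7", "6.3.4"],
  "CVE-2025-58751": ["5.4.20", "6.3.6", "7.0.7", "7.1.5"],
  "CVE-2025-58752": ["5.4.20", "6.3.6", "7.0.7", "7.1.5"],
  "CVE-2025-62522": ["5.4.21", "6.4.1", "7.0.8", "7.1.11"],
};

// "1.2.3" -> [1, 2, 3]; null for prereleases or anything non-numeric.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A caret, tilde or ">=" range only fixes a floor: "^5.4.21" may resolve to 5.4.21
// or any later 5.x, and the lockfile decides. The floor is what the audit reasons about.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[1]) : null;
}

// Fixed only if a patched release exists on the same major line and the version is at
// or above the fix for its own minor branch (or newer than every listed branch).
function isFixed(version, fixes) {
  const sameMajor = fixes.map(parseVersion).filter((f) => f[0] === version[0]);
  if (sameMajor.length === 0) return false; // e.g. no 4.x release fixes CVE-2025-58751
  const sameMinor = sameMajor.find((f) => f[1] === version[1]);
  if (sameMinor) return compare(version, sameMinor) >= 0;
  return sameMajor.every((f) => compare(version, f) > 0);
}

// Returns the declared floor and the CVEs that floor does not cover.
function auditVite(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const floor = deps.vite ? rangeFloor(deps.vite) : null;
  if (!floor) return { floor: null, unfixed: Object.keys(FIXED_IN), error: "vite missing or range unsupported" };
  const unfixed = Object.keys(FIXED_IN).filter((cve) => !isFixed(floor, FIXED_IN[cve]));
  return { floor: floor.join("."), unfixed, error: null };
}

// Constructed inputs mirroring the PR's before/after devDependencies for 2.7-basic.
const before = { devDependencies: { vite: "^4.5.14", "vite-plugin-vue2": "2.0.3" } };
const after = { devDependencies: { vite: "^5.4.21", "vite-plugin-vue2": "2.0.3" } };
console.log(auditVite(before).unfixed); // ["CVE-2025-58751", "CVE-2025-58752", "CVE-2025-62522"]
console.log(auditVite(after).unfixed); // []
```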
}
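Review bot: `^5.4.21` sits at or above every 5.x fix version quoted in this thread (5.4.17, 5.4.18, 5.4.19, 5.4.20, 5.4.21), so the range itself is right; the gap is that a caret range does not by itself change what is installed, and this hunk edits package.json only, so the lockfile resolution for this example should be verified in the same PR. If the plugin swap suggested above is taken up, `"vite-plugin-vue2": "2.0.3"` and the matching vite.config import change belong in one diff rather than leaving the config on the old plugin.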