
build(deps): bump vite from 6.4.2 to 6.4.3 #880

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/vite-6.4.3


Conversation

dependabot[bot] commented on behalf of github, Jun 18, 2026

Bumps vite from 6.4.2 to 6.4.3.

Release notes

Sourced from vite's releases.

v6.4.3

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.3 (2026-06-01)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.4.2 to 6.4.3.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.3/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.3/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.4.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels, Jun 18, 2026
greptile-apps[bot] commented Jun 18, 2026

Greptile Summary

This PR bumps vite from 6.4.2 to 6.4.3, a patch-level security release that backports two path-traversal fixes for the dev server.

  • Windows alternate data stream / alternate path rejection (#22572): Vite's dev server now rejects requests using Windows alternate path syntax that could bypass path-validation checks.
  • UNC path rejection for launch-editor-middleware (#22571): The __open-in-editor middleware no longer accepts UNC paths (\\server\share\...), closing a path-traversal vector on Windows dev machines.

Confidence Score: 5/5

Safe to merge — this is a patch-level Vite update that only closes two dev-server path-traversal holes on Windows.

The only changes are to package.json and package-lock.json, bumping Vite by one patch version. Both upstream fixes are security hardening for the dev server (Windows alternate paths and UNC paths in launch-editor-middleware) with no API or behaviour changes that could affect production builds.

No files require special attention.

Important Files Changed

Filename Overview
package.json Bumps vite devDependency from ^6.4.2 to ^6.4.3 — patch-level security fix update
package-lock.json Lockfile updated to reflect vite 6.4.3 with new resolved URL and integrity hash; no other dependency changes

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Dependabot
    participant package.json
    participant package-lock.json
    participant ViteDevServer

    Dependabot->>package.json: Bump vite ^6.4.2 → ^6.4.3
    Dependabot->>package-lock.json: Update resolved URL + integrity hash
    Note over ViteDevServer: 6.4.3 patches:<br/>- Reject Windows alternate paths<br/>- Reject UNC paths in launch-editor-middleware

Reviews (1): Last reviewed commit: "build(deps): bump vite from 6.4.2 to 6.4..."
