[Security] Bump vite from 6.0.3 to 6.1.0

Bumps vite from 6.0.3 to 6.1.0. This update includes a security fix.

Vulnerabilities fixed

Websites were able to send any requests to the development server and read the response in vite

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

[!WARNING] This vulnerability even applies to users that only run the Vite dev server on the local machine.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

• Using the backend integration feature
• Using a reverse proxy in front of Vite
• Accessing the development server via a domain other than localhost or *.localhost
• Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

... (truncated)

Patched versions: 4.5.6; 5.4.12; 6.0.9 Affected versions: = 6.0.0, <= 6.0.8

Release notes

Sourced from vite's releases.

create-vite@6.1.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.1.0 (2025-02-05)

Features

• feat: show hosts in cert in CLI (#19317) (a5e306f), closes #19317
• feat: support for env var for defining allowed hosts (#19325) (4d88f6c), closes #19325
• feat: use native runtime to import the config (#19178) (7c2a794), closes #19178
• feat: print port in the logged error message after failed WS connection with EADDRINUSE (#19212) (14027b0), closes #19212
• perf(css): only run postcss when needed (#19061) (30194fa), closes #19061
• feat: add support for .jxl (#18855) (57b397c), closes #18855
• feat: add the builtins environment resolve (#18584) (2c2d521), closes #18584
• feat: call Logger for plugin logs in build (#13757) (bf3e410), closes #13757
• feat: export defaultAllowedOrigins for user-land config and 3rd party plugins (#19259) (dc8946b), closes #19259
• feat: expose createServerModuleRunnerTransport (#18730) (8c24ee4), closes #18730
• feat: support async for proxy.bypass (#18940) (a6b9587), closes #18940
• feat: support log related functions in dev (#18922) (3766004), closes #18922
• feat: use module runner to import the config (#18637) (b7e0e42), closes #18637
• feat(css): add friendly errors for IE hacks that are not supported by lightningcss (#19072) (caad985), closes #19072
• feat(optimizer): support bun text lockfile (#18403) (05b005f), closes #18403
• feat(reporter): add wasm to the compressible assets regex (#19085) (ce84142), closes #19085
• feat(worker): support dynamic worker option fields (#19010) (d0c3523), closes #19010

Fixes

• fix: avoid builtStart during vite optimize (#19356) (fdb36e0), closes #19356
• fix(build): fix stale build manifest on watch rebuild (#19361) (fcd5785), closes #19361
• fix: allow expanding env vars in reverse order (#19352) (3f5f2bd), closes #19352
• fix: avoid packageJson without name in resolveLibCssFilename (#19324) (f183bdf), closes #19324
• fix(html): fix css disorder when building multiple entry html (#19143) (e7b4ba3), closes #19143
• fix: don't call buildStart hooks for vite optimize (#19347) (19ffad0), closes #19347
• fix: don't call next middleware if user sent response in proxy.bypass (#19318) (7e6364d), closes #19318
• fix: respect top-level server.preTransformRequests (#19272) (12aaa58), closes #19272
• fix: use nodeLikeBuiltins for ssr.target: 'webworker' without noExternal: true (#19313) (9fc31b6), closes #19313
• fix(css): less @plugin imports of JS files treated as CSS and rebased (fix #19268) (#19269) (602b373), closes #19268 #19269
• fix(deps): update all non-major dependencies (#19296) (2bea7ce), closes #19296
• fix(resolve): preserve hash/search of file url (#19300) (d1e1b24), closes #19300
• fix(resolve): warn if node-like builtin was imported when resolve.builtin is empty (#19312) (b7aba0b), closes #19312
• fix(ssr): fix transform error due to export all id scope (#19331) (e28bce2), closes #19331
• fix(ssr): pretty print plugin error in ssrLoadModule (#19290) (353c467), closes #19290
• fix: change ResolvedConfig type to interface to allow extending it (#19210) (bc851e3), closes #19210
• fix: correctly resolve hmr dep ids and fallback to url (#18840) (b84498b), closes #18840
• fix: make --force work for all environments (#18901) (51a42c6), closes #18901
• fix: use loc.file from rollup errors if available (#19222) (ce3fe23), closes #19222
• fix(deps): update all non-major dependencies (#19190) (f2c07db), closes #19190
• fix(hmr): register inlined assets as a dependency of CSS file (#18979) (eb22a74), closes #18979
• fix(resolve): support resolving TS files by JS extension specifiers in JS files (#18889) (612332b), closes #18889
• fix(ssr): combine empty source mappings (#19226) (ba03da2), closes #19226
• fix(utils): clone RegExp values with new RegExp instead of structuredClone (fix #19245, fix #1 (56ad2be), closes #19245 #18875 #19247

... (truncated)

Commits

• 3734f80 fix(css): escape double quotes in url() when lightningcss is used (#18997)
• 2b4f115 fix(deps): update all non-major dependencies (#18996)
• 12b612d fix: fallback terser to main thread when function options are used (#18987)
• d88d000 fix(deps): update all non-major dependencies (#18967)
• 21680bd fix(css): skip non css in custom sass importer (#18970)
• 62fad6d chore(deps): update dependency @​rollup/plugin-node-resolve to v16 (#18968)
• 8a6bb4e fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is true (#18899)
• 7d6dd5d fix(ssr): recreate ssrCompatModuleRunner on restart (#18973)
• c4b532c fix(css): root relative import in sass modern API on Windows (#18945)
• 27f691b refactor: make internal invoke event to use the same interface with `handleIn...
• Additional commits viewable in compare view