chore(deps-dev): bump vite from 5.4.21 to 6.4.3#34
Conversation
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.4.21 to 6.4.3. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.4.3/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.4.3/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 6.4.3 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![meroreviewer[bot]](https://avatars.githubusercontent.com/in/2793509?s=60&v=4){kind=small}
There was a problem hiding this comment.
🤖 AI Code Reviewer
Reviewed by 3 agents | Quality score: 78% | Review time: 53.6s
🟡 Warning (2)
1. vite@5.4.21 snapshot still present with updated dependencies
File: pnpm-lock.yaml (line 7401-7408) | Consensus: 1/3 agents
The snapshot for vite@5.4.21 (still used by vitest@1.6.1 and vite-node@1.6.1) now lists postcss: 8.5.15 and rollup: 4.62.0 as its resolved dependencies, even though vite 5.x was originally resolved against postcss@8.5.6 and rollup@4.56.0. This means the old vite 5 instance is now silently using newer transitive versions that it was never tested against. The root cause is that vitest@1.6.1 still peer-depends on vite 5, so both vite 5 and vite 6 coexist. If vitest is not upgraded to a version that supports vite 6, the two vite instances will continue to diverge. Consider upgrading vitest to a version compatible with vite 6 (e.g. ^2.0.0) to eliminate the dual-vite situation and the implicit dependency mismatch.
Suggested fix:
Upgrade `vitest` in package.json from `^1.0.0` to `^2.0.0` (or the latest vite-6-compatible release) so that only a single vite instance is resolved in the lockfile.
Found by: patterns-reviewer
2. vite@5.4.21 snapshot uses updated rollup/postcss but vitest still depends on it
File: pnpm-lock.yaml (line 7401-7408) | Consensus: 1/3 agents
The snapshot for vite@5.4.21 (which vitest@1.6.1 depends on via vite-node@1.6.1) has been updated in-place to use rollup@4.62.0 and postcss@8.5.15 instead of the original rollup@4.56.0 and postcss@8.5.6. This means the locked snapshot for vite 5.x no longer reflects the originally resolved dependency graph for that version. While pnpm deduplicates these packages and it may work in practice, mutating the snapshot of an existing pinned version is unusual and could mask incompatibilities — vite 5.4.21 was originally tested/released against rollup 4.56.x, not 4.62.x. The correct approach would be to keep the vite@5.4.21 snapshot unchanged (with its original rollup/postcss) and let the new vite@6.4.3 entry use the newer versions.
Suggested fix:
Restore the vite@5.4.21 snapshot to use its original dependencies: `rollup: 4.56.0` and `postcss: 8.5.6`. The new vite@6.4.3 snapshot should use `rollup: 4.62.0` and `postcss: 8.5.15`. This avoids silently upgrading transitive deps for the pinned vite 5 entry that vitest still relies on.
Found by: logic-reviewer
🤖 Generated by AI Code Reviewer | Review ID: review-e380c098
Documentation ReviewThe following documentation may need updates based on the changes in this PR:
|
Bumps vite from 5.4.21 to 6.4.3.
Release notes
Sourced from vite's releases.
Changelog
Sourced from vite's changelog.
... (truncated)
Commits
6c2c881release: v6.4.396b0c10fix: backport #22572, reject windows alternate paths (#22576)8fed5cffix(deps): backport #22571, reject UNC paths for launch-editor-middleware (#2...6b3fad0release: v6.4.2ca4da5dfix: avoid path traversal with optimize deps sourcemap handler (#22161)fe28e47fix: apply server.fs check to env transport (#22159) (#22163)5487f4frelease: v6.4.11114b5dfix(dev): trim trailing slash beforeserver.fs.denycheck (#20968) (#20969)f12697crelease: v6.4.0ca6455efeat: allow passing down resolved config to vite's createServer (#20932)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Major-version dev-tooling bump can break Storybook or Vitest CI without touching runtime SDK code; Vite 6.x also tightens dev-server path handling, which is positive for security but worth validating locally.
Overview
Upgrades the devDependency
vitefrom 5.4.21 to 6.4.3 and refreshespnpm-lock.yamlso Storybook (@storybook/react-vite),@vitejs/plugin-react, and related tooling resolve against Vite 6.The lockfile also picks up Vite 6’s toolchain (e.g. esbuild 0.25.12, rollup 4.62.0) and minor transitive bumps (postcss, nanoid, picomatch). No library source or published
distbuild path changes—buildstill runs viatsup; Vite mainly affects Storybook and the Vite-based dev/test stack.Reviewed by Cursor Bugbot for commit 7d81469. Bugbot is set up for automated code reviews on this repo. Configure here.