Skip to content

chore(deps): update dependency vite to v7 [security]#9708

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-vite-vulnerability
Open

chore(deps): update dependency vite to v7 [security]#9708
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-vite-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Sep 27, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
vite (source) ^4.5.14^7.3.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-58752

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response,  because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

CVE-2025-58751

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware disables this functionality since public pages are meant to be available always, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with  "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo  "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response,  because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

Related links

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173
image

Release Notes

vitejs/vite (vite)

v7.3.1

Compare Source

Please refer to CHANGELOG.md for details.

v7.3.0

Compare Source

Please refer to CHANGELOG.md for details.

v7.2.7

Compare Source

v7.2.6

Compare Source

7.2.6 (2025-12-01)

v7.2.4

Compare Source

Bug Fixes

v7.2.3

Compare Source

Bug Fixes
Performance Improvements
Miscellaneous Chores

v7.2.2

Compare Source

Bug Fixes

v7.2.1

Compare Source

Bug Fixes
Code Refactoring

v7.2.0

Compare Source

Bug Fixes
  • css: fallback to sass when sass-embedded platform binary is missing (#​21002) (b1fd616)
  • module-runner: make getBuiltins response JSON serializable (#​21029) (ad5b3bf)
  • types: add undefined to optional properties for exactOptionalProperties type compatibility (#​21040) (2833c55)
Miscellaneous Chores

v7.1.12

Compare Source

Please refer to CHANGELOG.md for details.

v7.1.11

Compare Source

Bug Fixes
Miscellaneous Chores
Code Refactoring
Build System

v7.1.10

Compare Source

Bug Fixes
Documentation
Miscellaneous Chores

v7.1.9

Compare Source

Reverts

v7.1.8

Compare Source

Bug Fixes
Documentation
Miscellaneous Chores

v7.1.7

Compare Source

Bug Fixes
  • build: fix ssr environment emitAssets: true when sharedConfigBuild: true (#​20787) (4c4583c)
  • client: use CSP nonce when rendering error overlay (#​20791) (9bc9d12)
  • deps: update all non-major dependencies (#​20811) (9f2247c)
  • glob: handle glob imports from folders starting with dot (#​20800) (105abe8)
  • hmr: trigger prune event when import is removed from non hmr module (#​20768) (9f32b1d)
  • hmr: wait for import.meta.hot.prune callbacks to complete before running other HMRs (#​20698) (98a3484)

v7.1.6

Compare Source

Bug Fixes
  • deps: update all non-major dependencies (#​20773) (88af2ae)
  • esbuild: inject esbuild helper functions with minified $ variables correctly (#​20761) (7e8e004)
  • fallback terser to main thread when nameCache is provided (#​20750) (a679a64)
  • types: strict env typings fail when skipLibCheck is false (#​20755) (cc54e29)
Miscellaneous Chores

v7.1.5

Compare Source

Bug Fixes

v7.1.4

Compare Source

Bug Fixes
Miscellaneous Chores
Code Refactoring

v7.1.3

Compare Source

Features
Bug Fixes
Performance Improvements
Miscellaneous Chores
Code Refactoring
Tests

v7.1.2

Compare Source

Bug Fixes
Miscellaneous Chores

v7.1.1

Compare Source

Bug Fixes
Miscellaneous Chores
Code Refactoring
Build System

v7.1.0

Compare Source

Features
Bug Fixes
Performance Improvements
Miscellaneous Chores
Code Refactoring
Tests
Beta Changelogs
7.1.0-beta.1 (2025-08-05)

See 7.1.0-beta.1 changelog

7.1.0-beta.0 (2025-07-30)

See 7.1.0-beta.0 changelog

v7.0.8

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.7

Compare Source

Please refer to CHANGELOG.md for details.

v7.0.6

Compare Source

Features
Bug Fixes
Performance Improvements
Miscellaneous Chores

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Sep 27, 2025
@changeset-bot
Copy link

changeset-bot bot commented Sep 27, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 660f346

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Sep 27, 2025
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Updated the devDependency vite from ^4.5.14 to ^7.3.1 in two Vue example package.json files; no other files, scripts, or exported/public declarations changed. (≤50 words)

Changes

Cohort / File(s) Summary of Changes
Vue examples: Vite bump
examples/vue/2.6-basic/package.json, examples/vue/2.7-basic/package.json		 Updated devDependency vite from ^4.5.14 to ^7.3.1. No other dependency, script, source file, or public export edits.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Poem

I nibble a version line tonight,
two examples glow in softer light,
Vite leaps forward, fresh and spry,
builds hum softly as I sigh,
🐇✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is substantially complete with comprehensive details about the security vulnerabilities, PoCs, and release notes. However, it does not follow the required template structure with mandatory sections like '🎯 Changes', '✅ Checklist', and '🚀 Release Impact'. Add the required template sections: describe changes and motivation in '🎯 Changes' section, complete the '✅ Checklist' with testing confirmation, and specify in '🚀 Release Impact' whether this affects published code or is dev-only.
✅ Passed checks (2 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The PR title accurately describes the main change: updating the vite dependency to v7 for security purposes, addressing three CVEs (CVE-2025-58752, CVE-2025-58751, CVE-2025-62522).

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
  • 📝 Generate docstrings (stacked PR)
  • 📝 Generate docstrings (commit on current branch)
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/npm-vite-vulnerability

Comment @coderabbitai help to get the list of available commands and usage tips.

@nx-cloud
Copy link

nx-cloud bot commented Sep 27, 2025
edited
Loading

View your CI Pipeline Execution ↗ for commit 660f346

Command Status Duration Result
nx run-many --target=build --exclude=examples/*... ✅ Succeeded <1s View ↗
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 13s View ↗

☁️ Nx Cloud last updated this comment at 2026-03-05 09:15:33 UTC

@pkg-pr-new
Copy link

pkg-pr-new bot commented Sep 27, 2025
edited
Loading

More templates

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@9708

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@9708

@tanstack/preact-query

npm i https://pkg.pr.new/@tanstack/preact-query@9708

@tanstack/preact-query-devtools

npm i https://pkg.pr.new/@tanstack/preact-query-devtools@9708

@tanstack/preact-query-persist-client

npm i https://pkg.pr.new/@tanstack/preact-query-persist-client@9708

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@9708

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@9708

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@9708

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@9708

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@9708

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@9708

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@9708

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@9708

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@9708

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@9708

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@9708

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@9708

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@9708

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@9708

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@9708

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@9708

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@9708

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@9708

commit: bffc9be

@github-actions
Copy link
Contributor

github-actions bot commented Sep 27, 2025
edited
Loading

Sizes for commit 1c5c5da:

Branch Bundle Size
Main
This PR

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5c81be8 to c15730d Compare September 27, 2025 23:57
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Sep 27, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from c15730d to 42e2d9c Compare September 28, 2025 00:00
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Sep 28, 2025
coderabbitai[bot]
coderabbitai bot reviewed Sep 28, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dcc7bd9 and 42e2d9c.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)

examples/vue/2.6-basic/package.json
Comment on lines 17 to 19
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Upgrade blocked by Vue 2.6 plugin compatibility

Line 17 moves this example to Vite ^5.4.20 while retaining vite-plugin-vue2@2.0.3, but that plugin’s peer constraint is vite ^2 || ^3, so installation will fail and the tooling won’t run.(npmpeer.dev) Compounding that, the package is in maintenance mode and only supports Vue 2.6 or earlier with no Vite 5-ready release, so we either keep this example on Vite 4 or migrate it to Vue 2.7 plus @vitejs/plugin-vue2 before bumping Vite.(npm.io)

🤖 Prompt for AI Agents 
In examples/vue/2.6-basic/package.json around lines 17-19, Vite was bumped to
^5.4.20 but the project still depends on vite-plugin-vue2@2.0.3 which only
supports vite ^2 || ^3 and is not Vite 5 compatible; fix by either (A) pinning
Vite to a Vite-4-compatible version (e.g., ^4.x) so the existing
vite-plugin-vue2 remains valid, or (B) migrate the example to Vue 2.7 and
replace vite-plugin-vue2 with a Vite-5-compatible plugin (e.g.,
@vitejs/plugin-vue2), update package.json and any plugin-related config/code,
then run npm install and smoke-test the dev/build to ensure tooling works.

examples/vue/2.7-basic/package.json Outdated
Comment on lines 17 to 18
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Vite 5 breaks the current Vue 2 build

Line 17 upgrades Vite to ^5.4.20, but the example still depends on vite-plugin-vue2@2.0.3, whose peer dependency caps Vite at ^3.x; npm install/pnpm install will dead-stop with an ERESOLVE failure and the dev server won’t start.(npmpeer.dev) To land Vite 5 you need to swap over to the maintained @vitejs/plugin-vue2 (and update the config imports), because its peer range now covers Vite ^5 alongside Vue 2.7.(github.com)

-    "vite": "^5.4.20",
-    "vite-plugin-vue2": "2.0.3"
+    "vite": "^5.4.20",
+    "@vitejs/plugin-vue2": "^2.3.3"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"vite": "^5.4.20",
"vite-plugin-vue2": "2.0.3"
"vite": "^5.4.20",
"@vitejs/plugin-vue2": "^2.3.3"
🤖 Prompt for AI Agents 
In examples/vue/2.7-basic/package.json around lines 17-18, the project declares
"vite": "^5.4.20" but still depends on "vite-plugin-vue2": "2.0.3", which has a
peer range limited to Vite ^3 and causes ERESOLVE; replace "vite-plugin-vue2"
with the maintained "@vitejs/plugin-vue2" (use a current compatible version) in
package.json, run install to update lockfile, and then update any Vite
config/imports (e.g., vite.config.js or vite.config.ts) to import and use the
plugin from "@vitejs/plugin-vue2" instead of "vite-plugin-vue2" so the example
works with Vite 5.

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 42e2d9c to 8d1bd64 Compare September 28, 2025 00:44
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Sep 28, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 8d1bd64 to d00a37c Compare September 28, 2025 04:25
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Sep 28, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from d00a37c to f89407a Compare September 29, 2025 04:34
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from f89407a to b66ddd4 Compare September 29, 2025 09:51
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from b66ddd4 to ed605e7 Compare September 29, 2025 15:13
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ed605e7 to 78144d3 Compare September 29, 2025 17:43
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Sep 29, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 78144d3 to ec9eec7 Compare September 30, 2025 04:06
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Sep 30, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from ec9eec7 to 01758f7 Compare September 30, 2025 05:07
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Sep 30, 2025
coderabbitai[bot]
coderabbitai bot reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
examples/vue/2.6-basic/package.json (1)

18-20: Blocker: vite-plugin-vue2 is incompatible with Vite 5+ here; install/build will break

This example bumps Vite to ^5.4.20 but keeps vite-plugin-vue2@2.0.3 (for Vue 2.6). That plugin’s peer range targets older Vite, so the toolchain won’t resolve or run. Either revert Vite here or migrate the example to Vue 2.7 + @vitejs/plugin-vue2 before taking Vite ≥5.

Minimal safe fix (Option A: keep Vue 2.6):

   "devDependencies": {
     "typescript": "5.8.3",
-    "vite": "^5.4.20",
+    "vite": "^4.5.14",
     "vite-plugin-vue2": "2.0.3"
   }

Preferred fix (Option B: upgrade path):

  • Move to Vue 2.7.x and align vue-template-compiler to the same 2.7.x.
  • Drop @vue/composition-api (built into 2.7).
  • Replace vite-plugin-vue2 with @vitejs/plugin-vue2 and then bump Vite to the target version (see next comment).
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec9eec7 and 01758f7.

📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 01758f7 to ac77791 Compare September 30, 2025 05:32
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from a8f397b to 69d79cf Compare October 15, 2025 08:33
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 69d79cf to 05fedb2 Compare October 15, 2025 12:41
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Oct 15, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 05fedb2 to 54288d7 Compare October 16, 2025 08:28
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 54288d7 to 5ed0b20 Compare October 16, 2025 10:49
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 5ed0b20 to 33e4b66 Compare October 16, 2025 11:09
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v7 [security] Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 33e4b66 to 9bb0864 Compare October 16, 2025 16:13
@renovate renovate bot changed the title chore(deps): update dependency vite to v7 [security] chore(deps): update dependency vite to v5 [security] Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 1c5c5da to 0c93e41 Compare October 21, 2025 00:43
@renovate renovate bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite [security] Oct 21, 2025
@renovate renovate bot force-pushed the renovate/npm-vite-vulnerability branch from 0c93e41 to 36c3e4a Compare October 21, 2025 13:07
coderabbitai[bot]
coderabbitai bot reviewed Oct 25, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5d0ae69 and 5b01d51.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

examples/vue/2.6-basic/package.json Outdated
Comment on lines 18 to 19
"vite": "^7.1.12",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Oct 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🔴 Critical: Unmet peer dependency — vite-plugin-vue2@2.0.3 incompatible with Vite 7.1.12

vite-plugin-vue2@2.0.3 declares a peer constraint of vite ^2 || ^3 || ^4 (per past review verification), so bumping vite to ^7.1.12 breaks npm install with an unmet peer dependency error, rendering the dev server and build unusable. This issue was flagged in prior review cycles and marked as addressed, but the current code state still exhibits the conflict.

Solution A (recommended if staying on Vue 2.6): Revert vite to a compatible range:

-    "vite": "^7.1.12",
+    "vite": "^4.5.14",

Solution B (recommended for forward compatibility): Migrate this example to Vue 2.7 and @vitejs/plugin-vue2 (Vite-7-compatible), then update package.json:

-    "vue": "2.6.14",
-    "vue-template-compiler": "2.6.14",
+    "vue": "2.7.x",
+    "vue-template-compiler": "2.7.x",
-    "vite-plugin-vue2": "2.0.3"
+    "@vitejs/plugin-vue2": "latest"

Then update vite.config.js to use the new plugin, run npm install, and verify the dev build.

Verification script to confirm peer constraint:

🏁 Script executed:

#!/bin/bash
# Confirm the peer dependency range for vite-plugin-vue2@2.0.3
npm view vite-plugin-vue2@2.0.3 peerDependencies --json

Length of output: 79

🔴 Critical: Unmet peer dependency — vite-plugin-vue2@2.0.3 incompatible with Vite 7.1.12

vite-plugin-vue2@2.0.3 declares a peer dependency of vite ^2.0.0 || ^3.0.0 || ^4.0.0, so bumping vite to ^7.1.12 breaks npm install with an unmet peer dependency error, rendering the dev server and build unusable.

Choose one fix:

  • Revert vite to a compatible version (e.g., ^4.5.14) if staying on Vue 2.6
  • Migrate to Vue 2.7 with @vitejs/plugin-vue2 (Vite-7-compatible), then update package.json accordingly and verify the build succeeds
🤖 Prompt for AI Agents 
In examples/vue/2.6-basic/package.json around lines 18-19, the pinned
vite-plugin-vue2@2.0.3 has a peer dependency on Vite ^2 || ^3 || ^4 and is
incompatible with the current vite "^7.1.12", causing unmet peer dependency
errors; either revert vite to a compatible version (e.g., set vite to "^4.5.14")
or migrate to Vue 2.7 and replace the plugin with a Vite-7-compatible solution
(e.g., switch to @vitejs/plugin-vue2 and update Vue deps), then update
package.json accordingly and run npm install/build to verify that the peer
dependency conflict is resolved.

coderabbitai[bot]
coderabbitai bot reviewed Nov 8, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
examples/vue/2.7-basic/package.json (1)

17-18: 🔴 Critical: vite-plugin-vue2@2.0.3 incompatible with vite 5 — peer constraint violation

vite-plugin-vue2@2.0.3 declares peer dependency vite ^2 || ^3 || ^4. Upgrading vite to ^5.4.21 (line 17) while keeping vite-plugin-vue2@2.0.3 (line 18) causes npm install to fail with an ERESOLVE error.

Migrate to @vitejs/plugin-vue2 (v2.3.4+), which supports vite ^3–7 and is maintained for Vue 2.7. Update vite.config.ts to import from @vitejs/plugin-vue2 instead.

Required changes:

  1. Update package.json:

    "devDependencies": {
  "typescript": "5.8.3",
  "vite": "^5.4.21",
- "vite-plugin-vue2": "2.0.3"
+ "@vitejs/plugin-vue2": "^2.3.4"
}

  2. Update vite.config.ts line 2:

    - import { createVuePlugin } from 'vite-plugin-vue2'
+ import { createVuePlugin } from '@vitejs/plugin-vue2'
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 11d94de and e6f9b91.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview

examples/vue/2.6-basic/package.json Outdated
Comment on lines 18 to 19
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🔴 Critical: Unmet peer dependency — vite-plugin-vue2@2.0.3 incompatible with vite 5

vite-plugin-vue2@2.0.3 declares a peer constraint of vite ^2 || ^3 || ^4. Upgrading vite to ^5.4.21 (line 18) while keeping vite-plugin-vue2@2.0.3 (line 19) causes npm install to fail with an ERESOLVE error, breaking the dev server and build for this example.

This example is on Vue 2.6, which is incompatible with the maintained @vitejs/plugin-vue2. Choose one fix:

  • Revert vite to ^4.x if this example should remain on Vue 2.6
  • Upgrade to Vue 2.7, migrate to @vitejs/plugin-vue2, and optionally upgrade vite to ^7.2.2 per the PR objective

Option 1: Keep Vue 2.6 — revert vite to compatible version

  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
+   "vite": "^4.5.14",
    "vite-plugin-vue2": "2.0.3"
  }

Option 2: Migrate to Vue 2.7 and @vitejs/plugin-vue2 (aligns with PR objective of vite 7)

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "@vue/composition-api": "1.7.2",
-   "vue": "2.6.14",
-   "vue-template-compiler": "2.6.14"
+   "vue": "2.7.16",
+   "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
-   "vite-plugin-vue2": "2.0.3"
+   "vite": "^7.2.2",
+   "@vitejs/plugin-vue2": "^2.4.0"
  }

Then update vite.config.js to import and use @vitejs/plugin-vue2 instead of vite-plugin-vue2.

Please clarify whether this example should remain on Vue 2.6 or migrate to 2.7 to align with the PR security update goal.

[/web_search]

[/web_search]

[/run_scripts]

🏁 Script executed:

#!/bin/bash
# Check vite.config.js in this example
cat examples/vue/2.6-basic/vite.config.js 2>/dev/null || echo "File not found"

Length of output: 14

🏁 Script executed:

#!/bin/bash
# Check full package.json structure to understand dependencies
cat examples/vue/2.6-basic/package.json

Length of output: 459

🏁 Script executed:

#!/bin/bash
# Search for any Vue version upgrade notes or strategic comments in this example
find examples/vue/2.6-basic -type f \( -name "*.md" -o -name "*.txt" -o -name "README*" \) 2>/dev/null | head -5

Length of output: 32

🌐 Web query:

vite-plugin-vue2 2.0.3 peer dependencies vite

💡 Result:

vite-plugin-vue2@2.0.3 declares a peerDependency on vite >= 2.0.0. [1][2]

Sources:

  • Libraries.io package page for vite-plugin-vue2. [1]
  • Socket / npm package metadata listing (vite peer requirement). [2]

🌐 Web query:

@vitejs/plugin-vue2 vite 7 compatibility

💡 Result:

Short answer: Likely yes — @vitejs/plugin-vue2 works with Vue 2.7 and is listed as an official Vite plugin, and there’s no public documentation saying it’s incompatible with Vite 7. However the plugin targets Vue 2.7 and is no longer actively maintained, so you may hit peer-dependency or plugin-API breakages when upgrading to Vite 7; other official/community plugins have already needed updates for Vite 7. Test in a branch and pin versions (or use a patched fork) if you hit issues. [1][2][3][4]

Sources

  • @vitejs/plugin-vue2 (README / npm / GitHub): plugin for Vue 2.7 (official plugin, not actively maintained). [1][2]
  • Vite breaking-changes / plugins notes (Vite 7 introduced API/peer changes; other plugins needed updates — e.g. Tailwind plugin peer-dep issue). [3][4]

If you want I can:

  • check the plugin’s package.json for any strict vite peerDependency, or
  • run a quick compatibility checklist (common failure points) against Vite 7 for you.

[/web_search]

[/run_scripts]

🏁 Script executed:

#!/bin/bash
# Read the README for strategic context
cat examples/vue/2.6-basic/README.md

Length of output: 148

🏁 Script executed:

#!/bin/bash
# Check npm registry directly for vite-plugin-vue2@2.0.3 exact peer constraint
curl -s https://registry.npmjs.org/vite-plugin-vue2/2.0.3 | python3 -c "import sys, json; data=json.load(sys.stdin); print(json.dumps(data.get('peerDependencies', {}), indent=2))" 2>/dev/null || echo "Could not fetch from npm registry"

Length of output: 79

🌐 Web query:

@vitejs/plugin-vue2 2.4.0 peerDependencies vite version

💡 Result:

Do you want me to look up which Vite version is listed in the peerDependencies for @vitejs/plugin-vue2@2.4.0? (I can fetch the package.json and cite the source.)

[/run_scripts]

🏁 Script executed:

#!/bin/bash
# Fetch @vitejs/plugin-vue2 latest version info from npm registry
curl -s https://registry.npmjs.org/@vitejs/plugin-vue2 | python3 -c "import sys, json; data=json.load(sys.stdin); latest=data['dist-tags'].get('latest', ''); print(f'Latest version: {latest}'); pkg=data['versions'].get(latest, {}); print(json.dumps(pkg.get('peerDependencies', {}), indent=2))"

Length of output: 105

🏁 Script executed:

#!/bin/bash
# Verify Vue 2.7.16 compatibility with @tanstack/vue-query
curl -s https://registry.npmjs.org/@tanstack/vue-query/5.90.2 | python3 -c "import sys, json; data=json.load(sys.stdin); deps=data.get('peerDependencies', {}); print('Peer dependencies:'); print(json.dumps(deps, indent=2))"

Length of output: 86

🔴 Critical: Vite-plugin-vue2 incompatible with vite 5 — version error in Option 2, and vite.config.js must be created

vite-plugin-vue2@2.0.3 declares peer constraint "vite": "^2.0.0 || ^3.0.0 || ^4.0.0". Upgrading vite to ^5.4.21 (line 18) while keeping vite-plugin-vue2@2.0.3 (line 19) causes npm install to fail with an ERESOLVE error, breaking this example's dev server and build.

Two valid paths exist:

Option 1: Keep Vue 2.6 — revert vite to ^4.x

  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
+   "vite": "^4.5.14",
    "vite-plugin-vue2": "2.0.3"
  }

Option 2: Migrate to Vue 2.7 and @vitejs/plugin-vue2

@vitejs/plugin-vue2 latest (2.3.4) supports "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0", and @tanstack/vue-query@5.90.2 supports "vue": "^2.6.0", making Vue 2.7.16 compatible.

Update package.json:

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "@vue/composition-api": "1.7.2",
-   "vue": "2.6.14",
-   "vue-template-compiler": "2.6.14"
+   "vue": "2.7.16",
+   "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
-   "vite-plugin-vue2": "2.0.3"
+   "vite": "^7.2.2",
+   "@vitejs/plugin-vue2": "^2.3.4"
  }

Create vite.config.js (file does not currently exist):

import { defineConfig } from 'vite'
import createVuePlugin from '@vitejs/plugin-vue2'

export default defineConfig({
  plugins: [createVuePlugin()]
})

Clarify whether this example should remain on Vue 2.6 (requiring Option 1) or migrate to 2.7 (Option 2).

coderabbitai[bot]
coderabbitai bot reviewed Nov 22, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8364d95 and 688b3ee.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

examples/vue/2.6-basic/package.json Outdated
Comment on lines 18 to 19
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🔴 Critical: Unmet peer dependency — vite-plugin-vue2@2.0.3 incompatible with vite ^5.4.21.

vite-plugin-vue2@2.0.3 declares a peer dependency on vite ^2 || ^3 || ^4. Upgrading vite to ^5.4.21 (line 18) while keeping vite-plugin-vue2@2.0.3 (line 19) causes npm install to fail with an ERESOLVE error, breaking the dev server and build for this example. This issue has been flagged in multiple past reviews; please address it by choosing one path:

Path A: Keep Vue 2.6 — revert vite to ^4.x (compatible range)

-   "vite": "^5.4.21",
+   "vite": "^4.5.14",

This preserves the existing Vue 2.6 setup but leaves the example on an older Vite version.

Path B: Migrate to Vue 2.7 and @vitejs/plugin-vue2 (aligns with PR security objective)

Update package.json:

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "@vue/composition-api": "1.7.2",
-   "vue": "2.6.14",
-   "vue-template-compiler": "2.6.14"
+   "vue": "2.7.16",
+   "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
-   "vite-plugin-vue2": "2.0.3"
+   "vite": "^7.2.2",
+   "@vitejs/plugin-vue2": "^2.3.4"
  }

Then create or update vite.config.js to use @vitejs/plugin-vue2:

import { defineConfig } from 'vite'
import createVuePlugin from '@vitejs/plugin-vue2'

export default defineConfig({
  plugins: [createVuePlugin()]
})

After choosing a path, run npm install and verify the dev/build succeeds.

I'll verify the key claims in this review comment. Let me start by checking the peer dependencies of the packages mentioned and inspecting the actual repository files.

Now let me inspect the actual files in the repository to verify the current state and look for vite.config.js:

🏁 Script executed:

#!/bin/bash
# Check actual package.json file content
cat examples/vue/2.6-basic/package.json

# Check if vite.config.js exists
ls -la examples/vue/2.6-basic/vite.config.* 2>/dev/null || echo "No vite.config files found"

Length of output: 545

Let me check the vite.config.ts file and verify the peer dependency claim more definitively:

🏁 Script executed:

#!/bin/bash
# Check vite.config.ts content
cat examples/vue/2.6-basic/vite.config.ts

# Try to get npm info on vite-plugin-vue2@2.0.3 peer dependencies
npm view vite-plugin-vue2@2.0.3 peerDependencies 2>/dev/null || echo "npm view failed"

Length of output: 230

Let me verify the compatibility of @vitejs/plugin-vue2 with vite@^7.x that's suggested in the review:

🌐 Web query:

@vitejs/plugin-vue2 compatibility vite 7 latest version

💡 Result:

Short answer: Yes — @vitejs/plugin-vue2 (for Vue 2.7) is an official Vite plugin and works with Vite 7, but watch Vite 7's newer Node.js requirements and some ecosystem plugins may still have strict peer deps that break with Vite 7. [1][2][3]

Sources:

  • @vitejs/plugin-vue2 (official repo / npm): supports Vue ^2.7.0. [1]
  • Vite 7 announcement (Vite 7 release / Node.js requirements). [2]
  • Known ecosystem peer-dep issues (example: @tailwindcss/vite peer dep not yet updated for vite@7). [3]

🔴 Critical: Unmet peer dependency — vite-plugin-vue2@2.0.3 incompatible with vite ^5.4.21.

vite-plugin-vue2@2.0.3 declares a peer dependency on vite ^2.0.0 || ^3.0.0 || ^4.0.0. Upgrading vite to ^5.4.21 (line 18) while keeping vite-plugin-vue2@2.0.3 (line 19) causes npm install to fail with an ERESOLVE error, breaking the dev server and build for this example. This issue has been flagged in multiple past reviews; please address it by choosing one path:

Path A: Keep Vue 2.6 — revert vite to ^4.x (compatible range)

-   "vite": "^5.4.21",
+   "vite": "^4.5.14",

This preserves the existing Vue 2.6 setup but leaves the example on an older Vite version.

Path B: Migrate to Vue 2.7 and @vitejs/plugin-vue2 (aligns with PR security objective)

Update package.json:

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "@vue/composition-api": "1.7.2",
-   "vue": "2.6.14",
-   "vue-template-compiler": "2.6.14"
+   "vue": "2.7.16",
+   "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^5.4.21",
-   "vite-plugin-vue2": "2.0.3"
+   "vite": "^7.2.2",
+   "@vitejs/plugin-vue2": "^2.3.4"
  }

Then create or update vite.config.js to use @vitejs/plugin-vue2:

import { defineConfig } from 'vite'
import createVuePlugin from '@vitejs/plugin-vue2'

export default defineConfig({
  plugins: [createVuePlugin()]
})

After choosing a path, run npm install and verify the dev/build succeeds.

🤖 Prompt for AI Agents 
In examples/vue/2.6-basic/package.json around lines 18-19 the project sets
"vite": "^5.4.21" while keeping "vite-plugin-vue2": "2.0.3", which declares peer
deps incompatible with Vite 5 and causes npm ERESOLVE; fix by choosing one path:
Path A — revert the vite version to a 4.x compatible range (e.g. "^4.x") in
package.json so it satisfies vite-plugin-vue2's peer dependency, run npm install
and verify dev/build; OR Path B — migrate to Vue 2.7 by replacing
vite-plugin-vue2 with @vitejs/plugin-vue2 in package.json and updating
dependencies accordingly, add or update vite.config.js to import and use
@vitejs/plugin-vue2 as the plugin, run npm install and verify dev/build.

coderabbitai[bot]
coderabbitai bot reviewed Nov 29, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 78e27af and b35e63a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json (1 hunks)
  • examples/vue/2.7-basic/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview

examples/vue/2.6-basic/package.json Outdated
Comment on lines 18 to 19
"vite": "^7.2.4",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check current package.json for 2.6-basic example
cat -n examples/vue/2.6-basic/package.json

Repository: TanStack/query

Length of output: 172

🏁 Script executed:

[skip_cloning]
# Check npm registry for vite-plugin-vue2@2.0.3 peer dependencies
npm view vite-plugin-vue2@2.0.3 peerDependencies

Repository: TanStack/query

Length of output: 205

🏁 Script executed:

[skip_cloning]
# Check npm registry for @vitejs/plugin-vue2 requirements
npm view @vitejs/plugin-vue2@2.3.4 peerDependencies
npm view @vitejs/plugin-vue2 engines

Repository: TanStack/query

Length of output: 241

🏁 Script executed:

[skip_cloning]
# Check Vue 2.7 compatibility with @vitejs/plugin-vue2
npm view @vitejs/plugin-vue2@latest | grep -A5 "vue"

Repository: TanStack/query

Length of output: 610

🔴 Critical: vite-plugin-vue2@2.0.3 incompatible with vite ^7.2.4 — npm install will fail.

vite-plugin-vue2@2.0.3 (line 19) declares a peer dependency on vite ^2.0.0 || ^3.0.0 || ^4.0.0. Bumping vite to ^7.2.4 (line 18) creates an unmet peer dependency that causes npm install to fail with ERESOLVE, blocking the dev server and build for this example.

Unlike the Vue 2.7 example, this example uses Vue 2.6.14 (line 13), which is not compatible with @vitejs/plugin-vue2 (requires Vue 2.7+). Choose one of two paths:

Option A: Keep Vue 2.6 — revert vite to ^4.x

  "devDependencies": {
    "typescript": "5.8.3",
-   "vite": "^7.2.4",
+   "vite": "^4.5.14",
    "vite-plugin-vue2": "2.0.3"
  }

This preserves the existing example but does not apply the Vite 7 security fixes.

Option B: Migrate to Vue 2.7 and use @vitejs/plugin-vue2 (recommended for security)

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "@vue/composition-api": "1.7.2",
-   "vue": "2.6.14",
-   "vue-template-compiler": "2.6.14"
+   "vue": "2.7.16",
+   "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
    "vite": "^7.2.4",
-   "vite-plugin-vue2": "2.0.3"
+   "@vitejs/plugin-vue2": "^2.3.4"
  }

If choosing Option B, create or update vite.config.ts to use the new plugin:

import { defineConfig } from 'vite'
import createVuePlugin from '@vitejs/plugin-vue2'

export default defineConfig({
  plugins: [createVuePlugin()]
})

After applying either option, run npm install and verify the dev server starts and builds succeed.

examples/vue/2.7-basic/package.json Outdated
Comment on lines 17 to 18
"vite": "^7.2.4",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check peer dependencies for vite-plugin-vue2@2.0.3
echo "=== vite-plugin-vue2@2.0.3 peer dependencies ==="
npm view vite-plugin-vue2@2.0.3 peerDependencies --json 2>/dev/null || echo "Failed to fetch vite-plugin-vue2@2.0.3"

echo ""
echo "=== @vitejs/plugin-vue2 latest peer dependencies ==="
npm view @vitejs/plugin-vue2 peerDependencies --json 2>/dev/null || echo "Failed to fetch @vitejs/plugin-vue2"

echo ""
echo "=== vite@7.2.4 version check ==="
npm view vite@7.2.4 version 2>/dev/null || echo "vite@7.2.4 not found"

Repository: TanStack/query

Length of output: 172

🏁 Script executed:

Now let me check the current state of the example project:
```shell
#!/bin/bash
# Check if vite.config.js exists in the 2.7-basic example
if [ -f "examples/vue/2.7-basic/vite.config.js" ]; then
  echo "=== vite.config.js exists ==="
  cat -n "examples/vue/2.7-basic/vite.config.js"
else
  echo "vite.config.js not found in examples/vue/2.7-basic/"
fi

echo ""
echo "=== Current package.json (relevant lines) ==="
sed -n '1,25p' "examples/vue/2.7-basic/package.json" | cat -n
```

Repository: TanStack/query

Length of output: 200

🏁 Script executed:

#!/bin/bash
# Query npm registry via JSON API for peer dependencies
echo "=== vite-plugin-vue2@2.0.3 peer dependencies ==="
curl -s https://registry.npmjs.org/vite-plugin-vue2/2.0.3 | jq '.peerDependencies // "No peer dependencies found"' 2>/dev/null

echo ""
echo "=== @vitejs/plugin-vue2 latest versions ==="
curl -s https://registry.npmjs.org/@vitejs/plugin-vue2 | jq '.versions | keys | .[-3:]' 2>/dev/null

echo ""
echo "=== @vitejs/plugin-vue2 latest peer dependencies ==="
curl -s https://registry.npmjs.org/@vitejs/plugin-vue2 | jq '.["dist-tags"].latest as $latest | .versions[$latest].peerDependencies // "No peer dependencies"' 2>/dev/null

echo ""
echo "=== vite@^7 compatibility check ==="
curl -s https://registry.npmjs.org/vite/7.2.4 | jq '.version' 2>/dev/null

Repository: TanStack/query

Length of output: 450

🏁 Script executed:

#!/bin/bash
cd /tmp && git clone --depth 1 https://github.com/TanStack/query.git 2>&1 | grep -E "(Cloning|fatal)" || echo "Clone started"
sleep 2

echo "=== Checking package.json in examples/vue/2.7-basic ==="
if [ -f "query/examples/vue/2.7-basic/package.json" ]; then
  sed -n '10,20p' "query/examples/vue/2.7-basic/package.json" | cat -n
else
  echo "File not found"
fi

echo ""
echo "=== Checking vite.config.js in examples/vue/2.7-basic ==="
if [ -f "query/examples/vue/2.7-basic/vite.config.js" ]; then
  cat -n "query/examples/vue/2.7-basic/vite.config.js"
else
  echo "vite.config.js not found"
fi

Repository: TanStack/query

Length of output: 531

🏁 Script executed:

#!/bin/bash
cd /tmp/query

echo "=== Git diff for package.json ==="
git diff HEAD examples/vue/2.7-basic/package.json || echo "No changes shown in diff"

echo ""
echo "=== Git log recent commits ==="
git log --oneline -5

echo ""
echo "=== Current branch ==="
git branch -a | head -10

Repository: TanStack/query

Length of output: 262

Perfect! I've completed the verification. Let me summarize what I found:

Verification Results:

  1. vite-plugin-vue2@2.0.3 peer dependencies: "vite": "^2.0.0 || ^3.0.0 || ^4.0.0" ✓ (matches review claim)
  2. vite@7.2.4 compatibility: Exists and is valid ✓
  3. @vitejs/plugin-vue2@2.3.4 peer dependencies: "vite": "^3.0.0 || ^4.0.0 || ^5.0.0 || ^6.0.0 || ^7.0.0" ✓ (supports vite ^7)
  4. Current project state:
    • Vue 2.7.16 ✓
    • vite-plugin-vue2@2.0.3 ✓
    • No vite.config.js currently exists ✓
  5. Technical assessment: The review's claim that vite-plugin-vue2@2.0.3 is incompatible with vite@^7.2.4 is correct – this would cause ERESOLVE during npm install
  6. Proposed solution: Migration to @vitejs/plugin-vue2@2.3.4 is correct and necessary

All technical claims in the review are verified as accurate. The blocker is real, and the proposed migration is the correct solution.

🔴 Critical: vite-plugin-vue2@2.0.3 incompatible with vite ^7.2.4 — npm install will fail.

vite-plugin-vue2@2.0.3 declares a peer dependency on vite ^2 || ^3 || ^4. Bumping vite to ^7.2.4 creates an unmet peer dependency that causes npm install to fail with ERESOLVE, blocking the dev server and build.

Since this example already uses Vue 2.7.16, migrate to the maintained @vitejs/plugin-vue2:

  "dependencies": {
    "@tanstack/vue-query": "^5.90.2",
    "vue": "2.7.16",
    "vue-template-compiler": "2.7.16"
  },
  "devDependencies": {
    "typescript": "5.8.3",
    "vite": "^7.2.4",
-   "vite-plugin-vue2": "2.0.3"
+   "@vitejs/plugin-vue2": "^2.3.4"
  }

Then create vite.config.js (currently missing):

import { defineConfig } from 'vite'
import createVuePlugin from '@vitejs/plugin-vue2'

export default defineConfig({
  plugins: [createVuePlugin()]
})

After updating, run npm install and verify the dev server starts.

🤖 Prompt for AI Agents 
In examples/vue/2.7-basic/package.json around lines 17-18, the project currently
uses "vite-plugin-vue2": "2.0.3" which is incompatible with "vite": "^7.2.4" and
will cause npm ERESOLVE errors; replace the dependency with the maintained
"@vitejs/plugin-vue2" at a compatible version (e.g., 2.3.4) in package.json and
add a new vite.config.js at project root that imports defineConfig from 'vite'
and the createVuePlugin from '@vitejs/plugin-vue2', then export defineConfig({
plugins: [createVuePlugin()] }) so the project works with vite ^7 and Vue 2.7.

coderabbitai[bot]
coderabbitai bot reviewed Dec 27, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b3d8ea and 1609dea.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Preview
  • GitHub Check: Test

coderabbitai[bot]
coderabbitai bot reviewed Dec 28, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
examples/vue/2.7-basic/package.json (1)

17-18: Plugin compatibility blocker (duplicate of previous reviews).

As extensively documented in previous review comments, vite-plugin-vue2@2.0.3 peers with vite ^2 || ^3 || ^4 and is incompatible with vite ^5.4.21 (or the target ^7.3.0). This causes ERESOLVE errors preventing npm install.

Required: Migrate to @vitejs/plugin-vue2 as detailed in the previous review comments, which includes peer support for Vite 5-7 and provides the necessary vite.config.js configuration.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 17ed780 and a08ac38.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.6-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Preview
  • GitHub Check: Test

coderabbitai[bot]
coderabbitai bot reviewed Jan 11, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.6-basic/package.json:
- Line 18: The package.json currently pins "vite": "^7.3.1" while still using
vite-plugin-vue2 (maintenance-only for Vue ≤2.6) which is incompatible with Vite
7; fix by either downgrading vite to a 6.x release that includes the
CVE-2025-31486 fixes (e.g., any >=6.0.14/6.1.4/6.2.5 per the CVE note) and keep
vite-plugin-vue2 for the 2.6-basic example, or upgrade the plugin to
@vitejs/plugin-vue2 if you intend to target Vite 7 and Vue 2.7+; also update
documentation/PR text to resolve the version discrepancy (6.4.1 vs 7.3.1) and
note Node.js minimums for Vite 7 (Node 20.19+ or 22.12+), and ensure the
CVE-2025-31486 version references are corrected.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c6cd85 and bc42c50.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview

coderabbitai[bot]
coderabbitai bot reviewed Jan 11, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.7-basic/package.json:
- Around line 15-19: Replace the deprecated devDependency "vite-plugin-vue2"
with the official "@vitejs/plugin-vue2" in package.json's devDependencies
(remove "vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" at a
compatible version), then run install; also update any imports/usages in your
Vite config (e.g., change import from "vite-plugin-vue2" to
"@vitejs/plugin-vue2" and ensure the plugin is passed to defineConfig/plugins in
vite.config.js) so the project uses the official Vue 2.7+ Vite plugin compatible
with Vite ^5.4.21.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc42c50 and a693558.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.6-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test

examples/vue/2.7-basic/package.json
Comment on lines 15 to 19
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
}
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-31486 CVE-2025-32395 CVE-2025-46565 Vite vulnerability fix versions

💡 Result:

  • CVE-2025-31486 — fixed in Vite 4.5.12, 5.4.17, 6.0.14, 6.1.4, and 6.2.5. [1]

  • CVE-2025-32395 — fixed in Vite 4.5.13, 5.4.18, 6.0.15, 6.1.5, and 6.2.6. [2]

  • CVE-2025-46565 — fixed in Vite 4.5.14, 5.4.19, 6.1.6, 6.2.7, and 6.3.4. [3]

Sources: [1] NVD/GitHub advisory for CVE-2025-31486. [2] Vite/GitHub advisory summaries for CVE-2025-32395. [3] CVE details/GitHub advisory for CVE-2025-46565.

🌐 Web query:

vite-plugin-vue2 compatibility Vite 5 6 7

💡 Result:

Short answer: don't use the old community "vite-plugin-vue2" for Vite 5/6/7 — use the official @vitejs/plugin-vue2 (for Vue 2.7+) which is the supported plugin for Vite's modern releases. [1][2][3][4]

Notes:

  • vite-plugin-vue2 has been deprecated/put into maintenance and only supports older Vue 2.6-era setups. [1][4]
  • @vitejs/plugin-vue2 is the official plugin for Vue 2.7+ and is the one referenced in Vite docs; JSX/TSX for Vue 2 is handled by a separate plugin. Use @vitejs/plugin-vue2 with Vite 5/6/7. [2][3]

Sources:

  • vite-plugin-vue2 deprecation/maintenance notice. [1]
  • @vitejs/plugin-vue2 GitHub / npm (official plugin for Vue 2.7+). [2][3]
  • Vite plugins documentation listing @vitejs/plugin-vue2. [4]

🏁 Script executed:

# Check if there are other package.json files or lock files in the repo that might provide context
git ls-files | grep -E "(package\.json|pnpm-lock|yarn\.lock|package-lock)" | head -20

Repository: TanStack/query

Length of output: 939

🌐 Web query:

CVE-2025-58751 CVE-2025-58752 Vite vulnerability fix

💡 Result:

Short answer — what happened and what to do:

  • Two Vite dev-server vulnerabilities (CVE-2025-58751 and CVE-2025-58752) allow the dev/preview server to serve HTML or public files outside the intended root (path traversal / public-file serving bypass) when the dev server is exposed to the network and the public dir / symlink conditions are met. [1][2]

  • Affected versions (examples): 7.1.0–7.1.4, 7.0.0–7.0.6, 6.0.0–6.3.5, and <=5.4.19 (see advisories for full ranges). [1][2]

  • Patched versions: 7.1.5, 7.0.7, 6.3.6, and 5.4.20. Upgrade to one of these or any later release. Example: npm install vite@7.1.5 (or update your package.json and run your package manager). [1][2]

  • Short mitigations until you can upgrade: do NOT expose the Vite dev server to untrusted networks (avoid --host / server.host), remove symlinks in the public directory, and avoid enabling the preview server to untrusted networks. [1][3]

Sources:

  1. GitHub Security Advisory (vite): GHSA-g4jq-h2w9-997c (patch/patched versions).
  2. NVD entries for CVE-2025-58751 and CVE-2025-58752 (details and fixed versions).
  3. Vendor/third‑party writeups summarizing impact and mitigations.

🌐 Web query:

CVE-2025-62522 Vite vulnerability

💡 Result:

Short summary — CVE-2025-62522 (published Oct 20, 2025): a path-handling bug in the Vite dev server on Windows that lets an attacker bypass server.fs.deny by requesting a URL that ends with a backslash, causing denied files (e.g., .env, *.pem) to be served if the dev server is exposed to the network. Affects multiple Vite release ranges (see below). [1][2][3]

Affected versions (per advisories): Vite 2.9.18 → <3.0.0, 3.2.9 → <4.0.0, 4.5.3 → <5.0.0, 5.2.6 → <5.4.21, 6.0.0 → <6.4.1, 7.0.0 → <7.0.8, 7.1.0 → <7.1.11. Published/confirmed Oct 20, 2025. [1][2]

Impact: medium severity (CVSS v4.0 = 6.0). Only exploitable when the Vite dev server is intentionally exposed to the network and running on Windows; it can disclose sensitive files normally blocked by server.fs.deny. [1][3]

Mitigation:

  • Upgrade Vite to a patched release: 5.4.21, 6.4.1, 7.0.8, or 7.1.11 (or later). [1][2]
  • As a workaround, do not expose the dev server to external networks (bind to localhost / block with firewall) and ensure sensitive files aren’t served by the project. [2][3]

References:
[1] GitHub / Vite advisory & fixes (commit/advisory referenced by vendor).
[2] NVD / CVE-2025-62522 summary.
[3] Positive Technologies / dbugs advisory (technical details and recommendations).

🏁 Script executed:

# Check for lockfiles in the vue example directory and parent
cd examples/vue/2.7-basic && ls -la

Repository: TanStack/query

Length of output: 581

🏁 Script executed:

# Also check the current full package.json to see dependencies context
cat examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 505

🏁 Script executed:

# Check if there are comments or PR description in nearby files
git log --oneline -n 20 -- examples/vue/2.7-basic/package.json 2>/dev/null | head -5

Repository: TanStack/query

Length of output: 113

Replace deprecated vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The vite version bump to ^5.4.21 is correct and does address all five CVEs mentioned in the PR (CVE-2025-31486, CVE-2025-32395, CVE-2025-46565, CVE-2025-58751/58752, and CVE-2025-62522—which is specifically fixed in 5.4.21).

However, vite-plugin-vue2@2.0.3 is deprecated and not recommended for modern Vite versions. For Vue 2.7+, use the official @vitejs/plugin-vue2 plugin instead. Update the devDependency accordingly.

🤖 Prompt for AI Agents 
In @examples/vue/2.7-basic/package.json around lines 15 - 19, Replace the
deprecated devDependency "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2" in package.json's devDependencies (remove
"vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" at a compatible
version), then run install; also update any imports/usages in your Vite config
(e.g., change import from "vite-plugin-vue2" to "@vitejs/plugin-vue2" and ensure
the plugin is passed to defineConfig/plugins in vite.config.js) so the project
uses the official Vue 2.7+ Vite plugin compatible with Vite ^5.4.21.

coderabbitai[bot]
coderabbitai bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.6-basic/package.json:
- Around line 18-19: The dependency "vite-plugin-vue2" in package.json is
incompatible with Vite 7; replace the "vite-plugin-vue2" entry with
"@vitejs/plugin-vue2" and update the version to a Vite-7-compatible release
(e.g., ^2.3.3 or later), then update any import/usage in build config (where you
reference vite-plugin-vue2) to import from "@vitejs/plugin-vue2" instead so the
plugin name and version match Vite 7 requirements.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a693558 and a1deb85.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Preview
  • GitHub Check: Test

examples/vue/2.6-basic/package.json
Comment on lines +18 to 19
"vite": "^7.3.1",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n examples/vue/2.6-basic/package.json

Repository: TanStack/query

Length of output: 663

🌐 Web query:

vite-plugin-vue2 vite 7 compatibility supported versions

💡 Result:

Short answer: The legacy community package vite-plugin-vue2 is NOT the recommended plugin for Vite 7. For Vue 2.7 + Vite 7 you should use the official @vitejs/plugin-vue2. The legacy vite-plugin-vue2 was put into maintenance/EOL and targets older Vue/Vite usage (pre‑2.7); @vitejs/plugin-vue2 is the supported plugin for Vue 2.7 and current Vite releases. [1][2][3]

Sources:

  • vite-plugin-vue2 (maintenance / older plugin notes). [1]
  • @vitejs/plugin-vue2 / Vite docs (Vue 2.7 support; official plugin). [2]
  • Vite 7 announcement / docs (Vite 7 release and ecosystem guidance). [3]

🏁 Script executed:

cd examples/vue/2.6-basic && git log --oneline -n 10 -- package.json

Repository: TanStack/query

Length of output: 113

🏁 Script executed:

git log --oneline -n 20 | head -20

Repository: TanStack/query

Length of output: 113

🌐 Web query:

@vitejs/plugin-vue2 npm package versions

💡 Result:

Latest published @vitejs/plugin-vue2 version: 2.3.3 (npm). [1]

Recent published versions (examples): 2.3.3, 2.3.2, 2.3.0, 2.2.0, 2.1.0, 2.0.1, 2.0.0, 1.1.2, ... . See full version history on the npm package page. [1][2]

Sources:
[1] npm package page for @vitejs/plugin-vue2.
[2] vitejs/vite-plugin-vue2 repository (plugin info).

🌐 Web query:

vite-plugin-vue2 2.0.3 supported vite versions requirements

💡 Result:

vite-plugin-vue2 v2.0.3 requires Vite v2 or newer (peer dependency: vite >= 2.0.0). [1][2]

Sources:

  • package listing / registry summaries for vite-plugin-vue2. [1]
  • example pnpm lock / package metadata showing peerDependencies vite: ">=2.0.0". [2]

Incompatible plugin for Vite 7: use @vitejs/plugin-vue2 instead.

vite-plugin-vue2 2.0.3 is a legacy, maintenance-only package that is not supported for Vite 7.x. The official plugin for Vite 7 is @vitejs/plugin-vue2 (version 2.3.3 or later).

Replace vite-plugin-vue2 with @vitejs/plugin-vue2 to resolve the breaking incompatibility.

🤖 Prompt for AI Agents 
In @examples/vue/2.6-basic/package.json around lines 18 - 19, The dependency
"vite-plugin-vue2" in package.json is incompatible with Vite 7; replace the
"vite-plugin-vue2" entry with "@vitejs/plugin-vue2" and update the version to a
Vite-7-compatible release (e.g., ^2.3.3 or later), then update any import/usage
in build config (where you reference vite-plugin-vue2) to import from
"@vitejs/plugin-vue2" instead so the plugin name and version match Vite 7
requirements.

coderabbitai[bot]
coderabbitai bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.6-basic/package.json:
- Around line 18-19: The dependency combination is incompatible: replace
"vite-plugin-vue2" with the official "@vitejs/plugin-vue2" in package.json
(remove "vite-plugin-vue2": "2.0.3" and add "@vitejs/plugin-vue2" with a
compatible version), then update any plugin imports/usages in your Vite config
(e.g., change import from "vite-plugin-vue2" to "@vitejs/plugin-vue2" and call
the new plugin factory in the plugins array), and run a fresh install and build
to verify compatibility with Vite 5.4.21.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1deb85 and 1105f27.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.7-basic/package.json

examples/vue/2.6-basic/package.json Outdated
Comment on lines 18 to 19
"vite": "^5.4.21",
"vite-plugin-vue2": "2.0.3"
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check vite-plugin-vue2 peer dependencies for Vite compatibility
npm view vite-plugin-vue2@2.0.3 peerDependencies --json 2>/dev/null | jq . || echo "Failed to fetch peer dependencies"

echo "---"

# Check available versions of vite-plugin-vue2
npm view vite-plugin-vue2 versions --json 2>/dev/null | jq '.[-10:]' || echo "Failed to fetch versions"

Repository: TanStack/query

Length of output: 254

🌐 Web query:

vite-plugin-vue2 2.0.3 compatibility Vite 5

💡 Result:

Short answer: vite-plugin-vue2 (latest 2.0.3) is an older community plugin in maintenance/EOL and does not officially target Vite 5. For Vue 2.7+ use the official @vitejs/plugin-vue2 which supports modern Vite (including Vite 5). Sources: vite-plugin-vue2 package info (maintenance/EOL). [1] and @vitejs/plugin-vue2 docs/npm (supports Vue 2.7 and Vite). [2][3]

References

  • vite-plugin-vue2 (package / maintenance note). [1]
  • @vitejs/plugin-vue2 (official plugin — works with Vue 2.7 and Vite). [2][3]

Would you like exact install/upgrade steps to switch to @vitejs/plugin-vue2?

🌐 Web query:

Vite 5.4.21 CVE security vulnerabilities CVE-2025

💡 Result:

Short answer: Vite 5.4.21 contains the fix for a 2025 CVE (CVE-2025-62522). Upgrade to 5.4.21 or later and avoid exposing the dev server to the network.

Details:

  • CVE‑2025‑62522: a server.fs.deny bypass (Windows, trailing backslash) — patched in v5.4.21. See NVD and vendor advisories. [1][2]
  • Other related 2025 Vite dev-server information-disclosure CVEs were fixed in earlier 5.4.x releases (examples: CVE‑2025‑30208, CVE‑2025‑31486, CVE‑2025‑58752, CVE‑2025‑46565); many of these only affect Vite dev servers exposed to the network. If you run a dev server, do not bind it to public hosts and upgrade to the patched release. [3][4][5][6][7]

If you want, I can fetch the exact advisory/commit links and provide a brief upgrade checklist for your projects.

Sources:
[1] NVD — CVE-2025-62522.
[2] Positive Technologies / dbugs — PT advisory for CVE-2025-62522.
[3] CVE Details — CVE-2025-62522 summary.
[4] NVD — CVE-2025-30208.
[5] NVD — CVE-2025-31486.
[6] NVD — CVE-2025-58752.
[7] ResolvedSecurity / CVE-2025-46565.

This combination will fail: vite-plugin-vue2@2.0.3 does not support Vite 5.x.

The peer dependencies for vite-plugin-vue2@2.0.3 explicitly restrict it to "vite": "^2.0.0 || ^3.0.0 || ^4.0.0". Upgrading vite to 5.4.21 while keeping this plugin will cause build or runtime failures.

Replace with @vitejs/plugin-vue2, the official community plugin that supports Vite 5 and is actively maintained. Update the dependency in package.json and adjust any plugin imports/configuration accordingly if using this example.

Vite 5.4.21 does address the mentioned CVEs (including CVE-2025-62522 and earlier 2025 dev-server vulnerabilities).

🤖 Prompt for AI Agents 
In @examples/vue/2.6-basic/package.json around lines 18 - 19, The dependency
combination is incompatible: replace "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2" in package.json (remove "vite-plugin-vue2": "2.0.3" and
add "@vitejs/plugin-vue2" with a compatible version), then update any plugin
imports/usages in your Vite config (e.g., change import from "vite-plugin-vue2"
to "@vitejs/plugin-vue2" and call the new plugin factory in the plugins array),
and run a fresh install and build to verify compatibility with Vite 5.4.21.

coderabbitai[bot]
coderabbitai bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.7-basic/package.json:
- Line 17: The project currently lists "vite": "^7.3.1" which is incompatible
with the installed vite-plugin-vue2@2.0.3 (peer supports only ^5 || ^6); either
change the Vite dependency in package.json to a compatible version (e.g.,
"vite": "^6.x") or replace vite-plugin-vue2 with the official
@vitejs/plugin-vue2 and update any plugin configuration in the build setup
(e.g., where vite-plugin-vue2 is referenced) to use the new plugin API.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1105f27 and 86384ca.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • examples/vue/2.6-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview

coderabbitai[bot]
coderabbitai bot reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In @examples/vue/2.7-basic/package.json:
- Line 17: Update the dependency in package.json to replace the legacy
"vite-plugin-vue2" with the official "@vitejs/plugin-vue2"; then update any Vite
config files (e.g., vite.config.js or vite.config.ts) to change imports and
plugin usage from "vite-plugin-vue2" to "@vitejs/plugin-vue2" (replace
import/require and the plugin() invocation), run npm/yarn install to refresh
lockfile, and verify the project builds with Vite 5.x.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86384ca and 6ccf759.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • examples/vue/2.6-basic/package.json
  • examples/vue/2.7-basic/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test
🔇 Additional comments (1)
examples/vue/2.6-basic/package.json (1)

18-18: Consistent with sibling example.

The vite version update aligns with examples/vue/2.7-basic/package.json. The compatibility and security verification concerns noted in the sibling file apply here as well.

examples/vue/2.7-basic/package.json Outdated
"devDependencies": {
"typescript": "5.8.3",
"vite": "^4.5.14",
"vite": "^5.4.21",
Copy link
Contributor

@coderabbitai coderabbitai bot Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

vite-plugin-vue2 compatibility vite 5.x 6.x 7.x

💡 Result:

Short answer: use @vitejs/plugin-vue2 (official) for Vue 2.7 — the older community package vite-plugin-vue2 (underfin) is legacy/maintenance-EOL and not recommended for recent Vite major releases. The official @vitejs/plugin-vue2 is the supported plugin for Vue 2.7 and is what you should use with current Vite versions; some third‑party Vue2 ecosystem plugins may still have strict peerDependencies and need updates for Vite 7 (peer‑dep conflicts have been reported). [1][2][3]

References:

  • @vitejs/plugin-vue2 README (official plugin for Vue 2.7). [1]
  • Vite docs / migration notes: recommends @vitejs/plugin-vue2 for Vue 2.7 and notes vite-plugin-vue2 is superseded. [2]
  • Vite GitHub issue showing ecosystem peer-dependency problems with Vite 7 (example of plugins needing updates). [3]

🏁 Script executed:

# Search for PR context or comments about vite version choice
cd /tmp && find . -type f -name "*.md" -o -name "*.json" | head -20
git ls-files | grep -E "(CHANGELOG|README|PR|\.github)" | head -20

Repository: TanStack/query

Length of output: 126

🏁 Script executed:

# Check if there are any CVE references in the repository
rg -i "cve|security|vulnerability" --type md --type json | head -30

Repository: TanStack/query

Length of output: 2043

🏁 Script executed:

# Check the actual package.json file and its git history for context
cat -n examples/vue/2.7-basic/package.json

Repository: TanStack/query

Length of output: 645

Replace vite-plugin-vue2 with the official @vitejs/plugin-vue2.

The package uses vite-plugin-vue2@2.0.3, which is a legacy community plugin that is no longer maintained. The official plugin is @vitejs/plugin-vue2 from the Vite team, which is the recommended choice for Vue 2.7 projects. The Vite 5.x constraint appears intentional for compatibility with the legacy plugin, but you should migrate to the official plugin instead to ensure long-term support and compatibility with current and future Vite versions.

🤖 Prompt for AI Agents 
In @examples/vue/2.7-basic/package.json at line 17, Update the dependency in
package.json to replace the legacy "vite-plugin-vue2" with the official
"@vitejs/plugin-vue2"; then update any Vite config files (e.g., vite.config.js
or vite.config.ts) to change imports and plugin usage from "vite-plugin-vue2" to
"@vitejs/plugin-vue2" (replace import/require and the plugin() invocation), run
npm/yarn install to refresh lockfile, and verify the project builds with Vite
5.x.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 18, 2026
edited
Loading

size-limit report 📦

Path Size
react full 11.92 KB (0%)
react minimal 8.95 KB (0%)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants