chore(deps): update dependency vite to v6.3.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.3.1 -> 6.3.4

GitHub Vulnerability Alerts

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.3.4

Compare Source

• fix: check static serve file inside sirv (#​19965) (c22c43d), closes #​19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #​19940
• refactor: remove duplicate plugin context type (#​19935) (d6d01c2), closes #​19935

v6.3.3

Compare Source

• fix: ignore malformed uris in tranform middleware (#​19853) (e4d5201), closes #​19853
• fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#​1949 (16a73c0), closes #​19496
• fix(css): resolve relative imports in sass properly on Windows (#​19920) (ffab442), closes #​19920
• fix(deps): update all non-major dependencies (#​19899) (a4b500e), closes #​19899
• fix(ssr): fix execution order of re-export (#​19841) (ed29dee), closes #​19841
• fix(ssr): fix live binding of default export declaration and hoist exports getter (#​19842) (80a91ff), closes #​19842
• perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#​19921) (55cfd04), closes #​19921
• test(ssr): test ssrTransform re-export deps and test stacktrace with first line (#​19629) (9399cda), closes #​19629

v6.3.2

Compare Source

• fix: match default asserts case insensitive (#​19852) (cbdab1d), closes #​19852
• fix: open first url if host does not match any urls (#​19886) (6abbdce), closes #​19886
• fix(css): respect css.lightningcss option in css minification process (#​19879) (b5055e0), closes #​19879
• fix(deps): update all non-major dependencies (#​19698) (bab4cb9), closes #​19698
• feat(css): improve lightningcss messages (#​19880) (c713f79), closes #​19880

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: dc2a46c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR