chore(deps): update dependency vite to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	4.5.5 -> 5.4.21

GitHub Vulnerability Alerts

CVE-2025-24010

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Warning

This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

• Using the backend integration feature
• Using a reverse proxy in front of Vite
• Accessing the development server via a domain other than localhost or *.localhost
• Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

• fix the plugin / framework code to the make it compatible with the new version of Vite
• set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
  • When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
4. The user edits some files.
5. Vite sends some HMR messages over WebSocket.
6. The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

1. The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
2. The user accesses the malicious web page.
3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
4. The attacker sends a fetch('/main.js') request by JS in that malicious web page.
5. The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

1. I used the react template which utilizes HMR functionality.

npm create vite@latest my-vue-app-react -- --template react

2. Then on a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

3. Kick off Vite

npm run dev

4. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
5. Edit src/App.jsx file and intentionally place a syntax error
6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

CVE-2025-30208

Summary

The contents of arbitrary files can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as ? are removed in several places, but are not accounted for in query string regexes.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw??"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2025-62522

Summary

Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows.

Impact

Only apps that match the following conditions are affected:

• explicitly exposes the Vite dev server to the network (using --host or server.host config option)
• running the dev server on Windows

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass by using a back slash(\). The root cause is that fs.readFile('/foo.png/') loads /foo.png.

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env\ http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v5.4.21

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.20

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.19

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.18

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.16

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.15

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.14

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.13

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.12

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES

• drop node 21 support in version ranges (#​18729)
• deps: update dependency dotenv-expand to v12 (#​18697)
• resolve: allow removing conditions (#​18395)
• html: support more asset sources (#​11138)
• remove fs.cachedChecks option (#​18493)
• proxy bypass with WebSocket (#​18070)
• css: remove default import in ssr dev (#​17922)
• lib: use package name for css output file name (#​18488)
• update to chokidar v4 (#​18453)
• support file:// resolution (#​18422)
• deps: update postcss-load-config to v6 (#​15235)
• css: change default sass api to modern/modern-compiler (#​17937)
• css: load postcss config within workspace root only (#​18440)
• default build.cssMinify to 'esbuild' for SSR (#​15637)
• json: add json.stringify: 'auto' and make that the default (#​18303)
• bump minimal terser version to 5.16.0 (#​18209)
• deps: migrate fast-glob to tinyglobby (#​18243)

Features

• add support for .cur type (#​18680) (5ec9eed)
• drop node 21 support in version ranges (#​18729) (a384d8f)
• enable HMR by default on ModuleRunner side (#​18749) (4d2abc7)
• support module-sync condition when loading config if enabled (#​18650) (cf5028d)
• add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0)
• add ssr.resolve.mainFields option (#​18646) (a6f5f5b)
• expose default mainFields/conditions (#​18648) (c12c653)
• extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd)
• optimizer: allow users to specify their esbuild platform option (#​18611) (0924879)
• show error when accessing variables not exposed in CJS build (#​18649) (87c5502)
• asset: add ?inline and ?no-inline queries to control inlining (#​15454) (9162172)
• asset: inline svg in dev if within limit (#​18581) (f08b146)
• use a single transport for fetchModule and HMR support (#​18362) (78dc490)
• html: support more asset sources (#​11138) (8a7af50)
• resolve: allow removing conditions (#​18395) (d002e7d)
• html: support vite-ignore attribute to opt-out of processing (#​18494) (d951310)
• lib: use package name for css output file name (#​18488) (61cbf6f)
• log complete config in debug mode (#​18289) (04f6736)
• proxy bypass with WebSocket (#​18070) (3c9836d)
• support file:// resolution (#​18422) (6a7e313)
• update to chokidar v4 (#​18453) (192d555)
• allow custom console in createLogger (#​18379) (0c497d9)
• css: add more stricter typing of lightningcss (#​18460) (b9b925e)
• css: change default sass api to modern/modern-compiler (#​17937) (d4e0442)
• read sec-fetch-dest header to detect JS in transform (#​9981) (e51dc40)
• css: load postcss config within workspace root only (#​18440) (d23a493)
• json: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7)
• add .git to deny list by default (#​18382) (105ca12)
• add environment::listen (#​18263) (4d5f51d)
• enable dependencies discovery and pre-bundling in ssr environments (#​18358) (9b21f69)
• restrict characters useable for environment name (#​18255) (9ab6180)
• support arbitrary module namespace identifier imports from cjs deps (#​18236) (4389a91)
• introduce RunnableDevEnvironment (#​18190) (fb292f2)
• support this.environment in options and onLog hook (#​18142) (7722c06)
• css: support es2023 build target for lightningcss (#​17998) (1a76300)
• Environment API (#​16471) (242f550)
• expose EnvironmentOptions type (#​18080) (35cf59c)

Bug Fixes

• createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#​18673) (74221c3)
• getModulesByFile should return a serverModule (#​18715) (b80d5ec)
• catch error in full reload handler (#​18713) (a10e741)
• client: overlay not appearing when multiple vite clients were loaded (#​18647) (27d70b5)
• deps: update all non-major dependencies (#​18691) (f005461)
• deps: update dependency dotenv-expand to v12 (#​18697) (0c658de)
• display pre-transform error details (#​18764) (554f45f)
• exit code on SIGTERM (#​18741) (cc55e36)
• expose missing InterceptorOptions type (#​18766) (6252c60)
• html: fix inline proxy modules invalidation (#​18696) (8ab04b7)
• log error when send in module runner failed (#​18753) (ba821bb)
• module-runner: make evaluator optional (#​18672) (fd1283f)
• optimizer: detect npm / yarn / pnpm dependency changes correctly (#​17336) (#​18560) (818cf3e)
• optimizer: trigger onCrawlEnd after manual included deps are registered (#​18733) (dc60410)
• optimizer: workaround firefox's false warning for no sources source map (#​18665) (473424e)
• ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#​18748) (94546be)
• cjs build for perEnvironmentState et al (#​18656) (95c4b3c)
• html: externalize rollup.external scripts correctly (#​18618) (55461b4)
• include more modules to prefix-only module list (#​18667) (5a2103f)
• ssr: format ssrTransform parse error (#​18644) (d9be921)
• ssr: preserve fetchModule error details (#​18626) (866a433)
• browser field should not be included by default for consumer: 'server' (#​18575) (87b2347)
• client: detect ws close correctly (#​18548) (637d31b)
• resolve: run ensureVersionQuery for SSR (#​18591) (63207e5)
• use server.perEnvironmentStartEndDuringDev (#​18549) (fe30349)
• allow nested dependency selector to be used for optimizeDeps.include for SSR (#​18506) (826c81a)
• asset new URL(,import.meta.url) match (#​18194) (5286a90)
• close watcher if it's disabled (#​18521) (85bd0e9)
• config: write temporary vite config to node_modules (#​18509) (72eaef5)
• css: cssCodeSplit uses the current environment configuration (#​18486) (eefe895)
• json: don't json.stringify arrays (#​18541) (fa50b03)
• less: prevent rebasing [@import](https://redirect.github.com/import) url(...) (#​17857) (aec5fdd)
• lib: only resolve css bundle name if have styles (#​18530) (5d6dc49)
• scss: improve error logs (#​18522) (3194a6a)
• define in environment config was not working (#​18515) (052799e)
• build: apply resolve.external/noExternal to server environments (#​18495) (5a967cb)
• config: remove error if require resolve to esm (#​18437) (f886f75)
• consider URLs with any protocol to be external (#​17369) (a0336bd)
• css: remove default import in ssr dev (#​17922) (eccf663)
• use picomatch to align with tinyglobby (#​18503) (437795d)
• css: cssCodeSplit in environments.xxx.build is invalid (#​18464) (993e71c)
• css: make sass types work with sass-embedded (#​18459) (89f8303)
• deps: update all non-major dependencies (#​18484) (2ec12df)
• handle warmup glob hang (#​18462) (409fa5c)
• manifest: non entry CSS chunk src was wrong (#​18133) (c148676)
• module-runner: delay function eval until module runner instantiation (#​18480) (472afbd)
• plugins: noop if config hook returns same config reference (#​18467) (bd540d5)
• return the same instance of ModuleNode for the same EnvironmentModuleNode (#​18455) (5ead461)
• set scripts imported by HTML moduleSideEffects=true (#​18411) (2ebe4b4)
• use websocket to test server liveness before client reload (#​17891) (7f9f8c6)
• add typing to CSSOptions.preprocessorOptions (#​18001) (7eeb6f2)
• default build.cssMinify to 'esbuild' for SSR (#​15637) (f1d3bf7)
• dev: prevent double URL encoding in server.open on macOS (#​18443) (56b7176)
• preview: set resolvedUrls null after close (#​18445) (65014a3)
• ssr: inject identity function at the top (#​18449) (0ab20a3)
• ssr: preserve source maps for hoisted imports (fix #​16355) (#​16356) (8e382a6)
• augment hash for CSS files to prevent chromium erroring by loading previous files (#​18367) (a569f42)
• cli: --watch should not override build.watch options (#​18390) (b2965c8)
• css: don't transform sass function calls with namespace (#​18414) (dbb2604)
• deps: update open dependency to 10.1.0 (#​18349) (5cca4bf)
• deps: update all non-major dependencies (#​18345) (5552583)
• more robust plugin.sharedDuringBuild (#​18351) (47b1270)
• ssr: this in exported function should be undefined (#​18329) (bae6a37)
• worker: rewrite rollup output.format with worker.format on worker build error (#​18165) (dc82334)
• injectQuery double encoding (#​18246) (2c5f948)
• add position to import analysis resolve exception (#​18344) (0fe95d4)
• assets: make srcset parsing HTML spec compliant (#​16323) (#​18242) (0e6d4a5)
• css: dont remove JS chunk for pure CSS chunk when the export is used (#​18307) (889bfc0)
• deps: bump tsconfck (#​18322) (67783b2)
• deps: update all non-major dependencies (#​18292) (5cac054)
• destroy the runner when runnable environment is closed (#​18282) (5212d09)
• handle yarn command fail when root does not exist (#​18141) (460aaff)
• hmr: don't try to rewrite imports for direct CSS soft invalidation (#​18252) (a03bb0e)
• make it easier to configure environment runner (#​18273) (fb35a78)
• middleware-mode: call all hot.listen when server restart (#​18261) (007773b)
• optimizer: don't externalize transitive dep package name with asset extension (#​18152) (fafc7e2)
• resolve: fix resolve cache key for external conditions (#​18332) (93d286c)
• resolve: fix resolve cache to consider conditions and more (#​18302) (2017a33)
• types: add more overload to defineConfig (#​18299) (94e34cf)
• asset import should skip handling data URIs (#​18163) (70813c7)
• cache the runnable environment module runner (#​18215) (95020ab)
• call this.hot.close for non-ws HotChannel (#​18212) (bad0ccc)
• close HotChannel on environment close (#​18206) (2d148e3)
• config: treat all files as ESM on deno (#​18081) (c1ed8a5)
• css: ensure sass compiler initialized only once (#​18128) (4cc5322)
• css: fix lightningcss dep url resolution with custom root (#​18125) (eb08f60)
• css: fix missing source file warning with sass modern api custom importer (#​18113) (d7763a5)
• data-uri: only match ids starting with data: (#​18241) (ec0efe8)
• deps: update all non-major dependencies (#​18170) (c8aea5a)
• deps: upgrade rollup 4.22.4+ to ensure avoiding XSS (#​18180) (ea1d0b9)
• html: make build-html plugin work with sharedPlugins (#​18214) (34041b9)
• mixedModuleGraph: handle undefined id in getModulesByFile (#​18201) (768a50f)
• optimizer: re-optimize when changing config webCompatible (#​18221) (a44b0a2)
• require serialization for HMRConnection.send on implementation side (#​18186) (9470011)
• ssr: fix source map remapping with multiple sources (#​18150) (e003a2c)
• use config.consumer instead of options?.ssr / config.build.ssr (#​18140) (21ec1ce)
• vite: refactor "module cache" to "evaluated modules", pass down module to "runInlinedModule" (#​18092) (e83beff)
• avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#​18115) (ade1d89)
• fs raw query (#​18112) (9d2413c)
• preload: throw error preloading module as well (#​18098) (ba56cf4)
• allow scanning exports from script module in svelte (#​18063) (7d699aa)
• build: declare preload-helper has no side effects (#​18057) (587ad7b)
• css: fallback to mainthread if logger or pkgImporter option is set for sass (#​18071) (d81dc59)
• dynamicImportVars: correct glob pattern for paths with parentheses (#​17940) (2a391a7)
• ensure req.url matches moduleByEtag URL to avoid incorrect 304 (#​17997) (abf04c3)
• html: escape html attribute (#​18067) (5983f36)
• incorrect environment consumer option resolution (#​18079) (0e3467e)
• preload: allow ignoring dep errors (#​18046) (3fb2889)
• store backwards compatible ssrModule and ssrError (#​18031) (cf8ced5)

Performance Improvements

• reduce bundle size for Object.keys(import.meta.glob(...)) / Object.values(import.meta.glob(...)) (#​18666) (ed99a2c)
• worker: inline worker without base64 (#​18752) (90c66c9)
• remove strip-ansi for a node built-in (#​18630) (5182272)
• css: skip style.css extraction if code-split css (#​18470) (34fdb6b)
• call module.enableCompileCache() (#​18323) (18f1dad)
• use crypto.hash when available (#​18317) (2a14884)

Documentation

• rename HotUpdateContext to HotUpdateOptions (#​18718) (824c347)
• add jsdocs to flags in BuilderOptions (#​18516) (1507068)
• missing changes guides (#​18491) (5da78a6)
• update fs.deny default in JSDoc (#​18514) (1fcc83d)
• update homepage (#​18274) (a99a0aa)
• fix typo in proxy.ts (#​18162) (49087bd)

Reverts

• use chokidar v3 (#​18659) (49783da)

Miscellaneous Chores

• add 5.4.x changelogs (#​18768) (26b58c8)
• add some comments about mimes (#​18705) (f07e9b9)
• deps: update all non-major dependencies (#​18746) (0ad16e9)
• deps: update all non-major dependencies (#​18634) (e2231a9)
• deps: update transitive deps (#​18602) (0c8b152)
• tweak build config (#​18622) (2a88f71)
• add warning for / mapping in resolve.alias (#​18588) (a51c254)
• deps: update all non-major dependencies ([

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @vitejs/[email protected]
npm error Found: [email protected]
npm error node_modules/vite
npm error   dev vite@"5.4.21" from the root project
npm error
npm error Could not resolve dependency:
npm error peer vite@"^4.1.0-beta.0" from @vitejs/[email protected]
npm error node_modules/@vitejs/plugin-react
npm error   dev @vitejs/plugin-react@"3.1.0" from the root project
npm error
npm error Conflicting peer dependency: [email protected]
npm error node_modules/vite
npm error   peer vite@"^4.1.0-beta.0" from @vitejs/[email protected]
npm error   node_modules/@vitejs/plugin-react
npm error     dev @vitejs/plugin-react@"3.1.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-10-21T10_04_49_165Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-10-21T10_04_49_165Z-debug-0.log