
chore(deps): upgrade vite to v6 [security] #88

Merged: dtoxvanilla1991 merged 1 commit into main from chore/vite-v6-upgrade on Apr 25, 2026

Conversation

@dtoxvanilla1991 (Contributor) commented Apr 24, 2026

Summary

Upgrades vite from ^5.4.11 → ^6.0.0 (resolved to 6.4.2).

This supersedes #87 (renovate PR) which had an unresolvable lock file conflict and only bumped to 5.4.20 in the lockfile despite claiming v6. This PR does the actual v6 upgrade with a clean lock file.


Security CVEs Addressed

| CVE | GHSA | Severity | Description |
| --- | --- | --- | --- |
| CVE-2025-30208 | GHSA-x574-m823-4x7w | Medium (5.3) | server.fs.deny bypass via ?raw?? suffix |
| CVE-2025-31125 | GHSA-4r4m-qw57-chr8 | Medium (5.3) | Bypass via ?inline&import |
| CVE-2025-31486 | GHSA-xcj6-pq6g-qj4x | Medium (5.3) | Bypass via .svg or relative paths |
| CVE-2025-32395 | GHSA-356w-63v5-8wf4 | Medium (6.0) | Bypass via invalid request-target (# in URL) |
| CVE-2025-46565 | GHSA-859w-5945-r5v3 | Medium (6.0) | Bypass via /. for files under project root |

All CVEs only affect apps explicitly exposing the dev server to the network via --host. This is a dev-only dependency, but upgrading is still the right call.


Migration Assessment (v5 → v6)

No migration changes required for this codebase. Here's the full audit:

| Breaking Change | Applies? | Reason |
| --- | --- | --- |
| resolve.conditions default changed | ❌ No | No custom resolve.conditions configured |
| Sass modern API by default | ❌ No | No Sass usage |
| CSS output filename in library mode changed (style.css → <name>.css) | ❌ No | Library builds no CSS output |
| Environment API (SSR module updates) | ❌ No | No SSR usage |
| Vite Runtime API → Module Runner API | ❌ No | Not used |
| fs.cachedChecks removed | ❌ No | Not configured |
| dotenv-expand variable order | ❌ No | No dotenv interpolation |
| json.stringify new default 'auto' | ❌ No | Not configured |
| @rollup/plugin-commonjs strictRequires: true | ❌ No | No CJS entry points |
| Node 18+ required | ✅ OK | CI runs on Node 20.x |

Verification

  • pnpm build - clean build, output size unchanged
  • pnpm test - all 69 tests pass
  • git diff --stat - only package.json + pnpm-lock.yaml changed (zero unintended changes)

Upgrades vite from ^5.4.11 to ^6.0.0 (resolved to 6.4.2).

Addresses multiple server.fs.deny CVEs:
- CVE-2025-30208 (GHSA-x574-m823-4x7w) - bypass via ?raw?? suffix
- CVE-2025-31125 (GHSA-4r4m-qw57-chr8) - bypass via ?inline&import
- CVE-2025-31486 (GHSA-xcj6-pq6g-qj4x) - bypass via .svg or relative paths
- CVE-2025-32395 (GHSA-356w-63v5-8wf4) - bypass via invalid request-target
- CVE-2025-46565 (GHSA-859w-5945-r5v3) - bypass via /. for project root files

Migration notes (v5 -> v6):
- No Sass usage: modern API change is not applicable
- No SSR: Environment API changes do not apply
- No custom resolve.conditions: default change does not apply
- Library mode CSS filename: package uses no CSS output so not applicable
- All 69 tests pass, build output unchanged

Closes #87 (original renovate PR had lock file conflicts)
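A check for the manifest/lockfile drift the description calls out for #87 (a package.json claiming v6 while pnpm-lock.yaml still resolves a 5.x release), as an added example that is not the PR's or the project's own code. It assumes the pnpm lockfile v9 layout, handles only the caret range form used here, and runs on constructed package.json and lockfile fragments; the 6.0.0 floor is the PR's declared minimum, not a per-CVE fixed version.

```python
import json
import re

# Constructed samples (not from the repo): the PR's caret range and two v9 pnpm lockfile fragments.
PACKAGE_JSON = '{"devDependencies": {"vite": "^6.0.0"}}'
LOCK_CLEAN = """lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      vite:
        specifier: ^6.0.0
        version: 6.4.2(@types/node@20.17.9)
"""
# Mimics what the PR describes for #87: manifest says v6, lockfile still on 5.x.
LOCK_STALE = LOCK_CLEAN.replace("version: 6.4.2", "version: 5.4.20")

def parse_version(text):
    """Return (major, minor, patch); pnpm's '(peer@x.y.z)' suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def caret_satisfied(spec, version):
    """Only the caret form used on this page (^X.Y.Z with X > 0) is handled."""
    if not spec.startswith("^"):
        raise ValueError(f"unsupported range: {spec!r}")
    low = parse_version(spec[1:])
    return low <= version < (low[0] + 1, 0, 0)

def lock_entry(lock_text, dep):
    """Pull (specifier, version) for a direct dependency of the root importer."""
    pattern = rf"^[ \t]+{re.escape(dep)}:\n[ \t]+specifier: (\S+)\n[ \t]+version: (\S+)"
    m = re.search(pattern, lock_text, re.M)
    if not m:
        raise ValueError(f"{dep} not found in lockfile")
    return m.group(1), m.group(2)

def check_upgrade(package_json, lock_text, dep, minimum):
    """Report whether manifest and lockfile agree and meet the patched floor."""
    declared = json.loads(package_json)["devDependencies"][dep]
    spec, resolved = lock_entry(lock_text, dep)
    version = parse_version(resolved)
    return {
        "declared": declared,
        "resolved": resolved,
        "spec_matches": spec == declared,  # lockfile specifier matches manifest
        "in_range": caret_satisfied(declared, version),
        "meets_minimum": version >= parse_version(minimum),
    }
```

Run `check_upgrade(PACKAGE_JSON, LOCK_STALE, "vite", "6.0.0")` to see the #87 situation flagged: `in_range` and `meets_minimum` both come back False even though the manifest looks upgraded.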
@dtoxvanilla1991 dtoxvanilla1991 requested a review from a team as a code owner April 24, 2026 23:21

coderabbitai Bot commented Apr 24, 2026

Important: Review skipped. Review was skipped due to path filters.

⛔ Files ignored due to path filters (2)
  • package.json is excluded by !**/*.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/*.yaml



codecov Bot commented Apr 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@dtoxvanilla1991 dtoxvanilla1991 self-assigned this Apr 24, 2026
@dtoxvanilla1991 dtoxvanilla1991 merged commit cb64d66 into main Apr 25, 2026
7 checks passed