[Vue] Update dev dependency @vitejs/plugin-vue
#2977
Merged
+14
−8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR updates the @vitejs/plugin-vue dependency to address security vulnerabilities in the esbuild dependency chain. The change upgrades the plugin from version ^4.4.0 to ^5.1.5 to ensure compatibility with Vite 6+ which requires esbuild 0.25.0+ to resolve known security issues.
- Updates
@vitejs/plugin-vuefrom ^4.4.0 to ^5.1.5 in package.json
src/Vue/assets/package.json
Outdated
| @@ -49,7 +49,7 @@ | |||
| "@testing-library/jest-dom": "^6.6.3", | |||
| "@testing-library/user-event": "^14.6.1", | |||
| "@types/webpack-env": "^1.16", | |||
| "@vitejs/plugin-vue": "^4.4.0", | |||
| "@vitejs/plugin-vue": "^5.1.5", | |||
There was a problem hiding this comment.
This is a major version upgrade (4.x to 5.x) that may introduce breaking changes. Consider reviewing the plugin-vue migration guide and testing thoroughly to ensure compatibility with existing Vue components and build configurations.
Copilot uses AI. Check for mistakes.
Kocal
approved these changes
Aug 6, 2025
carsonbot
added
Status: Reviewed
carsonbot
changed the title
Kocal
changed the title
@vitejs/plugin-vue
esbuild 0.21.5 require by vite 5.4.19, require by plugin-vue 4.6.2 contain security vulnerabilities It's necessary to upgrade to esbuild 0.25.0+, so plugin-vue must be in 5.1.5+ in order to have vite 6+
Kocal
changed the title
@vitejs/plugin-vue@vitejs/plugin-vue
|
Thank you @neothone. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
esbuild 0.21.5 require by vite 5.4.19, require by plugin-vue 4.6.2 contains security vulnerabilities
It's necessary to upgrade to esbuild to 0.25.0+, so plugin-vue must be in 5.1.5+ in order to have vite 6+ which is the first version that require esbuild 0.25.0+
It's a recurring dependabot alerts for me, example : https://github.com/fastfony/fastfony/security/dependabot/1
I have tested this upgrade on Fastfony with a fork of ux-vue repo and seems to no BC appears.