Bump vite from 4.5.0 to 5.0.12

[dependabot]

Bumps vite from 4.5.0 to 5.0.12.

Release notes

Sourced from vite's releases.

create-vite@5.0.0

Please refer to CHANGELOG.md for details.

create-vite@5.0.0-beta.1

Please refer to CHANGELOG.md for details.

create-vite@5.0.0-beta.0

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.0.12 (2024-01-19)

• fix: await configResolved hooks of worker plugins (#15597) (#15605) (ef89f80), closes #15597 #15605
• fix: fs deny for case insensitive systems (#15653) (91641c4), closes #15653

5.0.11 (2024-01-05)

• fix: don't pretransform classic script links (#15361) (19e3c9a), closes #15361
• fix: inject __vite__mapDeps code before sourcemap file comment (#15483) (d2aa096), closes #15483
• fix(assets): avoid splitting , inside base64 value of srcset attribute (#15422) (8de7bd2), closes #15422
• fix(html): handle offset magic-string slice error (#15435) (5ea9edb), closes #15435
• chore(deps): update dependency strip-literal to v2 (#15475) (49d21fe), closes #15475
• chore(deps): update tj-actions/changed-files action to v41 (#15476) (2a540ee), closes #15476

5.0.10 (2023-12-15)

• fix: omit protocol does not require pre-transform (#15355) (d9ae1b2), closes #15355
• fix(build): use base64 for inline SVG if it contains both single and double quotes (#15271) (1bbff16), closes #15271

5.0.9 (2023-12-14)

• fix: htmlFallbackMiddleware for favicon (#15301) (c902545), closes #15301
• fix: more stable hash calculation for depsOptimize (#15337) (2b39fe6), closes #15337
• fix(scanner): catch all external files for glob imports (#15286) (129d0d0), closes #15286
• fix(server): avoid chokidar throttling on startup (#15347) (56a5740), closes #15347
• fix(worker): replace import.meta correctly for IIFE worker (#15321) (08d093c), closes #15321
• feat: log re-optimization reasons (#15339) (b1a6c84), closes #15339
• chore: temporary typo (#15329) (7b71854), closes #15329
• perf: avoid computing paths on each request (#15318) (0506812), closes #15318
• perf: temporary hack to avoid fs checks for /@​react-refresh (#15299) (b1d6211), closes #15299

5.0.8 (2023-12-12)

• perf: cached fs utils (#15279) (c9b61c4), closes #15279
• fix: missing warmupRequest in transformIndexHtml (#15303) (103820f), closes #15303
• fix: public files map will be updated on add/unlink in windows (#15317) (921ca41), closes #15317
• fix(build): decode urls in CSS files (fix #15109) (#15246) (ea6a7a6), closes #15109 #15246
• fix(deps): update all non-major dependencies (#15304) (bb07f60), closes #15304
• fix(ssr): check esm file with normal file path (#15307) (1597170), closes #15307

... (truncated)

Commits

• ee81e19 release: v5.0.12
• 91641c4 fix: fs deny for case insensitive systems (#15653)
• ef89f80 fix: await configResolved hooks of worker plugins (#15597) (#15605)
• b44c493 release: v5.0.11
• d2aa096 fix: inject __vite__mapDeps code before sourcemap file comment (#15483)
• 2a540ee chore(deps): update tj-actions/changed-files action to v41 (#15476)
• 5ea9edb fix(html): handle offset magic-string slice error (#15435)
• 49d21fe chore(deps): update dependency strip-literal to v2 (#15475)
• 8de7bd2 fix(assets): avoid splitting , inside base64 value of srcset attribute (#...
• 19e3c9a fix: don't pretransform classic script links (#15361)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/vite@5.0.12	Transitive: environment, filesystem, network, shell	+8	10 MB	antfu, patak, soda, ...2 more

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Unpublished package	npm/vite@5.0.12	Version: Invalid Date	package.json pnpm-lock.yaml
Empty package	npm/@rollup/rollup-android-arm-eabi@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-android-arm-eabi@4.9.6
No tests	npm/@rollup/rollup-android-arm-eabi@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-android-arm-eabi@4.9.6
Unpublished package	npm/@rollup/rollup-android-arm-eabi@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-android-arm-eabi@4.9.6
Empty package	npm/@rollup/rollup-android-arm64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-android-arm64@4.9.6
No tests	npm/@rollup/rollup-android-arm64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-android-arm64@4.9.6
Unpublished package	npm/@rollup/rollup-android-arm64@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-android-arm64@4.9.6
Empty package	npm/@rollup/rollup-darwin-x64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-darwin-x64@4.9.6
No tests	npm/@rollup/rollup-darwin-x64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-darwin-x64@4.9.6
Unpublished package	npm/@rollup/rollup-darwin-x64@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-darwin-x64@4.9.6
Empty package	npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6
No tests	npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6
Unpublished package	npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6
Empty package	npm/@rollup/rollup-linux-riscv64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-riscv64-gnu@4.9.6
No tests	npm/@rollup/rollup-linux-riscv64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-riscv64-gnu@4.9.6
Unpublished package	npm/@rollup/rollup-linux-riscv64-gnu@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-linux-riscv64-gnu@4.9.6
Empty package	npm/@rollup/rollup-linux-x64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-x64-gnu@4.9.6
No tests	npm/@rollup/rollup-linux-x64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-x64-gnu@4.9.6
Unpublished package	npm/@rollup/rollup-linux-x64-gnu@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-linux-x64-gnu@4.9.6
Empty package	npm/@rollup/rollup-linux-x64-musl@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-x64-musl@4.9.6
No tests	npm/@rollup/rollup-linux-x64-musl@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-x64-musl@4.9.6
Unpublished package	npm/@rollup/rollup-linux-x64-musl@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-linux-x64-musl@4.9.6
Empty package	npm/@rollup/rollup-win32-arm64-msvc@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-win32-arm64-msvc@4.9.6
No tests	npm/@rollup/rollup-win32-arm64-msvc@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-win32-arm64-msvc@4.9.6
Empty package	npm/@rollup/rollup-win32-ia32-msvc@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-win32-ia32-msvc@4.9.6
Unpublished package	npm/@rollup/rollup-win32-ia32-msvc@4.9.6	Version: 4/9/2006, 12:00:00 AM	orphan: npm/@rollup/rollup-win32-ia32-msvc@4.9.6
Mixed license	npm/rollup@4.9.6	License: ISC,MIT	package.json pnpm-lock.yaml
Unpublished package	npm/rollup@4.9.6	Version: 4/9/2006, 12:00:00 AM	package.json pnpm-lock.yaml
Filesystem access	npm/rollup@4.9.6	Module: fs Location: Package overview	package.json pnpm-lock.yaml
Environment variable access	npm/rollup@4.9.6	Env Vars: CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR Location: Package overview	package.json pnpm-lock.yaml
Environment variable access	npm/rollup@4.9.6	Env Vars: CHOKIDAR_USEPOLLING Location: Package overview	package.json pnpm-lock.yaml
Environment variable access	npm/rollup@4.9.6	Env Vars: CHOKIDAR_INTERVAL Location: Package overview	package.json pnpm-lock.yaml
Dynamic require	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Manifest confusion	npm/rollup@4.9.6	Location: Package overview	package.json pnpm-lock.yaml
Empty package	npm/@rollup/rollup-linux-arm64-musl@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm64-musl@4.9.6
No tests	npm/@rollup/rollup-linux-arm64-musl@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm64-musl@4.9.6
Empty package	npm/@rollup/rollup-darwin-arm64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-darwin-arm64@4.9.6
No tests	npm/@rollup/rollup-darwin-arm64@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-darwin-arm64@4.9.6
Empty package	npm/@rollup/rollup-linux-arm64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm64-gnu@4.9.6
No tests	npm/@rollup/rollup-linux-arm64-gnu@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-linux-arm64-gnu@4.9.6
Empty package	npm/@rollup/rollup-win32-x64-msvc@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-win32-x64-msvc@4.9.6
No tests	npm/@rollup/rollup-win32-x64-msvc@4.9.6	Location: Package overview	orphan: npm/@rollup/rollup-win32-x64-msvc@4.9.6

View full report↗︎

Next steps

What are unpublished packages?

Package version was not found on the registry. It may exist on a different registry and need to be configured to pull from that registry.

Packages can be removed from the registry by manually un-publishing, a security issue removal, or may simply never have been published to the registry. Reliance on these packages will cause problem when they are not found.

What is an empty package?

Package does not contain any code. It may be removed, is name squatting, or the result of a faulty package publish.

Remove dependencies that do not export any code or functionality and ensure the package version includes all of the files it is supposed to.

What does no tests mean?

Package does not have any tests. This is a strong signal of a poorly maintained or low quality package.

Add tests and publish a new version of the package. Consumers may look for an alternative package with better testing.

What is a mixed license?

(Experimental) Package contains multiple licenses.

A new version of the package should be published that includes a single license. Consumers may seek clarification from the package author. Ensure that the license details are consistent across the LICENSE file, package.json license field and license details mentioned in the README.

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

What is dynamic require?

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

What is manifest confusion?

This package has inconsistent metadata. This could be malicious or caused by an error when publishing the package.

Packages with inconsistent metadata may be corrupted or malicious.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/vite@5.0.12
• @SocketSecurity ignore npm/@rollup/rollup-android-arm-eabi@4.9.6
• @SocketSecurity ignore npm/@rollup/rollup-android-arm64@4.9.6
• @SocketSecurity ignore npm/@rollup/rollup-darwin-x64@4.9.6
• @SocketSecurity ignore npm/@rollup/rollup-linux-arm-gnueabihf@4.9.6
• @SocketSecurity ignore npm/@rollup/rollup-linux-riscv64-gnu@4.9.6
• @So

[pr-explainer-bot]

Pull Request Review

Hey there! 👋 Here's a summary of the previous tasks and their results:

Changes

1. Updated the version of vite from 4.5.0 to 5.0.12. You can find more details in the commit history.

Suggestions

1. In pnpm-lock.yaml, consider removing the optional: true flag for the peerDependenciesMeta section. It seems unnecessary.
2. In pnpm-lock.yaml, the dependencies section could be organized alphabetically for better readability.

Bugs

1. In pnpm-lock.yaml, there is a potential bug in the peerDependencies section. The version range for @types/node should be enclosed in quotes, like '^18.0.0' || '>20.0.0' instead of ^18.0.0 || >=20.0.0.

Improvements

In the code snippet below, the dependencies section in pnpm-lock.yaml could be refactored for better readability:

 dependencies:
-  '@types/node': 20.9.0
-  esbuild: 0.19.5
-  postcss: 8.4.33
-  rollup: 4.9.6
+  '@types/node': '^20.9.0',
+  esbuild: '^0.19.5',
+  postcss: '^8.4.33',
+  rollup: '^4.9.6'

This change ensures that the versions of the dependencies are specified using the caret (^) symbol, allowing for compatible updates in the future.

Rating

Overall code rating: 7.5 out of 10. The code seems to have some updates.

That's it for the summary! Feel free to review the details and make any necessary changes. 🚀