Update dependency vite to v5.4.21

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
vite (source)	5.2.9 → 5.4.21

---

Release Notes

vitejs/vite (vite)

v5.4.21

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.20

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.19

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.18

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.16

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.15

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.14

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.13

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.12

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES

• drop node 21 support in version ranges (#​18729)
• deps: update dependency dotenv-expand to v12 (#​18697)
• resolve: allow removing conditions (#​18395)
• html: support more asset sources (#​11138)
• remove fs.cachedChecks option (#​18493)
• proxy bypass with WebSocket (#​18070)
• css: remove default import in ssr dev (#​17922)
• lib: use package name for css output file name (#​18488)
• update to chokidar v4 (#​18453)
• support file:// resolution (#​18422)
• deps: update postcss-load-config to v6 (#​15235)
• css: change default sass api to modern/modern-compiler (#​17937)
• css: load postcss config within workspace root only (#​18440)
• default build.cssMinify to 'esbuild' for SSR (#​15637)
• json: add json.stringify: 'auto' and make that the default (#​18303)
• bump minimal terser version to 5.16.0 (#​18209)
• deps: migrate fast-glob to tinyglobby (#​18243)

Features

• add support for .cur type (#​18680) (5ec9eed)
• drop node 21 support in version ranges (#​18729) (a384d8f)
• enable HMR by default on ModuleRunner side (#​18749) (4d2abc7)
• support module-sync condition when loading config if enabled (#​18650) (cf5028d)
• add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0)
• add ssr.resolve.mainFields option (#​18646) (a6f5f5b)
• expose default mainFields/conditions (#​18648) (c12c653)
• extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd)
• optimizer: allow users to specify their esbuild platform option (#​18611) (0924879)
• show error when accessing variables not exposed in CJS build (#​18649) (87c5502)
• asset: add ?inline and ?no-inline queries to control inlining (#​15454) (9162172)
• asset: inline svg in dev if within limit (#​18581) (f08b146)
• use a single transport for fetchModule and HMR support (#​18362) (78dc490)
• html: support more asset sources (#​11138) (8a7af50)
• resolve: allow removing conditions (#​18395) (d002e7d)
• html: support vite-ignore attribute to opt-out of processing (#​18494) (d951310)
• lib: use package name for css output file name (#​18488) (61cbf6f)
• log complete config in debug mode (#​18289) (04f6736)
• proxy bypass with WebSocket (#​18070) (3c9836d)
• support file:// resolution (#​18422) (6a7e313)
• update to chokidar v4 (#​18453) (192d555)
• allow custom console in createLogger (#​18379) (0c497d9)
• css: add more stricter typing of lightningcss (#​18460) (b9b925e)
• css: change default sass api to modern/modern-compiler (#​17937) (d4e0442)
• read sec-fetch-dest header to detect JS in transform (#​9981) (e51dc40)
• css: load postcss config within workspace root only (#​18440) (d23a493)
• json: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7)
• add .git to deny list by default (#​18382) (105ca12)
• add environment::listen (#​18263) (4d5f51d)
• enable dependencies discovery and pre-bundling in ssr environments (#​18358) (9b21f69)
• restrict characters useable for environment name (#​18255) (9ab6180)
• support arbitrary module namespace identifier imports from cjs deps (#​18236) (4389a91)
• introduce RunnableDevEnvironment (#​18190) (fb292f2)
• support this.environment in options and onLog hook (#​18142) (7722c06)
• css: support es2023 build target for lightningcss (#​17998) (1a76300)
• Environment API (#​16471) (242f550)
• expose EnvironmentOptions type (#​18080) (35cf59c)

Bug Fixes

• createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#​18673) (74221c3)
• getModulesByFile should return a serverModule (#​18715) (b80d5ec)
• catch error in full reload handler (#​18713) (a10e741)
• client: overlay not appearing when multiple vite clients were loaded (#​18647) (27d70b5)
• deps: update all non-major dependencies (#​18691) (f005461)
• deps: update dependency dotenv-expand to v12 (#​18697) (0c658de)
• display pre-transform error details (#​18764) (554f45f)
• exit code on SIGTERM (#​18741) (cc55e36)
• expose missing InterceptorOptions type (#​18766) (6252c60)
• html: fix inline proxy modules invalidation (#​18696) (8ab04b7)
• log error when send in module runner failed (#​18753) (ba821bb)
• module-runner: make evaluator optional (#​18672) (fd1283f)
• optimizer: detect npm / yarn / pnpm dependency changes correctly (#​17336) (#​18560) (818cf3e)
• optimizer: trigger onCrawlEnd after manual included deps are registered (#​18733) (dc60410)
• optimizer: workaround firefox's false warning for no sources source map (#​18665) (473424e)
• ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#​18748) (94546be)
• cjs build for perEnvironmentState et al (#​18656) (95c4b3c)
• html: externalize rollup.external scripts correctly (#​18618) (55461b4)
• include more modules to prefix-only module list (#​18667) (5a2103f)
• ssr: format ssrTransform parse error (#​18644) (d9be921)
• ssr: preserve fetchModule error details (#​18626) (866a433)
• browser field should not be included by default for consumer: 'server' (#​18575) (87b2347)
• client: detect ws close correctly (#​18548) (637d31b)
• resolve: run ensureVersionQuery for SSR (#​18591) (63207e5)
• use server.perEnvironmentStartEndDuringDev (#​18549) (fe30349)
• allow nested dependency selector to be used for optimizeDeps.include for SSR (#​18506) (826c81a)
• asset new URL(,import.meta.url) match (#​18194) (5286a90)
• close watcher if it's disabled (#​18521) (85bd0e9)
• config: write temporary vite config to node_modules (#​18509) (72eaef5)
• css: cssCodeSplit uses the current environment configuration (#​18486) (eefe895)
• json: don't json.stringify arrays (#​18541) (fa50b03)
• less: prevent rebasing [@import](https://redirect.github.com/import) url(...) (#​17857) (aec5fdd)
• lib: only resolve css bundle name if have styles (#​18530) (5d6dc49)
• scss: improve error logs (#​18522) (3194a6a)
• define in environment config was not working (#​18515) (052799e)
• build: apply resolve.external/noExternal to server environments (#​18495) (5a967cb)
• config: remove error if require resolve to esm (#​18437) (f886f75)
• consider URLs with any protocol to be external (#​17369) (a0336bd)
• css: remove default import in ssr dev (#​17922) (eccf663)
• use picomatch to align with tinyglobby (#​18503) (437795d)
• css: cssCodeSplit in environments.xxx.build is invalid (#​18464) (993e71c)
• css: make sass types work with sass-embedded (#​18459) (89f8303)
• deps: update all non-major dependencies (#​18484) (2ec12df)
• handle warmup glob hang (#​18462) (409fa5c)
• manifest: non entry CSS chunk src was wrong (#​18133) (c148676)
• module-runner: delay function eval until module runner instantiation (#​18480) (472afbd)
• plugins: noop if config hook returns same config reference (#​18467) (bd540d5)
• return the same instance of ModuleNode for the same EnvironmentModuleNode (#​18455) (5ead461)
• set scripts imported by HTML moduleSideEffects=true (#​18411) (2ebe4b4)
• use websocket to test server liveness before client reload (#​17891) (7f9f8c6)
• add typing to CSSOptions.preprocessorOptions (#​18001) (7eeb6f2)
• default build.cssMinify to 'esbuild' for SSR (#​15637) (f1d3bf7)
• dev: prevent double URL encoding in server.open on macOS (#​18443) (56b7176)
• preview: set resolvedUrls null after close (#​18445) (65014a3)
• ssr: inject identity function at the top (#​18449) (0ab20a3)
• ssr: preserve source maps for hoisted imports (fix #​16355) (#​16356) (8e382a6)
• augment hash for CSS files to prevent chromium erroring by loading previous files (#​18367) (a569f42)
• cli: --watch should not override build.watch options (#​18390) (b2965c8)
• css: don't transform sass function calls with namespace (#​18414) (dbb2604)
• deps: update open dependency to 10.1.0 (#​18349) (5cca4bf)
• deps: update all non-major dependencies (#​18345) (5552583)
• more robust plugin.sharedDuringBuild (#​18351) (47b1270)
• ssr: this in exported function should be undefined (#​18329) (bae6a37)
• worker: rewrite rollup output.format with worker.format on worker build error (#​18165) (dc82334)
• injectQuery double encoding (#​18246) (2c5f948)
• add position to import analysis resolve exception (#​18344) (0fe95d4)
• assets: make srcset parsing HTML spec compliant (#​16323) (#​18242) (0e6d4a5)
• css: dont remove JS chunk for pure CSS chunk when the export is used (#​18307) (889bfc0)
• deps: bump tsconfck (#​18322) (67783b2)
• deps: update all non-major dependencies (#​18292) (5cac054)
• destroy the runner when runnable environment is closed (#​18282) (5212d09)
• handle yarn command fail when root does not exist (#​18141) (460aaff)
• hmr: don't try to rewrite imports for direct CSS soft invalidation (#​18252) (a03bb0e)
• make it easier to configure environment runner (#​18273) (fb35a78)
• middleware-mode: call all hot.listen when server restart (#​18261) (007773b)
• optimizer: don't externalize transitive dep package name with asset extension (#​18152) (fafc7e2)
• resolve: fix resolve cache key for external conditions (#​18332) (93d286c)
• resolve: fix resolve cache to consider conditions and more (#​18302) (2017a33)
• types: add more overload to defineConfig (#​18299) (94e34cf)
• asset import should skip handling data URIs (#​18163) (70813c7)
• cache the runnable environment module runner (#​18215) (95020ab)
• call this.hot.close for non-ws HotChannel (#​18212) (bad0ccc)
• close HotChannel on environment close (#​18206) (2d148e3)
• config: treat all files as ESM on deno (#​18081) (c1ed8a5)
• css: ensure sass compiler initialized only once (#​18128) (4cc5322)
• css: fix lightningcss dep url resolution with custom root (#​18125) (eb08f60)
• css: fix missing source file warning with sass modern api custom importer (#​18113) (d7763a5)
• data-uri: only match ids starting with data: (#​18241) (ec0efe8)
• deps: update all non-major dependencies (#​18170) (c8aea5a)
• deps: upgrade rollup 4.22.4+ to ensure avoiding XSS (#​18180) (ea1d0b9)
• html: make build-html plugin work with sharedPlugins (#​18214) (34041b9)
• mixedModuleGraph: handle undefined id in getModulesByFile (#​18201) (768a50f)
• optimizer: re-optimize when changing config webCompatible (#​18221) (a44b0a2)
• require serialization for HMRConnection.send on implementation side (#​18186) (9470011)
• ssr: fix source map remapping with multiple sources (#​18150) (e003a2c)
• use config.consumer instead of options?.ssr / config.build.ssr (#​18140) (21ec1ce)
• vite: refactor "module cache" to "evaluated modules", pass down module to "runInlinedModule" (#​18092) (e83beff)
• avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#​18115) (ade1d89)
• fs raw query (#​18112) (9d2413c)
• preload: throw error preloading module as well (#​18098) (ba56cf4)
• allow scanning exports from script module in svelte (#​18063) (7d699aa)
• build: declare preload-helper has no side effects (#​18057) (587ad7b)
• css: fallback to mainthread if logger or pkgImporter option is set for sass (#​18071) (d81dc59)
• dynamicImportVars: correct glob pattern for paths with parentheses (#​17940) (2a391a7)
• ensure req.url matches moduleByEtag URL to avoid incorrect 304 (#​17997) (abf04c3)
• html: escape html attribute (#​18067) (5983f36)
• incorrect environment consumer option resolution (#​18079) (0e3467e)
• preload: allow ignoring dep errors (#​18046) (3fb2889)
• store backwards compatible ssrModule and ssrError (#​18031) (cf8ced5)

Performance Improvements

• reduce bundle size for Object.keys(import.meta.glob(...)) / Object.values(import.meta.glob(...)) (#​18666) (ed99a2c)
• worker: inline worker without base64 (#​18752) (90c66c9)
• remove strip-ansi for a node built-in (#​18630) (5182272)
• css: skip style.css extraction if code-split css (#​18470) (34fdb6b)
• call module.enableCompileCache() (#​18323) (18f1dad)
• use crypto.hash when available (#​18317) (2a14884)

Documentation

• rename HotUpdateContext to HotUpdateOptions (#​18718) (824c347)
• add jsdocs to flags in BuilderOptions (#​18516) (1507068)
• missing changes guides (#​18491) (5da78a6)
• update fs.deny default in JSDoc (#​18514) (1fcc83d)
• update homepage (#​18274) (a99a0aa)
• fix typo in proxy.ts (#​18162) (49087bd)

Reverts

• use chokidar v3 (#​18659) (49783da)

Miscellaneous Chores

• add 5.4.x changelogs (#​18768) (26b58c8)
• add some comments about mimes (#​18705) (f07e9b9)
• deps: update all non-major dependencies (#​18746) (0ad16e9)
• deps: update all non-major dependencies (#​18634) (e2231a9)
• deps: update transitive deps (#​18602) (0c8b152)
• tweak build config (#​18622) (2a88f71)
• add warning for / mapping in resolve.alias (#​18588) (a51c254)
• deps: update all non-major dependencies (#​18562) (fb227ec)
• remove unused ssr variable (#​18594) (23c39fc)
• fix moduleSideEffects in build script on Windows (#​18518) (25fe9e3)
• use premove instead of rimraf (#​18499) (f97a578)
• deps: update postcss-load-config to v6 (#​15235) (3a27f62)
• deps: update dependency picomatch to v4 (#​15876) (3774881)
• combine deps license with same text (#​18356) (b5d1a05)
• create-vite: mark template files as CC0 (#​18366) (f6b9074)
• deps: bump TypeScript to 5.6 (#​18254) (57a0e85)
• deps: migrate fast-glob to tinyglobby (#​18243) (6f74a3a)
• deps: update all non-major dependencies (#​18404) (802839d)
• deps: update dependency sirv to v3 (#​18346) (5ea4b00)
• fix grammar (#​18385) (8030231)
• mark builder api experimental (#​18436) (b57321c)
• tiny typo (#​18374) (7d97a9b)
• update moduleResolution value casing (#​18409) (ff018dc)
• deps: update dependency @​rollup/plugin-commonjs to v28 (#​18231) (78e749e)
• point deprecation error URLs to main branch docs (#​18321) (11c0fb1)
• update all url references of vitejs.dev to vite.dev (#​18276) (7052c8f)
• update built LICENSE (69b6764)
• update license copyright (#​18278) (56eb869)
• deps: update all non-major dependencies (#​18108) (a73bbaa)
• deps: update all non-major dependencies (#​18230) (c0edd26)
• deps: update esbuild (#​18173) (e59e2ca)
• escape template tag in CHANGELOG.md (#​18126) (caaa683)
• optimizer: fix typo in comment (#​18239) (b916ab6)
• deps: update all non-major dependencies (#​18050) (7cac03f)
• enable some eslint rules (#​18084) (e9a2746)
• remove npm-run-all2 (#​18083) (41180d0)
• silence unnecessary logs during test (#​18052) (a3ef052)

Code Refactoring

• first character judgment replacement regexp (#​18658) (58f1df3)
• introduce mergeWithDefaults and organize how default values for config options are set (#​18550) (0e1f437)
• resolve: remove allowLinkedExternal parameter from tryNodeResolve (#​18670) (b74d363)
• resolve: remove environmentsOptions parameter (#​18590) (3ef0bf1)
• client-only top-level warmup (#​18524) (a50ff60)
• remove fs.cachedChecks option (#​18493) (94b0857)
• separate tsconfck caches per config in a weakmap (#​17317) (b9b01d5)
• css: hide internal preprocessor types and expose types used for options (#​18458) (c32837c)
• optimizeDeps back to top level (#​18465) (1ac22de)
• top-level createEnvironment is client-only (#​18475) (6022fc2)
• use originalFileNames/names (#​18240) (f2957c8)
• bump minimal terser version to 5.16.0 (#​18209) (19ce525)
• resolve: remove tryEsmOnly flag (#​18394) (7cebe38)
• use builder in build (#​18432) (cc61d16)
• rename runner.destroy() to runner.close() (#​18304) (cd368f9)
• break circular dependencies to fix test-unit (#​18237) (a577828)
• remove _onCrawlEnd (#​18207) (bea0272)
• remove the need for "processSourceMap" (#​18187) (08ff233)
• replace parse with splitFileAndPostfix (#​18185) (6f030ec)
• use resolvePackageData to get rollup version (#​18208) (220d6ec)
• create-vite: use picocolors (#​18085) (ba37df0)
• remove custom resolveOptions from pre-alias plugin (#​18041) (6f60adc)
• remove unnecessary escape (#​18044) (8062d36)

Build System

• ignore cjs warning (#​18660) (33b0d5a)
• reduce package size (#​18517) (b83f60b)

Tests

• simplify playground/json/__tests__/ssr (#​18701) (f731ca2)
• update filename regex (#​18593) (dd25c1a)
• fix test conflict (#​18446) ([94cd1e6](https://red

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
standup-timer	Ready	Preview, Comment	Jan 8, 2026 8:33pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	vite@​5.2.9 ⏵ 5.4.21	+3	+31		+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm vite is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report