Bump vite from 5.4.14 to 5.4.21

[dependabot]

Bumps vite from 5.4.14 to 5.4.21.

Release notes

Sourced from vite's releases.

v5.4.21

Please refer to CHANGELOG.md for details.

v5.4.20

Please refer to CHANGELOG.md for details.

v5.4.19

Please refer to CHANGELOG.md for details.

v5.4.18

Please refer to CHANGELOG.md for details.

v5.4.17

Please refer to CHANGELOG.md for details.

v5.4.16

Please refer to CHANGELOG.md for details.

v5.4.15

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

5.4.21 (2025-10-20)

• fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970) (cad1d31), closes #20968 #20970
• chore: update CHANGELOG (ca88ed7)

5.4.20 (2025-09-08)

• fix: apply fs.strict check to HTML files (#20736) (482000f), closes #20736
• fix: port sirv@3.0.2 changes to sirv@2.0.4 (#20737) (4f1c35b), closes #20737

5.4.19 (2025-04-30)

• fix: backport #19965, check static serve file inside sirv (#19966) (766947e), closes #19965 #19966

5.4.18 (2025-04-10)

• fix: backport #19830, reject requests with # in request-target (#19831) (823675b), closes #19830 #19831

5.4.17 (2025-04-03)

• fix: backport #19782, fs check with svg and relative paths (#19784) (84b2b46), closes #19782 #19784

5.4.16 (2025-03-31)

• fix: backport #19761, fs check in transform middleware (#19762) (b627c50), closes #19761 #19762

5.4.15 (2025-03-24)

• fix: backport #19702, fs raw query with query separators (#19703) (807d7f0), closes #19702 #19703

Commits

• adce3c2 release: v5.4.21
• cad1d31 fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20970)
• ca88ed7 chore: update CHANGELOG
• 997700f release: v5.4.20
• 482000f fix: apply fs.strict check to HTML files (#20736)
• 80a333a release: v5.4.19
• 766947e fix: backport #19965, check static serve file inside sirv (#19966)
• 731b77d release: v5.4.18
• 823675b fix: backport #19830, reject requests with # in request-target (#19831)
• 0a2518a release: v5.4.17
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Summary by cubic

Upgrade Vite from 5.4.14 to 5.4.21 to pick up dev server security hardening and file system check fixes. Improves stability and tightens path access; no app code changes expected.

• Bug Fixes
  • Tightened dev server file system checks (HTML, SVG, relative paths, transform middleware).
  • Rejects requests with “#” in the target and trims trailing slashes before fs.deny checks.
  • Backports sirv static file handling protections for safer path resolution.

---

EntelligenceAI PR Summary

This PR updates Vite from version 5.4.14 to 5.4.21, addressing several security vulnerabilities including DNS rebinding attack prevention, host header validation, and CORS security hardening. The update is particularly important for this project's development server configuration which binds to all interfaces.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[jazzberry-ai]

This repository is associated with RectiFlex whose free trial has ended. Subscribe at jazzberry.ai.
_{If this is an error contact us at support@jazzberry.ai.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 84c41ac in 52 seconds. Click for details.

• Reviewed 13 lines of code in 1 files
• Skipped 1 files when reviewing.
• Skipped posting 1 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. package.json:91

• Draft comment:
  Bump Vite version from ^5.4.14 to ^5.4.21. Verify that the trailing slash fix (server.fs.deny update) doesn’t introduce issues in your fs configuration or plugin integrations.
• Reason this comment was not posted:
  Comment looked like it was already resolved.

Workflow ID: wflow_vDejx4MpHREGlaBm

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}

[openzeppelin-code]

Bump vite from 5.4.14 to 5.4.21

Generated at commit: 84c41ac45c80a69942a3bd73af385a9d0b14331d

🚨 Report Summary

	Severity Level	Results
Contracts	Critical High Medium Low Note Total	0 0 0 0 0 0
Dependencies	Critical High Medium Low Note Total	0 0 0 0 0 0

---

For more details view the full report in OpenZeppelin Code Inspector

[entelligence-ai-pr-reviews]

📝 Walkthrough

This PR updates the Vite dependency from version 5.4.14 to 5.4.21. This is a security-focused update that addresses multiple vulnerabilities in the development server, including DNS rebinding attack prevention, host header validation, and CORS security hardening.

The update is particularly important for this project since the Vite configuration binds to all interfaces (host: "::") which increases exposure to potential security issues. The changes are minimal, affecting only the version specifications in package files, but provide significant security benefits.

📊 Changes

File	Change
package.json	Updated Vite from ^5.4.14 to ^5.4.21
package-lock.json	Updated lock file with new version and integrity hash

🔒 Security Highlights

• ✅ DNS rebinding attack prevention through host header validation
• ✅ Introduction of server.allowedHosts configuration
• ✅ CORS security hardening (default server.cors: false)
• ✅ HMR WebSocket connection token verification
• ✅ File system access bypass vulnerability fixes
• ✅ Prevents arbitrary websites from accessing development server
• ✅ Blocks malicious requests with # characters from bypassing file system checks

---

The update maintains full compatibility with existing code and follows best practices for dependency management. No breaking changes were identified in the Vite 5.4.x series.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    title Vite Package Update Process
    
    participant Dev as "Developer"
    participant PM as "Package Manager"
    participant Deps as "Dependencies"
    participant App as "Application"
    
    Dev->>PM: Update Vite from 5.4.14 to 5.4.21
    Note over Dev,PM: Changes package.json and package-lock.json
    
    PM->>Deps: Install updated Vite package
    Deps-->>PM: Installation complete
    
    Note over Deps,App: Application continues to use Vite<br/>but with newer version (5.4.21)
    
    PM-->>Dev: Update complete
    
    Note over Dev,App: No functional changes to application code<br/>Only dependency version has been updated

Loading

🔒 Security Analysis

• Vulnerabilities: 0
• Bugs: 0
• Code Smells: 0
• Security Hotspots: 0

Caution

2 comments are outside the diff range and can't be posted inline due to platform limitations.

⚠️ View Outside Diff Range Comments (2)

🟡 Medium Medium Priority  ·  1 issue

vite.config.js  ·  1 comment

1. Lines unknown · Security

Development server configured to bind to all interfaces (host: '::') without proper security settings like allowedHosts

🟢 Minor Low Priority  ·  1 issue

package.json  ·  1 comment

1. Lines unknown · Security

Lack of automated dependency updates (like Dependabot) to catch security updates faster

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

Security: Outdated Vite version with security vulnerabilities including DNS rebinding attack vectors, lack of host header validation, and CORS security issues

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	"tailwindcss": "^3.4.11",
	"typescript": "^5.5.3",
	"typescript-eslint": "^8.0.1",
	"vite": "^5.4.14",
	"vite": "^5.4.21",
	"tailwindcss": "^3.4.11",
	"typescript": "^5.5.3",
	"typescript-eslint": "^8.0.1",
	"vite": "^5.4.21",
	"nanoid": ">=3.3.8"

[entelligence-ai-pr-reviews]

Security: Outdated Vite version reference in package-lock.json

[entelligence-ai-pr-reviews]

Security: Outdated Vite version, resolved URL and integrity hash in package-lock.json

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	}
	},
	"node_modules/vite": {
	"version": "5.4.14",
	"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.14.tgz",
	"integrity": "sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==",
	"version": "5.4.21",
	"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
	"integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
	"node_modules/vite": {
	"version": "5.4.21",
	"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
	"integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
	"dev": true,
	"license": "MIT",

[cubic-dev-ai]

No issues found across 2 files