chore(deps): update dependency vite to v6.0.9 [security] (#1094)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [vite](https://vite.dev) ([source](https://github.com/vitejs/vite/tree/HEAD/packages/vite)) | [`6.0.2` -> `6.0.9`](https://renovatebot.com/diffs/npm/vite/6.0.2/6.0.9) | [![age](https://developer.mend.io/api/mc/badges/age/npm/vite/6.0.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/vite/6.0.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/vite/6.0.2/6.0.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/vite/6.0.2/6.0.9?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-24010](https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6)

### Summary
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

### Upgrade Path
Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

- Using the backend integration feature
- Using a reverse proxy in front of Vite
- Accessing the development server via a domain other than `localhost` or `*.localhost`
- Using a plugin / framework that connects to the WebSocket server on their own from the browser

#### Using the backend integration feature
If you are using the backend integration feature and not setting [`server.origin`](https://vite.dev/config/server-options.html#server-origin), you need to add the origin of the backend server to the [`server.cors.origin`](https://github.com/expressjs/cors#configuration-options) option. Make sure to set a specific origin rather than `*`, otherwise any origin can access your development server.

#### Using a reverse proxy in front of Vite
If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than `localhost` or `*.localhost`, you need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. For example, if the reverse proxy is sending requests to `http://vite:5173`, you need to add `vite` to the `server.allowedHosts` option.

#### Accessing the development server via a domain other than `localhost` or `*.localhost`
You need to add the hostname to the new [`server.allowedHosts`](https://vite.dev/config/server-options.html#server-allowedhosts) option. For example, if you are accessing the development server via `http://foo.example.com:8080`, you need to add `foo.example.com` to the `server.allowedHosts` option.

#### Using a plugin / framework that connects to the WebSocket server on their own from the browser
If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

- fix the plugin / framework code to the make it compatible with the new version of Vite
- set `legacy.skipWebSocketTokenCheck: true` to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
  - When enabling this option, **make sure that you are aware of the security implications** described in the impact section of [2] above.

### Mitigation without upgrading Vite

#### [1]: Permissive default CORS settings
Set `server.cors` to `false` or limit `server.cors.origin` to trusted origins.

#### [2]: Lack of validation on the Origin header for WebSocket connections
There aren't any mitigations for this.

#### [3]: Lack of validation on the Host header for HTTP requests
Use Chrome 94+ or use HTTPS for the development server.

### Details

There are three causes that allowed malicious websites to send any requests to the development server:

#### [1]: Permissive default CORS settings

Vite sets the [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header depending on [`server.cors`](https://vite.dev/config/server-options.html#server-cors) option. The default value was `true` which sets `Access-Control-Allow-Origin: *`. This allows websites on any origin to `fetch` contents served on the development server.

Attack scenario:

1. The attacker serves a malicious web page (`http://malicious.example.com`).
2. The user accesses the malicious web page.
3. The attacker sends a `fetch('http://127.0.0.1:5173/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
4. The attacker gets the content of `http://127.0.0.1:5173/main.js`.

#### [2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server [did not perform validation on the Origin header](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/src/node/server/ws.ts#L145-L157) and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection ([list of the file paths that changed, the file content where the errored happened, etc.](https://github.com/vitejs/vite/blob/v6.0.7/packages/vite/types/hmrPayload.d.ts#L12-L72)), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

1. The attacker serves a malicious web page (`http://malicious.example.com`).
2. The user accesses the malicious web page.
3. The attacker runs `new WebSocket('http://127.0.0.1:5173', 'vite-hmr')` by JS in that malicious web page.
4. The user edits some files.
5. Vite sends some HMR messages over WebSocket.
6. The attacker gets the content of the HMR messages.

#### [3]: Lack of validation on the Host header for HTTP requests

Unless [`server.https`](https://vite.dev/config/server-options.html#server-https) is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

1. The attacker serves a malicious web page that is served on **HTTP** (`http://malicious.example.com:5173`) (HTTPS won't work).
2. The user accesses the malicious web page.
3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
4. The attacker sends a `fetch('/main.js')` request by JS in that malicious web page.
5. The attacker gets the content of `http://127.0.0.1:5173/main.js` bypassing the same origin policy.

### Impact

#### [1]: Permissive default CORS settings
Users with the default `server.cors` option may:

- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to be exposed externally
  - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind `server.proxy` may have those functionalities.

#### [2]: Lack of validation on the Origin header for WebSocket connections
All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

#### [3]: Lack of validation on the Host header for HTTP requests
Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

- get the source code stolen by malicious websites
- give the attacker access to functionalities that are not supposed to be exposed externally
  - Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind `server.proxy` may have those functionalities.

Chrome 94+ users are not affected for [3], because [sending a request to a private network page from public non-HTTPS page is forbidden](https://developer.chrome.com/blog/private-network-access-update#chrome_94) since Chrome 94.

### Related Information
Safari has [a bug that blocks requests to loopback addresses from HTTPS origins](https://bugs.webkit.org/show_bug.cgi?id=171934). This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

### PoC

#### [2]: Lack of validation on the Origin header for WebSocket connections
1. I used the `react` template which utilizes HMR functionality.

```
npm create vite@latest my-vue-app-react -- --template react
```

2. Then on a malicious server, serve the following POC html:
```html
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>
```

3. Kick off Vite 

```
npm run dev
```

4. Load the development server (open `http://localhost:5173/`) as well as the malicious page in the browser. 
5. Edit `src/App.jsx` file and intentionally place a syntax error
6. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

https://github.com/user-attachments/assets/a4ad05cd-0b34-461c-9ff6-d7c8663d6961

---

### Release Notes

<details>
<summary>vitejs/vite (vite)</summary>

### [`v6.0.9`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small609-2025-01-20-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.8...v6.0.9)

-   fix!: check host header to prevent DNS rebinding attacks and introduce `server.allowedHosts` ([bd896fb](https://github.com/vitejs/vite/commit/bd896fb5f312fc0ff1730166d1d142fc0d34ba6d))
-   fix!: default `server.cors: false` to disallow fetching from untrusted origins ([b09572a](https://github.com/vitejs/vite/commit/b09572acc939351f4e4c50ddf793017a92c678b1))
-   fix: verify token for HMR WebSocket connection ([029dcd6](https://github.com/vitejs/vite/commit/029dcd6d77d3e3ef10bc38e9a0829784d9760fdb))

### [`v6.0.8`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small608-2025-01-20-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.7...v6.0.8)

-   fix: avoid SSR HMR for HTML files ([#&#8203;19193](https://github.com/vitejs/vite/issues/19193)) ([3bd55bc](https://github.com/vitejs/vite/commit/3bd55bcb7e831d2c4f66c90d7bbb3e1fbf7a02b6)), closes [#&#8203;19193](https://github.com/vitejs/vite/issues/19193)
-   fix: build time display 7m 60s ([#&#8203;19108](https://github.com/vitejs/vite/issues/19108)) ([cf0d2c8](https://github.com/vitejs/vite/commit/cf0d2c8e232a1af716c71cdd2218d180f7ecc02b)), closes [#&#8203;19108](https://github.com/vitejs/vite/issues/19108)
-   fix: don't resolve URL starting with double slash ([#&#8203;19059](https://github.com/vitejs/vite/issues/19059)) ([35942cd](https://github.com/vitejs/vite/commit/35942cde11fd8a68fa89bf25f7aa1ddb87d775b2)), closes [#&#8203;19059](https://github.com/vitejs/vite/issues/19059)
-   fix: ensure `server.close()` only called once ([#&#8203;19204](https://github.com/vitejs/vite/issues/19204)) ([db81c2d](https://github.com/vitejs/vite/commit/db81c2dada961f40c0882b5182adf2f34bb5c178)), closes [#&#8203;19204](https://github.com/vitejs/vite/issues/19204)
-   fix: resolve.conditions in ResolvedConfig was `defaultServerConditions` ([#&#8203;19174](https://github.com/vitejs/vite/issues/19174)) ([ad75c56](https://github.com/vitejs/vite/commit/ad75c56dce5618a3a416e18f9a5c3880d437a107)), closes [#&#8203;19174](https://github.com/vitejs/vite/issues/19174)
-   fix: tree shake stringified JSON imports ([#&#8203;19189](https://github.com/vitejs/vite/issues/19189)) ([f2aed62](https://github.com/vitejs/vite/commit/f2aed62d0bf1b66e870ee6b4aab80cd1702793ab)), closes [#&#8203;19189](https://github.com/vitejs/vite/issues/19189)
-   fix: use shared sigterm callback ([#&#8203;19203](https://github.com/vitejs/vite/issues/19203)) ([47039f4](https://github.com/vitejs/vite/commit/47039f4643179be31a8d7c7fbff83c5c13deb787)), closes [#&#8203;19203](https://github.com/vitejs/vite/issues/19203)
-   fix(deps): update all non-major dependencies ([#&#8203;19098](https://github.com/vitejs/vite/issues/19098)) ([8639538](https://github.com/vitejs/vite/commit/8639538e6498d1109da583ad942c1472098b5919)), closes [#&#8203;19098](https://github.com/vitejs/vite/issues/19098)
-   fix(optimizer): use correct default install state path for yarn PnP ([#&#8203;19119](https://github.com/vitejs/vite/issues/19119)) ([e690d8b](https://github.com/vitejs/vite/commit/e690d8bb1e5741e81df5b7a6a5c8c3c1c971fa41)), closes [#&#8203;19119](https://github.com/vitejs/vite/issues/19119)
-   fix(types): improve `ESBuildOptions.include / exclude` type to allow `readonly (string | RegExp)[]`  ([ea53e70](https://github.com/vitejs/vite/commit/ea53e7095297ea4192490fd58556414cc59a8975)), closes [#&#8203;19146](https://github.com/vitejs/vite/issues/19146)
-   chore(deps): update dependency pathe to v2 ([#&#8203;19139](https://github.com/vitejs/vite/issues/19139)) ([71506f0](https://github.com/vitejs/vite/commit/71506f0a8deda5254cb49c743cd439dfe42859ce)), closes [#&#8203;19139](https://github.com/vitejs/vite/issues/19139)

### [`v6.0.7`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small607-2025-01-02-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.6...v6.0.7)

-   fix: fix `minify` when `builder.sharedPlugins: true` ([#&#8203;19025](https://github.com/vitejs/vite/issues/19025)) ([f7b1964](https://github.com/vitejs/vite/commit/f7b1964d3a93a21f80b61638fa6ae9606d0a6f4f)), closes [#&#8203;19025](https://github.com/vitejs/vite/issues/19025)
-   fix: skip the plugin if it has been called before with the same id and importer ([#&#8203;19016](https://github.com/vitejs/vite/issues/19016)) ([b178c90](https://github.com/vitejs/vite/commit/b178c90c7d175ea31f8b67dccad3918f820357a4)), closes [#&#8203;19016](https://github.com/vitejs/vite/issues/19016)
-   fix(html): error while removing `vite-ignore` attribute for inline script ([#&#8203;19062](https://github.com/vitejs/vite/issues/19062)) ([a492253](https://github.com/vitejs/vite/commit/a4922537a8d705da7769d30626a0d846511fc124)), closes [#&#8203;19062](https://github.com/vitejs/vite/issues/19062)
-   fix(ssr): fix semicolon injection by ssr transform ([#&#8203;19097](https://github.com/vitejs/vite/issues/19097)) ([1c102d5](https://github.com/vitejs/vite/commit/1c102d517de52531faf5765632703977a17de65a)), closes [#&#8203;19097](https://github.com/vitejs/vite/issues/19097)
-   perf: skip globbing for static path in warmup ([#&#8203;19107](https://github.com/vitejs/vite/issues/19107)) ([677508b](https://github.com/vitejs/vite/commit/677508bf8268a7b8661e5557a3d0a2a76cab8bd1)), closes [#&#8203;19107](https://github.com/vitejs/vite/issues/19107)
-   feat(css): show lightningcss warnings ([#&#8203;19076](https://github.com/vitejs/vite/issues/19076)) ([b07c036](https://github.com/vitejs/vite/commit/b07c036faf6849fe5ffd03125f25dc00f460f8ba)), closes [#&#8203;19076](https://github.com/vitejs/vite/issues/19076)

### [`v6.0.6`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small606-2024-12-26-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.5...v6.0.6)

-   fix: replace runner-side path normalization with `fetchModule`-side resolve ([#&#8203;18361](https://github.com/vitejs/vite/issues/18361)) ([9f10261](https://github.com/vitejs/vite/commit/9f10261e7609098b832fd0fb23a64840b3a0d1a0)), closes [#&#8203;18361](https://github.com/vitejs/vite/issues/18361)
-   fix(css): resolve style tags in HTML files correctly for lightningcss ([#&#8203;19001](https://github.com/vitejs/vite/issues/19001)) ([afff05c](https://github.com/vitejs/vite/commit/afff05c03266fc76d5ab8928215c89f5992f40f8)), closes [#&#8203;19001](https://github.com/vitejs/vite/issues/19001)
-   fix(css): show correct error when unknown placeholder is used for CSS modules pattern in lightningcs ([9290d85](https://github.com/vitejs/vite/commit/9290d85b5d2ad64991bd296157cb3bcb959c341d)), closes [#&#8203;19070](https://github.com/vitejs/vite/issues/19070)
-   fix(resolve): handle package.json with UTF-8 BOM ([#&#8203;19000](https://github.com/vitejs/vite/issues/19000)) ([902567a](https://github.com/vitejs/vite/commit/902567ac5327e915ce65d090045fa4922ef9f2b5)), closes [#&#8203;19000](https://github.com/vitejs/vite/issues/19000)
-   fix(ssrTransform): preserve line offset when transforming imports ([#&#8203;19004](https://github.com/vitejs/vite/issues/19004)) ([1aa434e](https://github.com/vitejs/vite/commit/1aa434e8017012bf0939b2ff1a3a66b4bd12b76d)), closes [#&#8203;19004](https://github.com/vitejs/vite/issues/19004)
-   chore: fix typo in comment ([#&#8203;19067](https://github.com/vitejs/vite/issues/19067)) ([eb06ec3](https://github.com/vitejs/vite/commit/eb06ec30bb02ced66274f0fc6e90aff2bb20c632)), closes [#&#8203;19067](https://github.com/vitejs/vite/issues/19067)
-   chore: update comment about `build.target` ([#&#8203;19047](https://github.com/vitejs/vite/issues/19047)) ([0e9e81f](https://github.com/vitejs/vite/commit/0e9e81f622f13d78ee238c0fa72ba920e23419f4)), closes [#&#8203;19047](https://github.com/vitejs/vite/issues/19047)
-   revert: unpin esbuild version ([#&#8203;19043](https://github.com/vitejs/vite/issues/19043)) ([8bfe247](https://github.com/vitejs/vite/commit/8bfe247511517c631a26f3931bb3c93a7b0b7446)), closes [#&#8203;19043](https://github.com/vitejs/vite/issues/19043)
-   test(ssr): test virtual module with query ([#&#8203;19044](https://github.com/vitejs/vite/issues/19044)) ([a1f4b46](https://github.com/vitejs/vite/commit/a1f4b46896cb4b442b54a8336db8eca6df9ee02d)), closes [#&#8203;19044](https://github.com/vitejs/vite/issues/19044)

### [`v6.0.5`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small605-2024-12-20-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.4...v6.0.5)

-   fix: esbuild regression (pin to 0.24.0) ([#&#8203;19027](https://github.com/vitejs/vite/issues/19027)) ([4359e0d](https://github.com/vitejs/vite/commit/4359e0d5b33afd6259a4dcef787cc2670e963126)), closes [#&#8203;19027](https://github.com/vitejs/vite/issues/19027)

### [`v6.0.4`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small604-2024-12-19-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.3...v6.0.4)

-   fix: `this.resolve` skipSelf should not skip for different `id` or `import` ([#&#8203;18903](https://github.com/vitejs/vite/issues/18903)) ([4727320](https://github.com/vitejs/vite/commit/472732057cb2273908e1fca8aa7dc18a7e1f7c74)), closes [#&#8203;18903](https://github.com/vitejs/vite/issues/18903)
-   fix: fallback terser to main thread when function options are used ([#&#8203;18987](https://github.com/vitejs/vite/issues/18987)) ([12b612d](https://github.com/vitejs/vite/commit/12b612d8be2a18456fd94a2f0291d32d1ffb29d4)), closes [#&#8203;18987](https://github.com/vitejs/vite/issues/18987)
-   fix: merge client and ssr values for `pluginContainer.getModuleInfo` ([#&#8203;18895](https://github.com/vitejs/vite/issues/18895)) ([258cdd6](https://github.com/vitejs/vite/commit/258cdd637d1ee80a3c4571685135e89fe283f3a6)), closes [#&#8203;18895](https://github.com/vitejs/vite/issues/18895)
-   fix(css): escape double quotes in `url()` when lightningcss is used ([#&#8203;18997](https://github.com/vitejs/vite/issues/18997)) ([3734f80](https://github.com/vitejs/vite/commit/3734f8099e3922c189497ce404fe7ff2f8929ae1)), closes [#&#8203;18997](https://github.com/vitejs/vite/issues/18997)
-   fix(css): root relative import in sass modern API on Windows ([#&#8203;18945](https://github.com/vitejs/vite/issues/18945)) ([c4b532c](https://github.com/vitejs/vite/commit/c4b532cc900bf988073583511f57bd581755d5e3)), closes [#&#8203;18945](https://github.com/vitejs/vite/issues/18945)
-   fix(css): skip non css in custom sass importer ([#&#8203;18970](https://github.com/vitejs/vite/issues/18970)) ([21680bd](https://github.com/vitejs/vite/commit/21680bdf9ca7c12f677136b56e47f46469db8be2)), closes [#&#8203;18970](https://github.com/vitejs/vite/issues/18970)
-   fix(deps): update all non-major dependencies ([#&#8203;18967](https://github.com/vitejs/vite/issues/18967)) ([d88d000](https://github.com/vitejs/vite/commit/d88d0004a8e891ca6026d356695e0b319caa7fce)), closes [#&#8203;18967](https://github.com/vitejs/vite/issues/18967)
-   fix(deps): update all non-major dependencies ([#&#8203;18996](https://github.com/vitejs/vite/issues/18996)) ([2b4f115](https://github.com/vitejs/vite/commit/2b4f115129fb3fbd730a92078acb724f8527b7f7)), closes [#&#8203;18996](https://github.com/vitejs/vite/issues/18996)
-   fix(optimizer): keep NODE_ENV as-is when keepProcessEnv is `true` ([#&#8203;18899](https://github.com/vitejs/vite/issues/18899)) ([8a6bb4e](https://github.com/vitejs/vite/commit/8a6bb4e11d5c1b61511ae1e5ed3ae3c65a33b2dc)), closes [#&#8203;18899](https://github.com/vitejs/vite/issues/18899)
-   fix(ssr): recreate ssrCompatModuleRunner on restart ([#&#8203;18973](https://github.com/vitejs/vite/issues/18973)) ([7d6dd5d](https://github.com/vitejs/vite/commit/7d6dd5d1d655d173668192509f63ac4ebf7af299)), closes [#&#8203;18973](https://github.com/vitejs/vite/issues/18973)
-   chore: better validation error message for dts build ([#&#8203;18948](https://github.com/vitejs/vite/issues/18948)) ([63b82f1](https://github.com/vitejs/vite/commit/63b82f1e29a00d06a82144fd03ea8d6eff114290)), closes [#&#8203;18948](https://github.com/vitejs/vite/issues/18948)
-   chore(deps): update all non-major dependencies ([#&#8203;18916](https://github.com/vitejs/vite/issues/18916)) ([ef7a6a3](https://github.com/vitejs/vite/commit/ef7a6a35e6827b92445e5a0c2c0022616efc80dd)), closes [#&#8203;18916](https://github.com/vitejs/vite/issues/18916)
-   chore(deps): update dependency [@&#8203;rollup/plugin-node-resolve](https://github.com/rollup/plugin-node-resolve) to v16 ([#&#8203;18968](https://github.com/vitejs/vite/issues/18968)) ([62fad6d](https://github.com/vitejs/vite/commit/62fad6d79f83daf916dde866909a2a3dd0c79583)), closes [#&#8203;18968](https://github.com/vitejs/vite/issues/18968)
-   refactor: make internal invoke event to use the same interface with `handleInvoke` ([#&#8203;18902](https://github.com/vitejs/vite/issues/18902)) ([27f691b](https://github.com/vitejs/vite/commit/27f691b0c7dca2259108fe6b79583b459429bf7f)), closes [#&#8203;18902](https://github.com/vitejs/vite/issues/18902)
-   refactor: simplify manifest plugin code ([#&#8203;18890](https://github.com/vitejs/vite/issues/18890)) ([1bfe21b](https://github.com/vitejs/vite/commit/1bfe21b9440f318c940f90e425a18588595225fd)), closes [#&#8203;18890](https://github.com/vitejs/vite/issues/18890)
-   test: test `ModuleRunnerTransport` `invoke` API ([#&#8203;18865](https://github.com/vitejs/vite/issues/18865)) ([e5f5301](https://github.com/vitejs/vite/commit/e5f5301924b775837b2a1253c37f76555bce3e3e)), closes [#&#8203;18865](https://github.com/vitejs/vite/issues/18865)
-   test: test output hash changes ([#&#8203;18898](https://github.com/vitejs/vite/issues/18898)) ([bfbb130](https://github.com/vitejs/vite/commit/bfbb130fccefbe7e3880f09defb4fceacce39481)), closes [#&#8203;18898](https://github.com/vitejs/vite/issues/18898)

### [`v6.0.3`](https://github.com/vitejs/vite/blob/HEAD/packages/vite/CHANGELOG.md#small603-2024-12-05-small)

[Compare Source](https://github.com/vitejs/vite/compare/v6.0.2...v6.0.3)

-   fix: handle postcss load unhandled rejections ([#&#8203;18886](https://github.com/vitejs/vite/issues/18886)) ([d5fb653](https://github.com/vitejs/vite/commit/d5fb653c15903ccf84a093f212da86f0327a9a6f)), closes [#&#8203;18886](https://github.com/vitejs/vite/issues/18886)
-   fix: make handleInvoke interface compatible with invoke ([#&#8203;18876](https://github.com/vitejs/vite/issues/18876)) ([a1dd396](https://github.com/vitejs/vite/commit/a1dd396da856401a12c921d0cd2c4e97cb63f1b5)), closes [#&#8203;18876](https://github.com/vitejs/vite/issues/18876)
-   fix: make result interfaces for `ModuleRunnerTransport#invoke` more explicit ([#&#8203;18851](https://github.com/vitejs/vite/issues/18851)) ([a75fc31](https://github.com/vitejs/vite/commit/a75fc3193d5e8d8756dfb3a046873e9c222bb6c8)), closes [#&#8203;18851](https://github.com/vitejs/vite/issues/18851)
-   fix: merge `environments.ssr.resolve` with root `ssr` config ([#&#8203;18857](https://github.com/vitejs/vite/issues/18857)) ([3104331](https://github.com/vitejs/vite/commit/310433106e1e8a0c39dc397e3eace8a71a2416c2)), closes [#&#8203;18857](https://github.com/vitejs/vite/issues/18857)
-   fix: no permission to create vite config file ([#&#8203;18844](https://github.com/vitejs/vite/issues/18844)) ([ff47778](https://github.com/vitejs/vite/commit/ff47778004d609dbeef7f192783e6f253dd66237)), closes [#&#8203;18844](https://github.com/vitejs/vite/issues/18844)
-   fix: remove CSS import in CJS correctly in some cases ([#&#8203;18885](https://github.com/vitejs/vite/issues/18885)) ([690a36f](https://github.com/vitejs/vite/commit/690a36ffdb7d6f6568f35a304b4904e7aa475f17)), closes [#&#8203;18885](https://github.com/vitejs/vite/issues/18885)
-   fix(config): bundle files referenced with imports field ([#&#8203;18887](https://github.com/vitejs/vite/issues/18887)) ([2b5926a](https://github.com/vitejs/vite/commit/2b5926a0e79ce47d22536d38eed2629d326caca0)), closes [#&#8203;18887](https://github.com/vitejs/vite/issues/18887)
-   fix(config): make stacktrace path correct when sourcemap is enabled ([#&#8203;18833](https://github.com/vitejs/vite/issues/18833)) ([20fdf21](https://github.com/vitejs/vite/commit/20fdf210ee0ac0824b2db74876527cb7f378a9e8)), closes [#&#8203;18833](https://github.com/vitejs/vite/issues/18833)
-   fix(css): rewrite url when image-set and url exist at the same time ([#&#8203;18868](https://github.com/vitejs/vite/issues/18868)) ([d59efd8](https://github.com/vitejs/vite/commit/d59efd8dfd1c5bf2e7c45c7cdb1c0abc2a05ba02)), closes [#&#8203;18868](https://github.com/vitejs/vite/issues/18868)
-   fix(deps): update all non-major dependencies ([#&#8203;18853](https://github.com/vitejs/vite/issues/18853)) ([5c02236](https://github.com/vitejs/vite/commit/5c0223636fa277d5daeb4d93c3f32d9f3cd69fc5)), closes [#&#8203;18853](https://github.com/vitejs/vite/issues/18853)
-   fix(html): allow unexpected question mark in tag name ([#&#8203;18852](https://github.com/vitejs/vite/issues/18852)) ([1b54e50](https://github.com/vitejs/vite/commit/1b54e506a44420d0c8a9e000cf45b1c4f5e33026)), closes [#&#8203;18852](https://github.com/vitejs/vite/issues/18852)
-   fix(module-runner): decode uri for file url passed to import ([#&#8203;18837](https://github.com/vitejs/vite/issues/18837)) ([88e49aa](https://github.com/vitejs/vite/commit/88e49aa0418cb3f6b579b744ba59daeda68432f3)), closes [#&#8203;18837](https://github.com/vitejs/vite/issues/18837)
-   refactor: fix logic errors found by no-unnecessary-condition rule ([#&#8203;18891](https://github.com/vitejs/vite/issues/18891)) ([ea802f8](https://github.com/vitejs/vite/commit/ea802f8f8bcf3771a35c1eaf687378613fbabb24)), closes [#&#8203;18891](https://github.com/vitejs/vite/issues/18891)
-   chore: fix duplicate attributes issue number in comment ([#&#8203;18860](https://github.com/vitejs/vite/issues/18860)) ([ffee618](https://github.com/vitejs/vite/commit/ffee61893cfe9f2b0db4aecf9ddb62ca79c80458)), closes [#&#8203;18860](https://github.com/vitejs/vite/issues/18860)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - "every weekend" (UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/technifit/tasker).

apps/web/package.json

@@ -76,7 +76,7 @@
     "tailwindcss": "3.4.16",
     "typescript": "5.7.2",
     "typescript-remix-routes-plugin": "1.0.1",
-    "vite": "6.0.2",
+    "vite": "6.0.9",
     "vite-tsconfig-paths": "5.1.3",
     "vitest": "3.0.2"
   }