vite
Native-ESM powered web dev build tool
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/node/chunks/build.js | AI (source-diff): Embedded WASM for xxhash64/loader-utils hash; standard bundled dependency for vite. | ai | |
| source-diff | obfuscated-file:dist/node/chunks/fetchableEnvironments.js | AI (source-diff): Vite ships bundled/minified dist output as standard practice; long lines are from rolldown bundling, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/node/chunks/fetchableEnvironments.js | AI (source-diff): Vite is a dev server + build tool; network calls and code execution in bundled output are core functionality. | ai | |
| source-diff | encoded-string-file:dist/node/chunks/node.js | AI (source-diff): Base64-encoded WASM binary from es-module-lexer; standard bundled dependency in vite's dist output. | ai | |
| source-diff | encoded-string-file:dist/node/chunks/dist.js | AI (source-diff): HTML entity decode trie data from bundled 'entities' package; standard build artifact for vite. | ai | |
| source-diff | obfuscated-file:dist/node/chunks/dist.js | AI (source-diff): Bundled parse5 unicode tables produce long lines; this is standard bundler output, not obfuscation. | ai | |
| source-diff | net-exec-file:dist/node/chunks/build2.js | AI (source-diff): Bundled postcss-modules/icss-utils code in vite's dist chunks; network+exec pattern is from bundled deps, not malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): rolldown and lightningcss are vite 8.x's documented bundler and CSS engine replacements; legitimate architectural change. | ai | |
| source-diff | encoded-string-file:dist/node/chunks/build2.js | AI (source-diff): Encoded strings are WebAssembly modules for xxhash64 from loader-utils — standard WASM embedding pattern. | ai | |
| source-diff | net-exec-file:dist/node/chunks/node.js | AI (source-diff): Vite is a dev server + build tool; network calls and code execution are core functionality, not malicious behavior. | ai | |
| source-diff | obfuscated-file:dist/node/chunks/node.js | AI (source-diff): Vite ships bundled dist output via rolldown; long lines are from bundling, not obfuscation. Standard for build tools. | ai | |
| bogus-package | bogus-package | AI (bogus-package): vite is the canonical Vite build tool by Evan You/vitejs team. Maintainers (yyx990803, patak, antfu) are legitimate; inflated semver signal is a false positive for an established project publishing a new major version. | ai | |
| dependencies | unvetted-dep:lightningcss | AI (dependencies): lightningcss is a well-known CSS processing library; its use as a Vite dependency is expected and documented. | ai |
Versions (showing 12 of 12)
| Version | Deps | Published |
|---|---|---|
| 8.0.14 | 5 / 54 | |
| 8.0.13 | 5 / 54 | |
| 8.0.12 | 5 / 54 | |
| 8.0.11 | 5 / 54 | |
| 8.0.10 | 5 / 54 | |
| 8.0.9 | 5 / 54 | |
| 8.0.8 | 5 / 54 | |
| 8.0.7 | 5 / 54 | |
| 8.0.6 | 5 / 54 | |
| 8.0.5 | 5 / 54 | |
| 7.3.2 | 6 / 56 | |
| 6.4.2 | 6 / 57 |
v8.0.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.11
2 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.10
3 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.8
5 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.7
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.6
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.3.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v6.4.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.