chore(deps): update dependency vite to v6.3.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vite (source)	6.3.2 -> 6.3.4

GitHub Vulnerability Alerts

CVE-2025-46565

Summary

The contents of files in the project root that are denied by a file matching pattern can be returned to the browser.

Impact

Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
Only files that are under project root and are denied by a file matching pattern can be bypassed.

• Examples of file matching patterns: .env, .env.*, *.{crt,pem}, **/.env
• Examples of other patterns: **/.git/**, .git/**, .git/**/*

Details

server.fs.deny can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns).
These patterns were able to bypass for files under root by using a combination of slash and dot (/.).

PoC

npm create vite@latest
cd vite-project/
cat "secret" > .env
npm install
npm run dev
curl --request-target /.env/. http://localhost:5173

---

Release Notes

vitejs/vite (vite)

v6.3.4

Compare Source

• fix: check static serve file inside sirv (#​19965) (c22c43d), closes #​19965
• fix(optimizer): return plain object when using require to import externals in optimized dependenci (efc5eab), closes #​19940
• refactor: remove duplicate plugin context type (#​19935) (d6d01c2), closes #​19935

v6.3.3

Compare Source

• fix: ignore malformed uris in tranform middleware (#​19853) (e4d5201), closes #​19853
• fix(assets): ensure ?no-inline is not included in the asset url in the production environment (#​1949 (16a73c0), closes #​19496
• fix(css): resolve relative imports in sass properly on Windows (#​19920) (ffab442), closes #​19920
• fix(deps): update all non-major dependencies (#​19899) (a4b500e), closes #​19899
• fix(ssr): fix execution order of re-export (#​19841) (ed29dee), closes #​19841
• fix(ssr): fix live binding of default export declaration and hoist exports getter (#​19842) (80a91ff), closes #​19842
• perf: skip sourcemap generation for renderChunk hook of import-analysis-build plugin (#​19921) (55cfd04), closes #​19921
• test(ssr): test ssrTransform re-export deps and test stacktrace with first line (#​19629) (9399cda), closes #​19629

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[github-actions]

Apollo Federation Subgraph Compatibility Results

Federation 1 Support	Federation 2 Support
_service 🟢 @key (single) 🟢 @key (multi) 🟢 @key (composite) 🟢 repeatable @key 🟢 @requires 🟢 @provides 🟢 federated tracing 🟢	@link 🟢 @shareable 🟢 @tag 🟢 @override 🟢 @inaccessible 🟢 @composeDirective 🟢 @interfaceObject 🟢

Learn more:

• Apollo Federation Subgraph Specification
• Compatibility Tests

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-4021.graphql-yoga.pages.dev

[github-actions]

✅ Benchmark Results

     ✓ no_errors{mode:graphql}
     ✓ expected_result{mode:graphql}
     ✓ no_errors{mode:graphql-jit}
     ✓ expected_result{mode:graphql-jit}
     ✓ no_errors{mode:graphql-response-cache}
     ✓ expected_result{mode:graphql-response-cache}
     ✓ no_errors{mode:graphql-no-parse-validate-cache}
     ✓ expected_result{mode:graphql-no-parse-validate-cache}
     ✓ no_errors{mode:uws}
     ✓ expected_result{mode:uws}

     checks.......................................: 100.00% ✓ 424604      ✗ 0     
     data_received................................: 1.7 GB  12 MB/s
     data_sent....................................: 85 MB   568 kB/s
     http_req_blocked.............................: avg=1.53µs   min=1µs      med=1.33µs   max=307.56µs p(90)=2µs      p(95)=2.19µs  
     http_req_connecting..........................: avg=3ns      min=0s       med=0s       max=143.27µs p(90)=0s       p(95)=0s      
     http_req_duration............................: avg=486.12µs min=276.84µs med=446.81µs max=18.57ms  p(90)=629.52µs p(95)=654.1µs 
       { expected_response:true }.................: avg=486.12µs min=276.84µs med=446.81µs max=18.57ms  p(90)=629.52µs p(95)=654.1µs 
     ✓ { mode:graphql-jit }.......................: avg=445.55µs min=345.02µs med=405.7µs  max=18.57ms  p(90)=446.28µs p(95)=467.19µs
     ✓ { mode:graphql-no-parse-validate-cache }...: avg=675.1µs  min=560.01µs med=631.56µs max=8.81ms   p(90)=673.1µs  p(95)=703.38µs
     ✓ { mode:graphql-response-cache }............: avg=504.63µs min=396.24µs med=465.43µs max=14.51ms  p(90)=503µs    p(95)=518.24µs
     ✓ { mode:graphql }...........................: avg=531.63µs min=403.75µs med=478.9µs  max=18.41ms  p(90)=547.5µs  p(95)=625.12µs
     ✓ { mode:uws }...............................: avg=352.33µs min=276.84µs med=331.99µs max=7.42ms   p(90)=364.14µs p(95)=381.32µs
     http_req_failed..............................: 0.00%   ✓ 0           ✗ 212302
     http_req_receiving...........................: avg=33.65µs  min=16.63µs  med=33.01µs  max=4.36ms   p(90)=39.36µs  p(95)=42.31µs 
     http_req_sending.............................: avg=8.96µs   min=5.99µs   med=7.9µs    max=1.99ms   p(90)=11.36µs  p(95)=12.65µs 
     http_req_tls_handshaking.....................: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting.............................: avg=443.5µs  min=247.13µs med=404.95µs max=18.46ms  p(90)=586.45µs p(95)=609.59µs
     http_reqs....................................: 212302  1415.332712/s
     iteration_duration...........................: avg=701.52µs min=446.39µs med=658.28µs max=19.19ms  p(90)=847.48µs p(95)=874.26µs
     iterations...................................: 212302  1415.332712/s
     vus..........................................: 1       min=1         max=1   
     vus_max......................................: 2       min=2         max=2