chore(deps-dev): bump vite from 6.4.1 to 6.4.2

[dependabot]

Bumps vite from 6.4.1 to 6.4.2.

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
handout-powerpoint-addin	Ready	Preview, Comment	Apr 17, 2026 10:35am

[greptile-apps]

Greptile Summary

This PR is an automated dependabot security patch that bumps vite from 6.4.1 to 6.4.2 in the apps/powerpoint-addin workspace. The update addresses two security/correctness fixes in Vite's dev server.

Key changes:

• apps/powerpoint-addin/package.json: version specifier updated from ^6.3.1 → ^6.4.2
• pnpm-lock.yaml: resolved version updated to 6.4.2, along with transitive dependency bumps (postcss 8.5.8 → 8.5.10, tinyglobby 0.2.15 → 0.2.16)
• pnpm-lock.yaml: Widespread removal of libc fields from platform-specific optional packages (@img/sharp-*, @next/swc-*, @rollup/rollup-linux-*) — this is an unexpected side-effect beyond the vite bump itself

Security fixes included in 6.4.2:

• Path traversal vulnerability in the optimize deps sourcemap handler (#22161)
• server.fs deny-list not applied to the env transport endpoint (#22159)

Confidence Score: 5/5

Safe to merge — patches two dev-server security vulnerabilities with no breaking changes.

This is a patch-level security update to a dev-only dependency. Both fixes address dev server path-traversal / file-system restriction issues that only affect local development servers, not production builds. The transitive dep bumps (postcss, tinyglobby) are minor and low-risk. The libc field removals in the lock file are cosmetic/format-level and do not affect runtime behaviour. No API or build-output changes are expected.

The pnpm-lock.yaml libc removal is worth a quick sanity check, but is not a blocker.

Important Files Changed

Filename	Overview
apps/powerpoint-addin/package.json	Version specifier for vite updated from ^6.3.1 to ^6.4.2 to pin the security patch baseline
pnpm-lock.yaml	Lock file resolved to vite 6.4.2; also removes libc fields from many platform-specific packages — an unexpected change unrelated to the vite bump that may indicate lock file was regenerated with a different pnpm version

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["vite 6.4.1\n(dev dependency)"] -->|dependabot bump| B["vite 6.4.2"]
    B --> C["Security fix #1\nPath traversal in optimize deps\nsourcemap handler (#22161)"]
    B --> D["Security fix #2\nserver.fs check not applied\nto env transport (#22159)"]
    C --> E["Dev server no longer\nserves arbitrary files\nvia sourcemap requests"]
    D --> F["Env transport now respects\nserver.fs.deny allow-list"]

Loading

_{Reviews (1): Last reviewed commit: "chore(deps-dev): bump vite from 6.4.1 to..." | Re-trigger Greptile}

[greptile-apps]

Unexpected removal of libc fields across platform packages

This PR removes the libc field from dozens of platform-specific optional packages in the lock file — including @img/sharp-*, @next/swc-*, and @rollup/rollup-linux-* — even though those packages are unrelated to the vite bump.

For example, entries like @img/sharp-linux-arm64 previously carried:

libc: [glibc]

and @img/sharp-linuxmusl-arm64 carried:

libc: [musl]

These fields are used by pnpm to select the correct binary for the host's C runtime (glibc vs musl/Alpine). Removing them means pnpm falls back to matching only on cpu and os, which is typically fine but could theoretically install both variants or skip the correct one on edge-case platforms.

This is a strong indicator that the lock file was regenerated with a different version of pnpm than what produced the original. The change itself is likely benign in practice, but it's worth confirming that the pnpm version used locally/in CI is consistent across the team to avoid a noisy diff on the next pnpm install.