Vite

Any way to upgrade vite to the later versions without breaking a ton of crap?
5 Replies
kapa.ai (2mo ago)

Hi @InterestEmpire. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

Upgrading Vite in a Wasp project is possible, but you should proceed with caution. Wasp manages the Vite configuration and merges your custom config with its own defaults. This means that upgrading Vite independently could introduce incompatibilities with Wasp’s build process or with the way Wasp expects the Vite config to be structured.

The official documentation does not provide a step-by-step guide for upgrading Vite, nor does it guarantee compatibility with newer Vite versions. However, you can see in the migration guide that Vite is listed as a devDependency in your project’s package.json, so you could try updating the version there and running an install. If you do this, you should carefully test your app, as changes in Vite or its plugins could break the Wasp client build process. The docs specifically warn:

“Be careful with making changes to the Vite config, as it can break the Wasp's client build process” (Custom Vite Config)

If you encounter issues, you may need to refer to the default Vite config used by Wasp and compare it with the requirements of the newer Vite version. There is no mention of an official Wasp command to upgrade Vite or to ensure compatibility with the latest Vite releases.

In summary:
- You can try upgrading Vite by updating your package.json, but there is a risk of breaking changes.
- Always check the default Wasp Vite config and test thoroughly after upgrading.
- There is no official, documented “safe upgrade” path for Vite in Wasp at this time.

If you need to customize Vite, Wasp supports merging your custom config with its own, but again, be cautious with major version changes (Custom Vite Config).

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

Sorry @InterestEmpire, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?

Carlos (2mo ago)

Not right now but in our sights for the short term. What's your use case for a newer Vite?

gumboots (2mo ago)

I'd love to update vite too, to address a couple critical vulnerabilities identified by npm audit. Looks like it's ultimately related to an old version of its axios dependency (v 1.4.0) https://github.com/advisories/GHSA-wf5p-g6vw-rhxx (?)

To address the vulnerability properly though, I thiiink Wasp's Sendgrid version might need to be bumped too - it still uses axios 0.26.0. I stopped poking around the details when I realised I couldn't update vite, so not sure what's involved there or if there are other factors.

Carlos (2mo ago)

So, some things:
- Vite only runs on build, so it is presupposed to run on a trusted environment with trusted input. You can usually disregard vulnerabilities there.
- Axios is only used for internal client-server communication, and the URLs are trusted. So axios vulnerabilities about untrusted URLs or headers are moot. It'd be important if it affected untrusted parameters but that doesn't seem to be the case.
- Even though, it sucks that we're stuck on old versions. One of our items for the roadmap to 1.0 is to upgrade all the dependencies now that our core has stabilized. Vite is already on the list: https://github.com/wasp-lang/wasp/issues/2867. I just created one for axios: https://github.com/wasp-lang/wasp/issues/2935.

TL;DR: we're on it! In the meantime, there's no big worry to keep using the dependencies provided with Wasp.

gumboots (2mo ago)

Thanks Carlos!
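
The build-time versus runtime distinction raised in the thread can be checked mechanically. The following is an added example, not part of the thread and not Wasp's code: it splits `npm audit --json` findings by the `dev` flag that npm records in `package-lock.json`. The function name `triageAudit` and all sample data are assumptions constructed for illustration, and it generalizes beyond Vite and axios to any audited package.

```javascript
// Added example, not Wasp's code. Inputs: parsed `npm audit --json` output
// (npm 7+) and a parsed package-lock.json (lockfileVersion 2 or 3).

// Constructed sample data: versions and severities are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/vite": { version: "0.0.0-sample", dev: true },
    "node_modules/esbuild": { version: "0.0.0-sample", dev: true },
    "node_modules/axios": { version: "0.0.0-sample" },
  },
};
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    vite: { severity: "moderate", nodes: ["node_modules/vite"] },
    axios: { severity: "high", nodes: ["node_modules/axios"] },
    esbuild: { severity: "moderate", nodes: ["node_modules/esbuild"] },
    "not-in-lock": { severity: "low", nodes: ["node_modules/not-in-lock"] },
  },
};

// Buckets each finding by how the affected install paths entered the tree:
//   devOnly - every path is flagged `dev: true` (reachable only via devDependencies)
//   runtime - at least one path ships with production installs
//   unknown - a path is missing from the lockfile, so nothing can be concluded
function triageAudit(audit, lock) {
  const result = { runtime: [], devOnly: [], unknown: [] };
  const packages = lock.packages ?? {};
  for (const [name, vuln] of Object.entries(audit.vulnerabilities ?? {})) {
    const nodes = vuln.nodes ?? [];
    const entries = nodes.map((path) => packages[path]);
    let bucket = "runtime"; // conservative default, also covers `devOptional`
    if (nodes.length === 0 || entries.includes(undefined)) bucket = "unknown";
    else if (entries.every((entry) => entry.dev === true)) bucket = "devOnly";
    result[bucket].push({ name, severity: vuln.severity, nodes });
  }
  return result;
}

const triaged = triageAudit(sampleAudit, sampleLock);
for (const [bucket, findings] of Object.entries(triaged)) {
  console.log(bucket, findings.map((f) => `${f.name} (${f.severity})`));
}
```

A `runtime` result only says the package ships with the app; whether untrusted input reaches the affected code still has to be reviewed per advisory. A `devOnly` result holds only as long as the build runs in a trusted environment on trusted input.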