Vite

registry: npm
package name: vite
maintainer: Vite Contributors

Vite is the dominant JavaScript build tool and dev server for React, Vue, Svelte, and other frontend frameworks. It handles module transformation, hot module replacement, and production bundling. Vite plugins can transform every module in the project during the build process.

api usage

Checking Vite

vite 5.4.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

```bash
curl "https://api.attestd.io/v1/check?product=vite&version=5.4.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "vite",
  "version": "5.4.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```

attack surface

Why this package is monitored

Build tool packages run during development and CI/CD builds with access to all source files and environment variables used in the build. A backdoored build tool can modify bundle output in memory, injecting JavaScript that runs in production browsers without any trace in source files.

Attestd monitors vite using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
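
A CI gate built on the check response and the source confidences above, as an added example that is not Attestd's own code. It assumes entries in `sources` are source-name strings (the page only shows an empty array); the `ATTESTD_API_KEY` variable and the `gate.py` file name are hypothetical.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

API = "https://api.attestd.io/v1/check"  # endpoint from the curl example
# Confidence per detection source, as listed on this page.
CONFIDENCE = {"registry": 1.0, "osv": 0.95, "npm_deprecation": 0.80}
# Constructed sample: the clean vite 5.4.0 response shown on this page (abridged).
CLEAN = {"product": "vite", "version": "5.4.0", "supported": True,
         "supply_chain": {"compromised": False, "sources": [], "advisory_url": None}}

def fetch(product, version, api_key):
    """Call the check endpoint the same way the curl example does."""
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(f"{API}?{query}",
                                 headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def evaluate(resp, product, version, min_confidence=0.80):
    """Return (decision, reason); decision is allow, warn or block. Fails closed."""
    if resp.get("product") != product or resp.get("version") != version:
        return "block", "response does not describe the requested version"
    if resp.get("supported") is not True:
        return "block", "product unsupported, so a clean result proves nothing"
    sc = resp.get("supply_chain")
    if not isinstance(sc, dict) or not isinstance(sc.get("compromised"), bool):
        return "block", "malformed supply_chain object"
    if not sc["compromised"]:
        return "allow", "no known supply chain compromise"
    # ASSUMPTION: entries in sources are source-name strings. Anything else,
    # or an empty list, is scored 1.0 so that unknown shapes block the build.
    scores = [CONFIDENCE.get(s, 1.0) if isinstance(s, str) else 1.0
              for s in sc.get("sources") or []]
    best = max(scores, default=1.0)
    if best >= min_confidence:
        return "block", f"compromised, confidence {best:.2f}: {sc.get('advisory_url')}"
    return "warn", f"compromise reported below threshold ({best:.2f})"

if __name__ == "__main__":  # usage: ATTESTD_API_KEY=... python gate.py vite 5.4.0
    name, ver = sys.argv[1], sys.argv[2]
    decision, reason = evaluate(fetch(name, ver, os.environ["ATTESTD_API_KEY"]), name, ver)
    print(f"{name}@{ver}: {decision} ({reason})")
    sys.exit(1 if decision == "block" else 0)
```

Run it before the install step so a blocked version never executes in the build; raising `min_confidence` above 0.80 downgrades findings backed only by deprecation messages to a warning.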
