Bump vite from 6.4.1 to 6.4.2

[dependabot]

Bumps vite from 6.4.1 to 6.4.2.

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

• fix: apply server.fs check to env transport (#22159) (#22163) (fe28e47), closes #22159 #22163
• fix: avoid path traversal with optimize deps sourcemap handler (#22161) (ca4da5d), closes #22161

Commits

• 6b3fad0 release: v6.4.2
• ca4da5d fix: avoid path traversal with optimize deps sourcemap handler (#22161)
• fe28e47 fix: apply server.fs check to env transport (#22159) (#22163)
• 5487f4f release: v6.4.1
• 1114b5d fix(dev): trim trailing slash before server.fs.deny check (#20968) (#20969)
• f12697c release: v6.4.0
• ca6455e feat: allow passing down resolved config to vite's createServer (#20932)
• 0e173d8 release: v6.3.7
• c59a222 fix(esbuild): inject esbuild helpers correctly for esbuild 0.25.9+ (#20940)
• 3f337c5 release: v6.3.6
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	astro-blog-starter-template	3b052b7	Commit Preview URL Branch Preview URL	Apr 07 2026, 05:14 AM

[devin-ai-integration]

Code Review: 🟡 Safe but Likely Redundant

Summary

This PR bumps vite from 6.4.1 → 6.4.2, a patch-level security fix.

Changes

The diff is minimal — only package-lock.json changes (version, resolved URL, integrity hash). No package.json change because vite is a transitive dependency (resolved through @astrojs/cloudflare's dependencies).

Security Fixes (v6.4.2)

Both fixes are security-relevant:

1. fe28e47 — Apply server.fs check to env transport (fixes #22159) — prevents unauthorized file access via the env transport
2. ca4da5d — Avoid path traversal with optimize deps sourcemap handler (fixes #22161) — prevents path traversal attacks through sourcemaps

Edge Case

These are dev-server vulnerabilities. They only matter if you run astro dev on a network-accessible machine. For local development only, the risk is low.

Redundancy with PR #22

PR #22 upgrades Astro to v6, which brings Vite 7. If PR #22 is merged, this PR becomes completely obsolete — Vite 7 includes all security fixes from 6.4.2 and more.

Recommendation

• If you plan to merge PR Bump astro, @astrojs/cloudflare and @astrojs/mdx #22 soon: Skip this PR, close it after PR Bump astro, @astrojs/cloudflare and @astrojs/mdx #22 merges.
• If PR Bump astro, @astrojs/cloudflare and @astrojs/mdx #22 will take time: Merge this PR as a quick security fix for the interim. It's a safe, low-risk patch bump.