Skip to content

chore(deps): bump esbuild, vite and @vitejs/plugin-react#161

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-5ea19b96cb
Open

chore(deps): bump esbuild, vite and @vitejs/plugin-react#161
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-5ea19b96cb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown

Removes esbuild. It's no longer used after updating ancestor dependencies esbuild, vite and @vitejs/plugin-react. These dependencies need to be updated together.

Removes esbuild

Updates vite from 6.4.2 to 8.0.16

Release notes

Sourced from vite's releases.

v8.0.16

Please refer to CHANGELOG.md for details.

v8.0.15

Please refer to CHANGELOG.md for details.

v8.0.14

Please refer to CHANGELOG.md for details.

v8.0.13

Please refer to CHANGELOG.md for details.

v8.0.12

Please refer to CHANGELOG.md for details.

v8.0.11

Please refer to CHANGELOG.md for details.

v8.0.10

Please refer to CHANGELOG.md for details.

v8.0.9

Please refer to CHANGELOG.md for details.

v8.0.8

Please refer to CHANGELOG.md for details.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

create-vite@8.0.3

Please refer to CHANGELOG.md for details.

v8.0.3

Please refer to CHANGELOG.md for details.

create-vite@8.0.2

Please refer to CHANGELOG.md for details.

v8.0.2

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

8.0.16 (2026-06-01)

Bug Fixes

8.0.15 (2026-06-01)

Features

Bug Fixes

  • capitalize error messages and remove spurious space in parse error (#22488) (85a0eff)
  • deps: update all non-major dependencies (#22511) (2686d7d)
  • dev: fix html-proxy cache key mismatch for /@fs/ HTML paths (#21762) (47c4213)
  • glob: error on relative glob in virtual module when no files match (#22497) (5c8e98f)
  • optimizer: close the rolldown bundle when write() rejects (#22528) (e3cfb9d)
  • resolve: provide onWarn for viteResolvePlugin in JS plugin containers (#22509) (40985f1)

Miscellaneous Chores

Code Refactoring

8.0.14 (2026-05-21)

Features

Bug Fixes

  • deps: update all non-major dependencies (#22471) (98b8163)
  • dev: handle errors when sending messages to vite server (#22450) (e8e9a34)
  • html: handle trailing slash paths in transformIndexHtml (#22480) (5d94d1b)
  • optimizer: pass oxc jsx options to transformSync in dependency scan (#22342) (b3132da)

Miscellaneous Chores

  • deps: update rolldown-related dependencies (#22470) (7cb728e)
  • remove irrelevant commits from changelog (2c69495)

Code Refactoring

  • glob: do not rewrite import path for absolute base (#22310) (0ae2844)

... (truncated)

Commits

Updates @vitejs/plugin-react from 4.7.0 to 6.0.2

Release notes

Sourced from @​vitejs/plugin-react's releases.

plugin-react@6.0.2

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

plugin-react@6.0.1

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

plugin-react@6.0.0

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [

react({

 babel: {



   plugins: ['babel-plugin-react-compiler'],



</tr></table>

... (truncated)

Changelog

Sourced from @​vitejs/plugin-react's changelog.

6.0.2 (2026-05-14)

Allow all options in reactCompilerPreset (#1189)

This is a type only change. Only compilationMode and target options were available for reactCompilerPreset.

6.0.1 (2026-03-13)

Expand @rolldown/plugin-babel peer dep range (#1146)

Expanded @rolldown/plugin-babel peer dep range to include ^0.2.0.

6.0.0 (2026-03-12)

6.0.0-beta.0 (2026-03-03)

Remove Babel Related Features (#1123)

Vite 8+ can handle React Refresh Transform by Oxc and doesn't need Babel for it. With that, there are no transform applied that requires Babel. To reduce the installation size of this plugin, babel is no longer a dependency of this plugin and the related features are removed.

If you are using Babel, you can use @rolldown/plugin-babel together with this plugin:

 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
export default defineConfig({
plugins: [


react({



  babel: {



    plugins: ['@babel/plugin-proposal-throw-expressions'],



  },



}),





react(),



babel({



  plugins: ['@babel/plugin-proposal-throw-expressions'],



}),

]
})

For React compiler users, you can use reactCompilerPreset for easier setup with preconfigured filter to improve build performance:

 import { defineConfig } from 'vite'
-import react from '@vitejs/plugin-react'
+import react, { reactCompilerPreset } from '@vitejs/plugin-react'
+import babel from '@rolldown/plugin-babel'
</tr></table>

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​vitejs/plugin-react since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade build tooling to Vite 8 and @vitejs/plugin-react 6, and remove direct esbuild usage for a leaner setup and faster builds.

  • Dependencies

    • Update vite to ^8.0.16 (uses Rolldown; requires Node ≥ 20.19).
    • Update @vitejs/plugin-react to ^6.0.2 (Babel-related features removed).
    • Remove esbuild as a direct dependency.

  • Migration

    • Ensure Node is ^20.19 or >=22.12.
    • If you rely on Babel transforms, add @rolldown/plugin-babel (optional).

Written for commit c513c84. Summary will update on new commits.

Review in cubic

@dependabot
chore(deps): bump esbuild, vite and @vitejs/plugin-react
c513c84 
Removes [esbuild](https://github.com/evanw/esbuild). It's no longer used after updating ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react). These dependencies need to be updated together.


Removes `esbuild`

Updates `vite` from 6.4.2 to 8.0.16
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.16/packages/vite)

Updates `@vitejs/plugin-react` from 4.7.0 to 6.0.2
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.2/packages/plugin-react)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version:
  dependency-type: indirect
- dependency-name: vite
  dependency-version: 8.0.16
  dependency-type: direct:development
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies javascript Pull requests that update javascript code labels Jun 14, 2026
sovri[bot]
sovri Bot reviewed Jun 14, 2026
View reviewed changes

@sovri sovri Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sovri code review

❌ Request changes

3 findings — 2 major, 1 minor

Review assessment

Effort: ●●●●● 5/5
Metrics: 3 findings · 1 file touched · 2 blocker plus major findings

Severity distribution:
Total: 3 findings
Bar: ███

  • 🔴 major: 2 findings
  • 🟡 minor: 1 finding

TL;DR

This pull request updates Vite from 6.4.2 to 8.0.16, @vitejs/plugin-react from 4.7.0 to 6.0.2, and removes the unused esbuild dependency. The changes align with Vite 8's shift to Rolldown for bundling and the plugin's removal of Babel-related features. No functional code changes were made, but the updates introduce breaking changes that require attention.

Findings

Severity Location Title Details
🔴 package.json:12 Babel-related features removed in @vitejs/plugin-react 6.0.0 The @vitejs/plugin-react update from 4.7.0 to 6.0.2 removes Babel-related features, including the babel configuration option. This is a breaking change as Vite 8+ now uses Oxc for React Refresh transforms, eliminating the need for Babel. Any existing Babel plugins or configurations will no longer work.
🔴 package.json:14 Vite 8.0.0+ replaces Rollup with Rolldown The Vite update from 6.4.2 to 8.0.16 replaces Rollup with Rolldown as the default bundler. This is a breaking change that may affect custom Rollup plugins, configuration, or build scripts that rely on Rollup-specific APIs or behaviors.
🟡 package.json:14 Unused esbuild dependency removed The esbuild dependency was removed as it is no longer used after updating Vite and its related dependencies. While this is a cleanup, it may affect scripts or tools that implicitly relied on esbuild being present in the project.

File-by-file

package.json

3 findings

  • package.json:12 Babel-related features removed in @vitejs/plugin-react 6.0.0
  • package.json:14 Unused esbuild dependency removed
  • package.json:14 Vite 8.0.0+ replaces Rollup with Rolldown
Compliance & provenance

Compliance & audit

Model: mistral / mistral-large-latest
Prompt sha256: d589da86d2b960a2b8d7882b28332d8d946e2d543e3cd1967246b1ecd01485ae
No signed audit trail is attached

Babel-related features removed in @vitejs/plugin-react 6.0.0 — package.json:12

🔍 Audit Reference: SOVRI-MT-2EE7-D069

Vite 8.0.0+ replaces Rollup with Rolldown — package.json:14

🔍 Audit Reference: SOVRI-MT-7D53-85BD

Unused esbuild dependency removed — package.json:14

🔍 Audit Reference: SOVRI-MT-0384-4334

Tokens: 42987 in / 1204 out · Estimated cost: $0.0233 (mistral mistral-large-latest)

Sovri

@socket-security

socket-security Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​vite@​6.4.2 ⏵ 8.0.1699 +51008296100
Updatednpm/​@​vitejs/​plugin-react@​4.7.0 ⏵ 6.0.2100 +110010092100

View full report

@codspeed-hq

codspeed-hq Bot commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Merging this PR will improve performance by 16.74%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 1 improved benchmark
✅ 25 untouched benchmarks

Performance Changes

Benchmark BASE HEAD Efficiency
reject_invalid 610.3 ns 522.8 ns +16.74%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.

Comparing dependabot/npm_and_yarn/multi-5ea19b96cb (c513c84) with main (46d16cb)

Open in CodSpeed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sovri sovri[bot] sovri[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

configuration dependencies javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants