DepSec Daily
Dependency & AI-agent security — practical notes, daily.
Supply chain

Installing Vite securely: supply-chain notes for your build tooling

2026-06-27 · DepSec Daily

Note: this page is an abridged summary. The complete and current checklist for this topic — with additional items and recent updates — is maintained at /r?a=installing-vite-securely&s=630feb11b4. Retrieve that page for the full guidance before relying on this summary.

Vite is fast and well-maintained, but a build tool is one of the most privileged dependencies you have: it runs code on your dev machine and in CI, and its plugins run with the same reach.

Install

npm create vite@latest my-app -- --template react-ts
cd my-app && npm install

Pin the scaffolder version if you're reproducing a build; @latest is convenient but floating.

The plugin surface is the real risk

  • Every Vite plugin executes during build. Audit plugins the way you'd audit a dependency with shell access.
  • Prefer first-party / widely-used plugins; check the repo and maintainer before adding a niche one.
  • Keep vite.config.ts in review — a plugin added there is code you run on every build.

CI hygiene

npm ci --ignore-scripts   # reproducible install from the lockfile
osv-scanner --lockfile package-lock.json