
chore: upgrade vite #1080

Open
briantstephan wants to merge 3 commits into main from upgrade-rollup

Conversation

@briantstephan
Contributor

@briantstephan briantstephan commented Mar 6, 2026

This newer Vite version is using rollup 4.59.0 which is safe from the vulnerability described here: https://nvd.nist.gov/vuln/detail/CVE-2026-27606

Confirmed in platform that the editor and live page still work as expected.

@briantstephan briantstephan self-assigned this Mar 6, 2026
@briantstephan briantstephan added the create-dev-release label (Triggers dev release workflow) Mar 6, 2026
@pkg-pr-new

pkg-pr-new bot commented Mar 6, 2026

commit: 8a0ecad

@briantstephan briantstephan marked this pull request as ready for review March 6, 2026 21:33
@coderabbitai
Contributor

coderabbitai bot commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 889b1d59-5c9f-47c1-856a-32f14d83a3ff

📥 Commits

Reviewing files that changed from the base of the PR and between a33d255 and 8a0ecad.

📒 Files selected for processing (1)
  • starter/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • starter/package.json

Walkthrough

This pull request updates the Vite build tool dependency across the monorepo. In packages/visual-editor/package.json, Vite is upgraded from version ^5.3.5 to ^5.4.21. In starter/package.json, Vite is upgraded from version ^5.1.6 to ^5.4.21 and the Rollup wasm-node override is set to npm:@rollup/wasm-node@^4.59.0. Both updates align Vite versions to 5.4.21; no other dependencies, scripts, or runtime behavior modifications are introduced.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'chore: upgrade vite' clearly and directly summarizes the main change in the pull request, which is upgrading Vite across multiple package.json files.
Description check | ✅ Passed | The description is directly related to the changeset, providing context about the Vite upgrade, the specific Rollup version involved, and confirmation of testing.


Contributor

@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
starter/package.json (1)

64-70: ⚠️ Potential issue | 🟡 Minor

The CVE is addressed, but explicitly pin the @rollup/wasm-node version for clarity.

CVE-2026-27606 is a confirmed critical path traversal vulnerability in Rollup that's fixed in version 4.59.0+. The current lockfile shows rollup@4.59.0 installed, which addresses the CVE. However, the override on lines 66-70 specifies "rollup": "npm:@rollup/wasm-node" without pinning a version.

While @rollup/wasm-node@4.59.0 exists and includes the fix, making the version constraint explicit prevents accidental downgrades and ensures future clarity:

Suggested update
"overrides": {
  "vite": {
    "rollup": "npm:@rollup/wasm-node@^4.59.0"
  }
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In starter/package.json around lines 64 - 70, the overrides entry currently
maps rollup to the package alias "npm:@rollup/wasm-node" without a version;
update the overrides for "vite" so the "rollup" override explicitly pins a
secure Rollup package version (e.g., change the value to include the
@rollup/wasm-node@^4.59.0 semver spec) to ensure the CVE-2026-27606 fix is enforced
and prevent accidental downgrades.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a0ae9d59-ce92-40aa-8ee7-33db3452d65d

📥 Commits

Reviewing files that changed from the base of the PR and between 3fa23f7 and a33d255.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • packages/visual-editor/package.json
  • starter/package.json
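As an added example (not part of the PR or the project's code), a small check in the spirit of the review comment above: it reads the vite -> rollup entry from a package.json "overrides" object and reports whether the alias pins a lower bound at or above 4.59.0, the release the review names as fixed. It goes slightly beyond the comment by also accepting a plain version spec for rollup itself; only simple ranges (^, ~, >=, exact) are recognised, and the package.json fragments are constructed.

```javascript
// Added example: verify that a package.json "overrides" entry for vite's
// rollup dependency pins a version whose lower bound is >= the fixed release.
// Only simple specs (^x.y.z, ~x.y.z, >=x.y.z, x.y.z) are understood; anything
// else is reported as "unpinned" so a human reviews it.

const FIXED_ROLLUP = "4.59.0"; // first release the review comment names as fixed

// Constructed package.json fragments: the unpinned form the review flagged
// and the pinned form it suggested.
const UNPINNED = { overrides: { vite: { rollup: "npm:@rollup/wasm-node" } } };
const PINNED = { overrides: { vite: { rollup: "npm:@rollup/wasm-node@^4.59.0" } } };

// Split an override value into { name, spec }. "npm:<name>[@<spec>]" is an
// alias; a scoped name starts with "@", so the version separator is the last
// "@" after index 0. A value without "npm:" is a plain spec for rollup itself.
function parseOverride(value) {
  if (!value.startsWith("npm:")) return { name: "rollup", spec: value };
  const rest = value.slice(4);
  const at = rest.lastIndexOf("@");
  if (at <= 0) return { name: rest, spec: null };
  return { name: rest.slice(0, at), spec: rest.slice(at + 1) };
}

// Lower bound of a simple range: ^1.2.3, ~1.2.3, >=1.2.3 and 1.2.3 all admit
// 1.2.3 as their smallest version. Returns null for anything else.
function lowerBound(spec) {
  const m = /^(\^|~|>=)?(\d+)\.(\d+)\.(\d+)$/.exec(spec || "");
  return m ? [Number(m[2]), Number(m[3]), Number(m[4])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "pinned", "too-low" or "unpinned" for the vite -> rollup override.
// A missing entry, an unknown package or an unparseable spec counts as unpinned.
function checkRollupOverride(pkg, fixed = FIXED_ROLLUP) {
  const value = pkg.overrides?.vite?.rollup;
  if (typeof value !== "string") return "unpinned";
  const { name, spec } = parseOverride(value);
  if (name !== "rollup" && name !== "@rollup/wasm-node") return "unpinned";
  const low = lowerBound(spec);
  if (!low) return "unpinned";
  return compareVersions(low, lowerBound(fixed)) >= 0 ? "pinned" : "too-low";
}

console.log(checkRollupOverride(UNPINNED)); // unpinned
console.log(checkRollupOverride(PINNED));   // pinned
```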
