
fix: upgrade vite to 7.3.1 to resolve esbuild vulnerability#149

Merged
smoreinis merged 1 commit into main from fix/upgrade-esbuild-vulnerability
Feb 18, 2026

Conversation

@smoreinis
Collaborator

@smoreinis smoreinis commented Feb 18, 2026

Summary

  • Upgrades vite from 7.1.12 to 7.3.1 and @vitejs/plugin-react from 5.1.0 to 5.1.4
  • Resolves esbuild vulnerability by upgrading the transitive dependency from 0.25.11 to 0.27.3 (>= 0.27.2 required)

Test plan

  • Verify npm ls esbuild shows >= 0.27.2
  • Run npm run build to confirm no build regressions
  • Run npm run dev to confirm dev server works

Greptile Summary

This PR upgrades vite from 7.1.12 to 7.3.1 and @vitejs/plugin-react from 5.1.0 to 5.1.4 to resolve an esbuild vulnerability (upgrading from 0.25.11 to 0.27.3). The security fix is valid and the version bumps look correct.

  • Issue: vite added to production dependencies instead of devDependencies — This is a Next.js app that only uses vite through vitest for testing. Adding vite as a production dependency causes esbuild and ~26 platform-specific binary packages to be installed in production, increasing image size and attack surface. It should be moved to devDependencies.
  • The @vitejs/plugin-react upgrade from 5.1.0 to 5.1.4 in devDependencies is correctly placed.

Confidence Score: 2/5

  • This PR is functionally safe but introduces unnecessary production bloat by misplacing vite in dependencies.
  • The core goal (upgrading esbuild to fix a vulnerability) is sound, but placing vite in production dependencies instead of devDependencies is a meaningful error for a Next.js app. It won't break anything, but it will unnecessarily include vite, esbuild, and dozens of platform binaries in production installs, increasing image size and attack surface — counterproductive for a security-motivated PR.
  • agentex-ui/package.json: vite needs to be moved from dependencies to devDependencies

Important Files Changed

Filename                      Overview
agentex-ui/package.json       Upgrades @vitejs/plugin-react to 5.1.4, but incorrectly adds vite to production dependencies instead of devDependencies, causing esbuild and its platform binaries to be marked as production dependencies.
agentex-ui/package-lock.json  Lockfile reflects the vite upgrade from 7.1.12 to 7.3.1 and esbuild from 0.25.11 to 0.27.3. Multiple @esbuild/* packages lost their "dev": true flag because vite was added as a production dependency.

Flowchart

flowchart TD
    A[package.json] -->|dependencies| B[vite ^7.3.1]
    B -->|requires| C[esbuild ^0.27.0]
    C -->|installs| D["@esbuild/* platform binaries (26 packages)"]
    A -->|devDependencies| E["@vitejs/plugin-react ^5.1.4"]
    A -->|devDependencies| F[vitest ^4.0.6]
    F -->|peer dependency| B

    style B fill:#ff9999,stroke:#cc0000
    style C fill:#ff9999,stroke:#cc0000
    style D fill:#ff9999,stroke:#cc0000
    style E fill:#99ff99,stroke:#00cc00
    style F fill:#99ff99,stroke:#00cc00

Last reviewed commit: fe5ee1a

Bump vite 7.1.12 → 7.3.1 and @vitejs/plugin-react 5.1.0 → 5.1.4,
which upgrades the transitive esbuild dependency from 0.25.11 to 0.27.3
(>= 0.27.2 required).
@smoreinis smoreinis requested a review from a team as a code owner February 18, 2026 19:45
Collaborator

@danielmillerp danielmillerp left a comment


yeah sure why not

@socket-security

Review the following changes in direct dependencies.

Diff     Package                                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/vite@7.1.12 ⏵ 7.3.1                  96                     100            82       99           100
Updated  npm/@vitejs/plugin-react@5.1.0 ⏵ 5.1.4   100 (+1)               100            100      96           100

@smoreinis smoreinis merged commit dc56b1a into main Feb 18, 2026
12 checks passed
@smoreinis smoreinis deleted the fix/upgrade-esbuild-vulnerability branch February 18, 2026 19:47

@greptile-apps greptile-apps bot left a comment


2 files reviewed, 1 comment


"typescript": "5.9.2",
"uuid": "^11.1.0"
"uuid": "^11.1.0",
"vite": "^7.3.1"
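Review bot: `"vite": "^7.3.1"` is appended to the end of the `dependencies` block here (the `"uuid": "^11.1.0"` line changes only to gain the trailing comma that lets vite follow it), yet this Next.js app never imports vite at runtime; it is reached only through `vitest`, which already lives in `devDependencies`. Move the entry into `devDependencies` so that `esbuild` and the `@esbuild/*` platform binaries keep their `"dev": true` flag in the lockfile and stay out of production installs. Moving the entry does not change which esbuild version resolves, so `npm ls esbuild` showing >= 0.27.2 from the test plan still applies after the move.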

vite should be in devDependencies, not dependencies

This is a Next.js application — vite is not used at runtime (the build/dev scripts use next build / next dev --turbopack). Vite is only needed as a transitive dependency of vitest (which is already in devDependencies). Placing it in production dependencies causes esbuild and all its platform-specific binaries (~26 packages) to lose their "dev": true flag in the lockfile, unnecessarily bloating production installs.

Move vite to devDependencies alongside vitest and @vitejs/plugin-react:

Suggested change
"vite": "^7.3.1"
"uuid": "^11.1.0"
},
"devDependencies": {
"@eslint/eslintrc": "^3.3.1",
"@testing-library/jest-dom": "^6.9.1",
"@testing-library/react": "^16.3.0",
"@testing-library/user-event": "^14.6.1",
"@types/node": "^20",
"@types/react": "^19",
"@types/react-dom": "^19",
"@types/react-syntax-highlighter": "^15.5.13",
"@vitejs/plugin-react": "^5.1.4",
"@vitest/coverage-v8": "^4.0.6",
"@vitest/ui": "^4.0.6",
"eslint": "9.32.0",
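Review bot: as rendered, this suggestion only removes the `"vite": "^7.3.1"` line from `dependencies`; the visible `devDependencies` lines end at `"eslint": "9.32.0",` and contain no new vite entry, so applying it verbatim drops the explicit vite pin altogether and leaves the resolved vite (and thus esbuild) version to whatever `vitest`'s peer range selects. Add `"vite": "^7.3.1"` inside `devDependencies` next to `vitest` and re-run the install so the lockfile's `esbuild` and `@esbuild/*` entries regain `"dev": true`.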
