Install: claude install-skill hlsitechio/claude-skills-security
# Vite Security Audit
Audit a Vite-based project for security issues specific to Vite's dev server, build pipeline, environment-variable model, and plugin ecosystem. Covers Vite 3 / 4 / 5 / 6.
## When this skill applies
- Reviewing `vite.config.ts/js/mjs` for misconfigurations
- Auditing the env var setup (`VITE_` prefix model)
- Checking Vite plugins for known issues
- Reviewing build output for accidentally-shipped secrets or dev-only code
- Auditing Vite dev server exposure (local network, tunnel, demo deployments)
- Confirming production build settings match security expectations
Use other skills for: React/Vue/Svelte component-level issues (`react-security`, `vue-nuxt-security`, `svelte-sveltekit-security`), backend code, deployment platform (`vercel-platform-security`, `cloudflare-workers-security`).
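One way to run the `VITE_` prefix check listed above, as an added example that is not part of this skill's own scripts: Vite exposes variables whose names start with `VITE_` to client code through `import.meta.env`, so the function flags such names in `.env` files when they look like credentials. The keyword list, the function names and the sample files are assumptions constructed for illustration.

```bash
# Added example: flag VITE_-prefixed names in .env files that look like secrets.
# Assumption: the keyword list below is illustrative; tune it per project.
SECRET_WORDS='SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY'

# audit_vite_env DIR [PREFIX]
# Prints "file:line:NAME" per suspicious variable (never the value, so the
# report is safe to keep in CI logs). Returns 1 if anything was flagged.
# PREFIX defaults to VITE_; pass the project's envPrefix if it sets one.
audit_vite_env() (
  dir=$1 prefix=${2:-VITE_} found=0
  re="^[[:space:]]*(export[[:space:]]+)?${prefix}[A-Z0-9_]*(${SECRET_WORDS})[A-Z0-9_]*[[:space:]]*="
  for f in "$dir"/.env "$dir"/.env.*; do
    [ -f "$f" ] || continue
    hits=$(grep -nE "$re" "$f" |
      sed -E 's/^([0-9]+):[[:space:]]*(export[[:space:]]+)?([A-Z0-9_]+).*/\1:\3/')
    [ -n "$hits" ] || continue
    found=1
    printf '%s\n' "$hits" | while IFS= read -r h; do
      printf '%s:%s\n' "$f" "$h"
    done
  done
  exit "$found"
)

# Constructed sample input (not taken from any real project).
make_sample_env() {
  d=$(mktemp -d)
  printf '%s\n' 'VITE_API_URL=https://api.example.test' \
    'VITE_STRIPE_SECRET_KEY=constructed-value' \
    'DATABASE_PASSWORD=server-side-only' > "$d/.env"
  printf '%s\n' 'export VITE_GITHUB_TOKEN=constructed-value' > "$d/.env.production"
  printf '%s\n' "$d"
}

sample=$(make_sample_env)
audit_vite_env "$sample" || echo "VITE_-prefixed secrets found: these would ship in the client bundle"
rm -rf "$sample"
```

A name match is only a lead: confirm each hit against how the value is used, and treat any real credential that reached a build as exposed.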
## Workflow
Follow `../_shared/audit-workflow.md`. Vite-specific notes below.
### Phase 1: Stack detection
```bash
# Detect Vite version
grep -E '"vite":' package.json
# Detect framework template (React/Vue/Svelte/Solid/Qwik)
grep -E '@vitejs/plugin-(react|vue|svelte)|vite-plugin-solid|vite-plugin-qwik' package.json
# Find config
ls vite.config.* vitest.config.* 2>/dev/null
```
### Phase 2: Inventory
```bash
# Plugin chain
grep -E 'plugins:|VitePlugin' vite.config.*
# Env var usage
grep -rn 'import\.meta\.env\.' src/ | head -30
# Define / replace patterns (often used to inject values at build time)
grep -nE 'define:\s*\{|process\.env' vite.config.*
# Dev serv