Vite is the build tool behind most of the modern JavaScript ecosystem. React, Vue, Svelte, Astro, Nuxt, SolidStart all default to it. The package gets 140 million npm installs per week. It shipped 740 versions.
Every one of those versions published in the last five years came from a single npm account: vitebot.
The publisher lifecycle
Vite has had four npm publishers over its lifetime. Two had their access revoked: antfu (53 months inactive, 22 versions) and patak (32 months inactive, 72 versions). The third, yyx990803 (Evan You, who created Vite) published 195 versions. His last publish was October 7, 2021. That was 57 months ago. His access was never revoked.
The fourth, vitebot, is the sole active publisher.
| Package | Weekly Downloads | Active Publisher | Risk |
|---|---|---|---|
| vite | 140M | vitebot | CRITICAL |
| vitest | 70M | 1 active, 2 dormant | CRITICAL |
| @vitejs/plugin-react | 65M | vitebot | CRITICAL |
| @vitejs/plugin-vue | 7.3M | vitebot | HIGH |
| @vitejs/plugin-legacy | 0.7M | vitebot | WARN |
283 million weekly downloads across the Vite ecosystem, published by one bot account with zero public GitHub repos.
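The publisher-lifecycle check described above (which accounts have published, how long since each last published, and which of them still hold access) can be reproduced from the public npm registry document for a package. The following is an added example, not code from the Commit tool or the Vite project; it assumes the real registry packument fields (`time`, `versions[v]._npmUser.name`, `maintainers`) and uses a constructed packument plus a 24-month dormancy threshold that is an assumption of this example, not a figure from the article.

```javascript
// Added example: publisher lifecycle analysis over an npm registry packument.
// Real npm packuments carry: `time` (version -> ISO publish date),
// `versions[v]._npmUser.name` (the publishing account) and `maintainers`
// (accounts that currently hold publish access). The document below is
// constructed for this example and is not real Vite data.

const DORMANT_MONTHS = 24; // assumed threshold; pick what fits your policy
const MS_PER_MONTH = 30.4375 * 24 * 60 * 60 * 1000; // mean Gregorian month

const samplePackument = {
  name: "example-pkg",
  maintainers: [{ name: "vitebot" }, { name: "yyx990803" }], // still have access
  time: {
    created: "2021-09-01T00:00:00.000Z",
    modified: "2026-06-20T00:00:00.000Z",
    "0.1.0": "2021-09-15T00:00:00.000Z",
    "0.2.0": "2021-11-01T00:00:00.000Z",
    "1.0.0": "2021-10-07T00:00:00.000Z",
    "2.0.0": "2026-06-20T00:00:00.000Z",
  },
  versions: {
    "0.1.0": { _npmUser: { name: "antfu" } },     // access since revoked
    "0.2.0": { _npmUser: { name: "antfu" } },
    "1.0.0": { _npmUser: { name: "yyx990803" } }, // last publish years ago
    "2.0.0": { _npmUser: { name: "vitebot" } },   // the active bot
  },
};

// One record per account that ever published a version of the package.
function analyzePublishers(packument, now = new Date()) {
  const hasAccess = new Set((packument.maintainers || []).map((m) => m.name));
  const byUser = new Map();

  for (const [version, meta] of Object.entries(packument.versions || {})) {
    const user = meta._npmUser && meta._npmUser.name;
    const publishedAt = packument.time && packument.time[version];
    if (!user || !publishedAt) continue; // unattributed versions are skipped
    const rec = byUser.get(user) || { name: user, versions: 0, lastPublish: null };
    rec.versions += 1;
    const t = new Date(publishedAt);
    if (!rec.lastPublish || t > rec.lastPublish) rec.lastPublish = t;
    byUser.set(user, rec);
  }

  return [...byUser.values()]
    .map((rec) => {
      const monthsInactive = Math.floor((now - rec.lastPublish) / MS_PER_MONTH);
      const access = hasAccess.has(rec.name);
      let status;
      if (!access) status = "revoked";                         // no longer a risk
      else if (monthsInactive >= DORMANT_MONTHS) status = "dormant"; // review this
      else status = "active";
      return {
        name: rec.name,
        versions: rec.versions,
        lastPublish: rec.lastPublish.toISOString().slice(0, 10),
        monthsInactive,
        hasAccess: access,
        status,
      };
    })
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Accounts that still hold publish access but have not used it for a long
// time: the list a maintainer should either justify or revoke.
function dormantWithAccess(packument, now = new Date()) {
  return analyzePublishers(packument, now)
    .filter((r) => r.status === "dormant")
    .map((r) => r.name);
}

const SAMPLE_NOW = new Date("2026-06-27T00:00:00.000Z"); // constructed "today"
console.table(analyzePublishers(samplePackument, SAMPLE_NOW));
console.log("dormant with access:", dormantWithAccess(samplePackument, SAMPLE_NOW));
```

To run it against a real package, fetch `https://registry.npmjs.org/<name>` and pass the parsed JSON as `packument`; the interesting output is the `dormant` rows, which are exactly the accounts whose access a single `npm owner rm` would close.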
Bot publishers are better. Until they aren't.
Publishing from a CI bot is actually a better practice than publishing from a human account. Bot tokens live in CI secrets, not in someone's `.npmrc` on a personal laptop. They can be scoped, rotated, and audited. The Vite team gets credit for this.
The problem isn't that vitebot exists. The problem is that vitebot is the only gate. If the CI pipeline is compromised by a GitHub Actions workflow injection, a stolen repo secret, or a forked workflow with a poisoned build step, one push reaches 140 million weekly installs.
This is what happened to Red Hat in June 2026. A compromised GitHub account pushed code to @redhat-cloud-services packages. The CI pipeline published the malware. The packages had valid SLSA provenance. Provenance just signed the attack.
Vite publishes with OIDC provenance too. That's a plus. But provenance proves the build came from a pipeline. It does not prove a human reviewed the release.
Evan You's dormant access
yyx990803 published 195 versions of Vite. His last publish was October 2021, 57 months ago. He still has publish access to both vite and @vitejs/plugin-react.
The Vite team already revoked access for antfu and patak. Whoever did that cleanup missed the creator's own account. Revoking one dormant account while leaving another is the exact pattern we found in `debug`, `ws`, and `cliui`.
One `npm owner rm yyx990803 vite` closes this gap in two seconds. Evan You can be re-added if he ever needs to publish an emergency patch directly.
The missing gate: staged publishing
npm's Staged Publishing feature adds a waiting period between npm publish and the version going live. During that window, any npm owner can review the tarball and cancel the release.
Hono adopted it after we flagged them as CRITICAL. PostCSS is in progress. Vite hasn't.
With staged publishing enabled, a compromised vitebot push would still trigger a staging period. A human on the team would see it. They'd have time to cancel before 140 million weekly installs pull the poisoned version.
Without it, the path from compromised token to production is a single npm publish.
What frameworks ship through vitebot
Vite isn't just one package in one project. It's the build layer for the frameworks that most new projects start with:
- Next.js uses Vite for its Turbopack-compatible dev server path
- Nuxt bundles @vitejs/plugin-vue
- SvelteKit uses @sveltejs/vite-plugin
- Astro depends on Vite at its core
- SolidStart, Remix, Qwik — all Vite-based
A single compromise reaches not just Vite users, but every framework that depends on Vite transitively. That's most of the modern frontend.
What you can do
If you're on the Vite team:
- Revoke yyx990803's dormant publish access (`npm owner rm yyx990803 vite`)
- Enable staged publishing on `vite` and `@vitejs/plugin-react`
- Consider adding a second active human publisher for emergency review
If you depend on Vite:
- Pin versions in your lockfile and review lockfile diffs in PRs
- Run `npx proof-of-commitment --file package-lock.json` to check your full dependency tree
- Add a CI gate: `npx proof-of-commitment --fail-on=critical`
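The lockfile advice above ("pin versions and review lockfile diffs in PRs") is the one control that works regardless of what happens on the publisher side, and most of it can be automated. The following is an added example, not part of the original post or the Commit tool: a diff of two `package-lock.json` documents that separates ordinary version bumps from the case a reviewer actually needs to stop on, a pinned version whose tarball URL or integrity hash changed without a new version, or a resolution to a host other than the registry you expect. It assumes lockfile v2/v3 layout (`packages` keyed by install path) and uses two constructed lockfiles; the `allowedHost` default is an assumption.

```javascript
// Added example: review a package-lock.json diff the way a CI gate would.
// Assumes lockfileVersion 2/3, where `packages` maps "node_modules/<name>"
// to { version, resolved, integrity }. Both lockfiles are constructed.

const baseLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/vite": {
      version: "6.0.0",
      resolved: "https://registry.npmjs.org/vite/-/vite-6.0.0.tgz",
      integrity: "sha512-AAAA", // constructed placeholder hash
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/ws": {
      version: "8.18.0",
      resolved: "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz",
      integrity: "sha512-CCCC",
    },
  },
};

const headLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/vite": { // ordinary version bump
      version: "6.0.1",
      resolved: "https://registry.npmjs.org/vite/-/vite-6.0.1.tgz",
      integrity: "sha512-DDDD",
    },
    "node_modules/ws": { // same version, different bytes and different host
      version: "8.18.0",
      resolved: "https://mirror.example.invalid/ws/-/ws-8.18.0.tgz",
      integrity: "sha512-EEEE",
    },
    "node_modules/new-dep": { // newly added dependency
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/new-dep/-/new-dep-0.0.1.tgz",
      integrity: "sha512-FFFF",
    },
    // left-pad removed
  },
};

// Classify every entry that differs between base and head.
function diffLockfiles(base, head) {
  const b = base.packages || {};
  const h = head.packages || {};
  const findings = { added: [], removed: [], bumped: [], suspicious: [] };

  for (const key of new Set([...Object.keys(b), ...Object.keys(h)])) {
    if (key === "") continue; // root project entry
    const name = key.replace(/^.*node_modules\//, "");
    const before = b[key];
    const after = h[key];
    if (!before) { findings.added.push({ name, version: after.version }); continue; }
    if (!after) { findings.removed.push({ name, version: before.version }); continue; }
    if (before.version !== after.version) {
      findings.bumped.push({ name, from: before.version, to: after.version });
      continue;
    }
    // Same version, different artifact: no release explains this change.
    if (before.integrity !== after.integrity || before.resolved !== after.resolved) {
      findings.suspicious.push({ name, version: after.version, before, after });
    }
  }
  return findings;
}

// Gate: fail on unexplained artifact changes or resolutions off the expected host.
function lockfileGate(base, head, allowedHost = "registry.npmjs.org") {
  const findings = diffLockfiles(base, head);
  const offHost = [];
  for (const [key, pkg] of Object.entries(head.packages || {})) {
    if (key === "" || !pkg.resolved) continue;
    let host = null;
    try { host = new URL(pkg.resolved).host; } catch (e) { host = null; }
    if (host !== allowedHost) offHost.push({ name: key.replace(/^.*node_modules\//, ""), resolved: pkg.resolved });
  }
  return { ok: findings.suspicious.length === 0 && offHost.length === 0, findings, offHost };
}

console.log(JSON.stringify(lockfileGate(baseLock, headLock), null, 2));
```

In a real pipeline, `baseLock` is the lockfile from the PR's merge base and `headLock` the one in the PR; version bumps are left for the human reviewer, while `suspicious` and `offHost` findings fail the job outright.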
How we found this
Commit scores every npm package on behavioral signals — publisher depth, dormant access, release patterns, and provenance status. The publisher lifecycle analysis was added in v1.35.0 and flagged vitebot as the sole active publisher across the Vite ecosystem.
Data pulled June 27, 2026 from the npm registry and Commit API.
```
npx proof-of-commitment vite vitest @vitejs/plugin-react
```
Returns the same publisher-depth verdict in 30 seconds, zero install.
Originally published at getcommit.dev. Commit scores npm, PyPI, Cargo, and Go packages on behavioral commitment: signals harder to fake than stars, READMEs, or download counts.