Integration of ViteJS in a Django project.
```
pip install django-vite
```

Add `django_vite` to your `INSTALLED_APPS` in your `settings.py` (before your apps that are using it).

```python
INSTALLED_APPS = [
    ...
    'django_vite',
    ...
]
```
Follow the instructions on https://vitejs.dev/guide/, mostly the SSR part.

Then in your ViteJS config file:

- Set the `base` option to the same value as your `STATIC_URL` Django setting.
- Set `build.outDir` to the path where you want the assets to be compiled.
- Set `build.manifest` to `manifest.json`.
- As you are using SSR rather than a single-page app, there is no `index.html` that ViteJS can use to determine which files to compile. You need to tell it directly in `build.rollupOptions.input`.

```javascript
import { resolve } from "path";
import { defineConfig } from "vite";

export default defineConfig({
  ...
  base: "/static/",
  build: {
    ...
    manifest: "manifest.json",
    outDir: resolve("./assets"),
    rollupOptions: {
      input: {
        <unique key>: '<path to your asset>'
      }
    }
  }
})
```
As recommended in Vite's backend integration guide, your assets should include the modulepreload polyfill.

```javascript
// Add this at the beginning of your app entry.
import 'vite/modulepreload-polyfill';
```
Define a default `DJANGO_VITE` configuration in your `settings.py`.

```python
DJANGO_VITE = {
    "default": {
        "dev_mode": True
    }
}
```

Or, if you prefer to use the legacy module-level settings, you can use:

```python
DJANGO_VITE_DEV_MODE = True
```

Be sure that the `build.outDir` from `vite.config.js` is included in `STATICFILES_DIRS`.

```python
STATICFILES_DIRS = [
    BASE_DIR / "assets"
]
```
The `dev_mode` / `DJANGO_VITE_DEV_MODE` boolean defines whether you want to include assets in development mode or production mode. It is common to set it to the same value as the `DEBUG` setting in Django, but you can do what is good for your needs.

Include this in your base HTML template file:

```django
{% load django_vite %}
```
Then in your `<head>` element add this:

```django
{% vite_hmr_client %}
```

This will add a `<script>` tag to include the ViteJS HMR client. The script is included only if `DJANGO_VITE_DEV_MODE` is true; otherwise this will do nothing.

Then add this tag (in your `<head>` element too) to load your scripts:

```django
{% vite_asset '<path to your asset>' %}
```

This will add a `<script>` tag including your JS/TS script:

- Scripts are included as ES modules (`[type=module]`), so they can use `import` statements.
- In production mode, the asset is resolved through the `manifest.json` file generated by ViteJS, and all CSS files this script depends on are imported before the script itself.
- The path to your asset is relative to the `root` key inside your ViteJS config file and must match the key in the `manifest.json` file generated by ViteJS.
- The path must not start with a `/` (follow your `manifest.json` file).

```django
{% vite_asset_url '<path to your asset>' %}
```
This will generate only the URL to an asset, with no tag surrounding it. Warning: unlike the previous tag, this does not generate URLs for the dependent assets of this one.

```django
{% vite_react_refresh %}
```

If you're using React, this will generate the JavaScript `<script/>` needed to support React HMR.

```django
{% vite_react_refresh nonce="{{ request.csp_nonce }}" %}
```

Any kwargs passed to `vite_react_refresh` will be added to its generated `<script/>` tag. For example, if your site is configured with a Content Security Policy using django-csp, you'll want to pass the request's nonce as the `nonce` attribute this way.
By default, all script tags are generated with `type="module"` and `crossorigin=""` attributes, just like ViteJS does by default when you are building a single-page app. You can override this behavior by adding or overriding these attributes like so:

```django
{% vite_asset '<path to your asset>' foo="bar" hello="world" data_turbo_track="reload" %}
```

This line will add `foo="bar"`, `hello="world"`, and `data-turbo-track="reload"` attributes.

You can also use context variables to fill attribute values:

```django
{% vite_asset '<path to your asset>' foo=request.GET.bar %}
```

If you want to override default attributes, just add them like new attributes:

```django
{% vite_asset '<path to your asset>' crossorigin="anonymous" %}
```

It is recommended, though, to keep the default `type="module"` attribute, as ViteJS builds scripts as ES6 modules.
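As an added illustration (not django-vite's own code) of what the `vite_asset` tag does in production mode and how its attribute kwargs behave, the following Python resolves an entry from a constructed `manifest.json`, emits the dependent CSS before the script, applies the default `type`/`crossorigin` attributes with kwarg overrides, and escapes attribute values. The manifest contents, file hashes and `STATIC_URL` value are constructed for the example.

```python
import html
import json

# Constructed sample of a ViteJS manifest.json, in the shape Vite emits:
# keys are source paths relative to the Vite `root`, written without a leading "/".
MANIFEST = json.loads("""
{
  "src/main.ts": {
    "file": "assets/main-CSliV9zW.js",
    "isEntry": true,
    "imports": ["_shared-BqT3x9Yk.js"],
    "css": ["assets/main-D4k2m8Pq.css"]
  },
  "_shared-BqT3x9Yk.js": {
    "file": "assets/shared-BqT3x9Yk.js",
    "css": ["assets/shared-Z7n1c4Wv.css"]
  }
}
""")

STATIC_URL = "/static/"  # assumed to equal Vite's `base`, as the setup above requires


def css_for(manifest, key, seen=None):
    """CSS of a chunk plus the CSS of every chunk it statically imports, each listed once."""
    seen = set() if seen is None else seen
    if key in seen:
        return []
    seen.add(key)
    files = []
    for imported in manifest[key].get("imports", []):
        files += css_for(manifest, imported, seen)
    return files + manifest[key].get("css", [])


def vite_asset(manifest, path, **attrs):
    """Production-mode rendering: stylesheet links first, then the entry <script>."""
    if path.startswith("/") or path not in manifest:
        raise KeyError(f"{path!r} is not a manifest key (use the key as written, with no leading '/')")
    merged = {"type": "module", "crossorigin": ""}  # defaults the tag documents
    merged.update({k.replace("_", "-"): v for k, v in attrs.items()})  # data_turbo_track -> data-turbo-track
    # Attribute values may come from request context (e.g. request.GET.bar), so escape them.
    attr_str = " ".join(f'{k}="{html.escape(str(v), quote=True)}"' for k, v in merged.items())
    tags = [f'<link rel="stylesheet" href="{STATIC_URL}{c}" />' for c in css_for(manifest, path)]
    tags.append(f'<script {attr_str} src="{STATIC_URL}{manifest[path]["file"]}"></script>')
    return "\n".join(tags)
```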
If you want to support legacy browsers that don't support ES6 module loading, you may use @vitejs/plugin-legacy. Django Vite supports this plugin. You must add some tags in addition to the other script imports in the `<head>` tag.

Just before your `<body>` closing tag add this:

```django
{% vite_legacy_polyfills %}
```

This tag will do nothing in development, but in production it will load the polyfills generated by ViteJS.

Next to this tag you then need to add another import for each script you have in the head, but the 'legacy' version generated by ViteJS, like so:

```django
{% vite_legacy_asset '<path to your asset>' %}
```

Like the previous tag, this will do nothing in development, but in production Django Vite will add a script tag with a `nomodule` attribute for legacy browsers.

The path to your asset must contain the pattern `-legacy` in the file name (e.g. `main-legacy.js`).

This tag accepts overriding and adding custom attributes like the default `vite_asset` tag.
If you would like to use django-vite with multiple Vite configurations, you can specify them in your settings.

```python
DJANGO_VITE = {
    "default": {
        "dev_mode": True,
    },
    "external_app_1": {
        ...
    },
    "external_app_2": {
        ...
    }
}
```

Specify the app in each django-vite tag that you use in your templates. If no app is provided, it will default to using the "default" app.

```django
{% vite_asset '<path to your asset>' %}
{% vite_asset '<path to another asset>' app="external_app_1" %}
{% vite_asset '<path to a third asset>' app="external_app_2" %}
```

You can see an example project here.
You can redefine these values for each app config in `DJANGO_VITE` in `settings.py`.

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| `DJANGO_VITE_DEV_MODE` | `bool` | `False` | Indicates whether to serve assets via the ViteJS development server or from compiled production assets. Read more: Dev Mode |
| `DJANGO_VITE_DEV_SERVER_PROTOCOL` | `str` | `"http"` | The protocol used by the ViteJS webserver. |
| `DJANGO_VITE_DEV_SERVER_HOST` | `str` | `"localhost"` | The `server.host` in `vite.config.js` for the ViteJS development server. |
| `DJANGO_VITE_DEV_SERVER_PORT` | `int` | `5173` | The `server.port` in `vite.config.js` for the ViteJS development server. |
| `DJANGO_VITE_STATIC_URL_PREFIX` | `str` | `""` | The directory prefix for static files built by ViteJS. It must be consistent with `base` and `build.outDir` in your ViteJS config (see the example below the table). |
| `DJANGO_VITE_MANIFEST_PATH` | `str \| Path` | `Path(settings.STATIC_ROOT) / static_url_prefix / "manifest.json"` | The absolute path, including the filename, to the ViteJS manifest file located in `build.outDir`. |
| `DJANGO_VITE_LEGACY_POLYFILLS_MOTIF` | `str` | `"legacy-polyfills"` | The motif used to identify assets for polyfills in the `manifest.json`. This is only applicable if you are using @vitejs/plugin-legacy. |
| `DJANGO_VITE_WS_CLIENT_URL` | `str` | `"@vite/client"` | The path to the HMR (Hot Module Replacement) client used in the `vite_hmr_client` tag. |
| `DJANGO_VITE_REACT_REFRESH_URL` | `str` | `"@react-refresh"` | If you're using React, this will generate the JavaScript needed to support React HMR. |

Example for `DJANGO_VITE_STATIC_URL_PREFIX`:

```python
# settings.py
DJANGO_VITE_STATIC_URL_PREFIX = 'bundler'
STATICFILES_DIRS = (('bundler', '/srv/app/bundler/dist'),)
```

```javascript
// vite.config.js
export default defineConfig({
  base: '/static/bundler/',
  ...
})
```
STATIC_URL setting of Django.

If you are serving your static files with whitenoise, by default the files compiled by Vite will not be considered immutable and an unsuitable cache-control header will be set. To fix this, you will need to set a custom test like so:

```python
import re

# http://whitenoise.evans.io/en/stable/django.html#WHITENOISE_IMMUTABLE_FILE_TEST
def immutable_file_test(path, url):
    # Match vite (rollup)-generated hashes, à la, `some_file-CSliV9zW.js`
    return re.match(r"^.+[.-][0-9a-zA-Z_-]{8,12}\..+$", url)

WHITENOISE_IMMUTABLE_FILE_TEST = immutable_file_test
```
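To see which files the test above marks as immutable (and therefore cacheable forever by browsers), here is an added check, not part of the README, that runs the same regular expression over constructed URLs; the file names and the `/static/` prefix are constructed for the example.

```python
import re


# The README's test, with an explicit bool result so the classification below is unambiguous.
def immutable_file_test(path, url):
    # Match vite (rollup)-generated hashes, à la, `some_file-CSliV9zW.js`
    return re.match(r"^.+[.-][0-9a-zA-Z_-]{8,12}\..+$", url) is not None


def classify(urls):
    """Split URLs into those whitenoise would serve as immutable and those it would keep revalidating."""
    immutable = [u for u in urls if immutable_file_test(None, u)]
    mutable = [u for u in urls if not immutable_file_test(None, u)]
    return immutable, mutable


# Constructed URLs: hashed Vite output next to files whose content can change under the same name.
SAMPLE_URLS = [
    "/static/assets/some_file-CSliV9zW.js",
    "/static/assets/main-legacy-BqT3x9Yk.js",  # plugin-legacy output, still hashed
    "/static/assets/index.a1b2c3d4.css",       # "." as separator before the hash
    "/static/manifest.json",                   # rewritten on every build, must not be immutable
    "/static/js/main-legacy.js",               # "-legacy" alone is too short to be a hash
    "/static/js/vendor.min.js",                # unhashed vendored file
]
```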
For examples of how to set up the project in v3, please see django-vite-examples.
For another example that uses the module-level legacy settings, please see this example project here.
Thanks to Evan You for the ViteJS library.