chore(deps): update npm packages #1779
✅ Deploy Preview for viteplus-preview ready!
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
✅ Staging deployment successful! Preview: https://viteplus-staging.void.app/
c332f66 to 8463529
Renovate cannot update lockfile artifacts in this repo: pnpm-workspace.yaml and Cargo.toml reference the gitignored vite/ and rolldown/ checkouts, so pnpm and cargo fail in Renovate's clone. Add a workflow that checks out the vendored repos at their pinned hashes and regenerates the lockfiles on renovate/** branch pushes, disable npm lockfile updates in Renovate, and ignore the workflow's commits via gitIgnoredAuthors so Renovate keeps managing the branches.
The workflow's own lockfile push retriggers it in the same concurrency group, and cancel-in-progress cancelled the effective run at its final step, leaving a misleading cancelled conclusion.
Dependency bumps are exactly what these suites should cover, but the job gates only fired for labeled PRs, deps/upstream-update, or related source changes, so Renovate PRs skipped them.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6cad03072f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
Keep the mechanism description in the npm block only; the packageRule description restated it.
updateLockFiles is npm-only and deprecated (it migrates to skipArtifactsUpdate); the cross-manager option also stops cargo artifact-update failures on rust crate branches, which the renovate-lockfiles workflow regenerates as well.
@codex review
Codex Review: Didn't find any major issues. 👍
Release vite-plus v0.2.0. Vite+ now consumes upstream Vitest directly (no wrapper), raises the minimum supported Node.js version to 22.18.0, and ships corepack and devEngines support.

### Highlights

- **`vp test` now runs upstream Vitest directly (breaking)**: Vite+ used to ship `@voidzero-dev/vite-plus-test`, a rebundled copy of Vitest that lagged upstream releases. That package is removed; `vp test` now runs the real upstream `vitest`, which is installed automatically as a dependency of `vite-plus` (you no longer add `vitest` or `@vitest/*` yourself, and `vite` still resolves to `@voidzero-dev/vite-plus-core` via package-manager overrides). Your `import ... from 'vite-plus/test'` code keeps working unchanged and `vp migrate` updates existing projects ([#1588](#1588)), by @Brooooooklyn
- **Minimum supported Node.js version raised to `^22.18.0 || >=24.11.0` (breaking)**: Node 20 reached end-of-life and the bundled tsdown already required `^22.18.0`, so the published engines range now matches what `vp pack` can actually deliver; `vp exec` / `vp run` / `vp dlx` reject projects resolving an older Node with the existing incompatibility error ([#1813](#1813)), by @fengmk2
- **Corepack now works under Vite+**: `corepack` is a default `vp env setup` shim, resolved managed-global, then Node-bundled (Node <= 24), then auto-installed (Node 25+, which dropped corepack); `corepack enable` / `disable` land their pnpm/yarn launchers on PATH and Vite+-owned shims are restored if corepack replaces them ([#1808](#1808)), by @fengmk2
- **devEngines support for runtime and package-manager selection**: Vite+ reads `devEngines.runtime` (ranked above `engines.node`) and `devEngines.packageManager`; auto-pin and `vp migrate` write `devEngines.packageManager`, `vp env pin` / `unpin` target `devEngines.runtime`, and `vp env doctor` reports conflicts instead of silently resolving them ([#1760](#1760)), by @fengmk2

### Features

- `vp pm approve-builds`: forward to npm's new `approve-scripts` / `deny-scripts` (npm >= 11.16.0) instead of the previous no-op, matching `pnpm approve-builds` / `bun pm trust`; mixed approve+deny is rejected with actionable guidance and npm's advisory-only caveat is surfaced ([#1733](#1733)), by @fengmk2
- `vp create`: support local monorepo templates declared in `create.templates` in `vite.config.ts`; `vp create vite:generator` scaffolds a Bingo generator and auto-registers it in the picker, replacing the old package.json-keyword inference ([#1777](#1777)), by @fengmk2
- `vp create`: detect direct dependencies whose build scripts the package manager gated (e.g. native builds like `better-sqlite3`) and act on them; prompt to approve each (default off) interactively, point at `vp pm approve-builds` non-interactively, or build them with `--approve-builds` ([#1828](#1828)), by @fengmk2
- `vp config`: add `--no-hooks` and `--no-agent` opt-outs to skip git-hook installation and coding-agent instruction updates ([#1842](#1842)), by @leno23
- `vp list -g`: sort the global package list output so entries appear in a stable order ([#1748](#1748)), by @liangmiQwQ
- Upgrade upstream dependencies: rolldown `1.0.3 -> 1.1.1`, tsdown `0.22.1 -> 0.22.3`, oxlint `1.67.0 -> 1.70.0`, oxfmt `0.52.0 -> 0.55.0`, vitest `4.1.8 -> 4.1.9`, and the oxc toolchain `0.133.0 -> 0.136.0` ([#1749](#1749), [#1767](#1767), [#1812](#1812), [#1834](#1834), [#1855](#1855)), by @voidzero-guard[bot]

### Fixes & Enhancements

- Security: resolve open Rust Dependabot advisories by bumping transitive `openssl` `0.10.76 -> 0.10.80` (`openssl-sys` `0.9.112 -> 0.9.116`), fixing five high-severity rust-openssl issues (buffer overflows in key derivation, AES key wrap, and digest finalization; an unchecked PSK/cookie trampoline length leaking adjacent memory; and OCSP-responder undefined behavior: [GHSA-pqf5-4pqq-29f5](GHSA-pqf5-4pqq-29f5), [GHSA-8c75-8mhr-p7r9](GHSA-8c75-8mhr-p7r9), [GHSA-ghm9-cr32-g9qj](GHSA-ghm9-cr32-g9qj), [GHSA-hppc-g8h3-xhp3](GHSA-hppc-g8h3-xhp3), [GHSA-xp3w-r5p5-63rr](GHSA-xp3w-r5p5-63rr)), and drop the unmaintained, unsound `libyml` ([GHSA-gfxp-f68g-8x78](GHSA-gfxp-f68g-8x78), high) by removing dead `serde_yml` code ([#1742](#1742)), by @fengmk2
- Security (docs site): update `mermaid` `11.13.0 -> 11.15.0` to fix improper `classDef` sanitization in state diagrams that allowed HTML injection ([CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](GHSA-ghcm-xqfw-q4vr), medium severity; `<script>` tags are stripped so it does not reach XSS) ([#1745](#1745)), by @renovate[bot]
- `vp check --fix` / `vp staged`: create/migrate now wrap inline Vite `plugins: [...]` arrays with `lazyPlugins(...)` so plugin factories aren't eagerly executed (and don't hang on open handles) during lint/format/check config loading ([#1752](#1752)), by @jong-kyung
- `vp migrate`: complete pending migration work for projects that already have `vite-plus` installed (scripts, imports, tsconfig types, ESLint/Prettier, legacy hooks, package-manager settings) instead of treating `vite-plus` as migration-complete; fully migrated projects stay idempotent ([#1821](#1821)), by @jong-kyung
- `vp create` / `vp migrate`: detect shorthand `fmt,` / `lint,` config keys so a duplicate inline block is no longer injected ([#1843](#1843)), by @fengmk2
- IDE oxlint/oxfmt wrappers: set `VP_COMMAND` so `lazyPlugins()` skips framework plugins during LSP config reads, preventing a stray `.svelte-kit` (and similar) directory at the monorepo root ([#1764](#1764)), by @jong-kyung
- `vp lint` / `vp run -r lint` on Windows: keep the absolute `tsgolint` path for workspace lint runs instead of downgrading it to a wrong cwd-relative path ([#1758](#1758)), by @semimikoh
- oxlint wrapper: set the `tsgolint` path so type-aware lint resolves it ([#1811](#1811)), by @jong-kyung
- `vp install -g`: use a unique backup directory and treat stale-backup cleanup as best-effort so a locked Windows binary no longer fails an otherwise successful reinstall ([#1753](#1753)), by @fengmk2
- `vp install -g`: remove stale managed binary shims when a reinstalled package drops a bin from its `package.json#bin` ([#1765](#1765)), by @liangmiQwQ
- `vp create --git`: surface git's actual stdout/stderr when the initial commit fails instead of always blaming `user.name` / `user.email` ([#1819](#1819)), by @fengmk2
- `vp create vite:generator`: reject `--git` / `--no-git`, since adding a generator to an existing monorepo does not initialize git ([#1788](#1788)), by @jong-kyung
- Global CLI: harden `find_system_tool` against a self-exec loop (skip the running executable's own bin directory) and fix two `vite_global_cli` tests that could hang ([#1820](#1820)), by @fengmk2
- CLI help: unify alias display ([#1832](#1832)), show supported `run` options ([#1797](#1797)), show `--fail-if-no-match` in `exec` help ([#1798](#1798)), add the `implode` documentation link ([#1796](#1796)), and handle nested-command typo help ([#1803](#1803)), by @jong-kyung

### Docs

- Document `vp create` opt-out options ([#1790](#1790)), by @jong-kyung
- Document `vp upgrade` options ([#1847](#1847)), by @jong-kyung
- Align the config overview with the sidebar ([#1846](#1846)), by @jong-kyung
- Sync the documented command lists with the help output ([#1850](#1850)), by @jong-kyung
- Clarify lazy plugin side effects ([#1841](#1841)), by @leno23
- Add JongKyung's X profile ([#1844](#1844)) and update Christoph's X profile ([#1845](#1845)) on the team page, by @jong-kyung

### Refactor

- Remove the CLI tips system; the shortcuts it printed on `vp install` are already covered by the help system and added unnecessary complexity ([#1799](#1799)), by @cpojer

### Chore

- Re-enable Renovate dependency updates with a targeted ignore-list ([#1744](#1744)), by @fengmk2
- Keep generated NAPI bindings during upgrade-deps ([#1759](#1759)), by @fengmk2
- Remove the `vite_glob` dependency from vite-plus ([#1763](#1763)), by @wan9chi
- Keep `sync-remote` from churning `pnpm-workspace.yaml` (dedupe `minimumReleaseAgeExclude`, preserve comments) ([#1787](#1787)), by @fengmk2
- Make unix `just test` runnable ([#1755](#1755)), by @situ2001
- CI: reuse `just lint` and `just test` as the single source of truth ([#1809](#1809)), pin `cargo-zigbuild` to a git rev to fix the aarch64-musl link failure ([#1815](#1815)), and keep upgrade-deps green when rolldown bumps oxc ([#1833](#1833)), by @fengmk2
- Update Rust to nightly-2026-06-10 ([#1725](#1725)), typos to v1.47.1 / v1.47.2 ([#1772](#1772), [#1775](#1775)), GitHub Actions ([#1778](#1778), [#1829](#1829)), and npm packages ([#1779](#1779)), by @renovate[bot]
- Bump `oxc-project/setup-node` to v1.3.1 ([#1792](#1792)), by @Boshen
- Refresh trusted stack stats on the docs homepage ([#1786](#1786), [#1837](#1837)), by @voidzero-guard[bot]

### Bundled Versions

| Tool | Version | Source |
| --- | --- | --- |
| vite | `8.0.16` | [`f94df87`](vitejs/vite@f94df87) |
| rolldown | `1.1.1` | [`d7f919c`](rolldown/rolldown@d7f919c) |
| tsdown | `0.22.3` | [npm](https://npmx.dev/package/tsdown/v/0.22.3) |
| vitest | `4.1.9` | [npm](https://npmx.dev/package/vitest/v/4.1.9) |
| oxlint | `1.70.0` | [npm](https://npmx.dev/package/oxlint/v/1.70.0) |
| oxlint-tsgolint | `0.23.0` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.23.0) |
| oxfmt | `0.55.0` | [npm](https://npmx.dev/package/oxfmt/v/0.55.0) |

### Upgrading from 0.1.24 to 0.2.0

This release has two breaking changes. For most projects the upgrade is `vp upgrade`, bump the project's `vite-plus`, then `vp migrate`.

#### 1. Update the CLI

```bash
vp upgrade
```

#### 2. Node.js 20 is no longer supported

The minimum supported Node.js version is now `^22.18.0 || >=24.11.0` (Node 20 reached end-of-life). If you are still on Node 20:

- Check your version: `node --version` (or `vp env doctor`)
- Move to a supported release: `vp env pin 22.18.0` (or a newer LTS), or update your `.node-version` / `devEngines.runtime`

`vp exec` / `vp run` / `vp dlx` now refuse to run against a project that resolves Node < 22.18.0.

#### 3. Vitest is now upstream (the wrapper is gone)

`@voidzero-dev/vite-plus-test` has been removed; Vite+ consumes upstream `vitest` directly. Bump `vite-plus` first, then migrate:

```bash
vp update vite-plus --latest   # project's vite-plus -> 0.2.0 (ignores the old range, updates the lockfile); monorepo: add -r
vp migrate                     # local vite-plus is now 0.2.0, so the new migration runs
```

`vp update --latest` re-resolves `vite-plus` to the newest release regardless of the old semver range, so the lockfile cannot pin you back to 0.1.24. The project's local `vite-plus` is then 0.2.0, and since the global `vp` delegates `migrate` to the project's local install, `vp migrate` runs the new migration.

- Your `import { vi, ... } from 'vite-plus/test'` code is unchanged. `vp migrate` rewrites any leftover `vitest` / `@vitest/*` imports and normalizes stale `vitest: npm:@voidzero-dev/vite-plus-test@*` aliases.
- You no longer add `vitest` or `@vitest/*` yourself; they arrive transitively through `vite-plus`.

### New Contributors

Welcome to our new contributor @situ2001! 🎉

**Full Changelog**: v0.1.24...v0.2.0

---

Merging this PR will trigger the release workflow.

---------

Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>
This PR contains the following updates:
^0.42.1 → ^0.43.0, 7.28.5 → 7.29.7, 1.9.1 → 1.9.2, 1.4.0 → 1.4.1, 5.0.0 → 5.0.1, 3.1.0 → 3.1.2, =1.61.0 → =1.68.0, 29.0.0 → 29.0.3, 7.0.0-dev.20260122.2 → 7.0.0-dev.20260605.1, 4.8.3 → 4.8.4, 3.1.4 → 3.1.5, 0.9.2 → 0.9.3, ^0.7.0 → ^0.9.0, ^0.1.3 → ^0.2.0, 11.3.2 → 11.3.5, 13.0.0 → 13.0.6, 10.2.4 → 10.2.5, 11.7.5 → 11.7.6, 2.1.1 → 2.1.2, 7.1.0 → 7.2.0, 2.3.0 → 2.3.1, 1.57.0 → 1.60.0, 19.2.0 → 19.2.7, 19.2.0 → 19.2.7, 2.9.2 → 2.9.9, 2.34.1 → 2.37.0, 4.60.4 → 4.61.1, 7.8.1 → 7.8.2, 2.2.0 → 2.2.1, 4.0.0 → 4.1.0, 4.2.1 → 4.3.0, 6.0.0 → 6.0.2, 6.0.2 → 6.0.3, 2.0.0-alpha.15 → 2.0.0-alpha.17, 1.12.2 → 1.13.1, 3.5.30 → 3.5.35, ^0.16.0 → ^0.17.0, 4.3.5 → 4.4.3
Release Notes
ast-grep/ast-grep (@ast-grep/napi)
v0.43.0
v0.42.3
v0.42.2
babel/babel (@babel/preset-typescript)
v7.29.7
v7.29.7 (2026-05-25)
Re-release all packages with npm provenance attestations
teimurjan/blazediff (@blazediff/core)
v1.9.2
Patch Changes
f0c3b78: Speed up core with single pass on no output
bombshell-dev/clack (@clack/core)
v1.4.1
Patch Changes
2356e97 Thanks @43081j! - Remove sourcemaps and enable pretty-ish build output.
rollup/plugins (@rollup/plugin-commonjs)
v29.0.3
2026-05-29
Bugfixes
v29.0.2
2026-03-06
Bugfixes
v29.0.1
2026-03-05
Bugfixes
microsoft/typescript-go (@typescript/native-preview)
Configuration
📅 Schedule: (in timezone Asia/Shanghai)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.