Update vite versions#218

Merged
lucperkins merged 3 commits into main from fix-js-vuln
Nov 7, 2025

@lucperkins lucperkins commented Nov 7, 2025

Fixes a Dependabot issue

Summary by CodeRabbit

  • Chores
    • Optimized build tool dependency management to ensure compatibility and stability across different development environments.

coderabbitai bot commented Nov 7, 2025

Warning

Rate limit exceeded

@lucperkins has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 9 minutes and 1 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between e623f0d and 2d794d0.

⛔ Files ignored due to path filters (2)
  • dist/index.js is excluded by !**/dist/**
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml (1 hunks)

Walkthrough

Modifies pnpm-workspace.yaml to introduce vite version overrides, constraining vite installations to specific minimum versions (>=7.1.11 for versions 7.1.0-7.1.10, and >=7.1.5 for versions 7.1.0-7.1.4) to address compatibility or stability issues.

Changes

Cohort / File(s) | Change Summary
Vite version constraint overrides (pnpm-workspace.yaml) | Added vite version overrides in pnpm workspace configuration to enforce minimum version requirements: vite@>=7.1.0 <7.1.11 now resolves to >=7.1.11, and vite@>=7.1.0 <7.1.5 now resolves to >=7.1.5

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • grahamc

Poem

🐰 A hoppy fix for versions too,
Vite constraints, through and through!
Seven-point-one, now locked up tight,
Dependency chaos—gone from sight! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Update vite versions' accurately summarizes the main change - introducing version overrides for vite in pnpm-workspace.yaml to address security vulnerabilities.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
pnpm-workspace.yaml (1)

1-3: Restructure overlapping version ranges to follow pnpm best practices.

pnpm documentation explicitly advises to "avoid overlapping version ranges" and recommends explicitly excluding sub-ranges from broader ranges when specialization is needed. The current configuration violates this: both vite@>=7.1.0 <=7.1.10 and vite@>=7.1.0 <=7.1.4 match versions 7.1.0–7.1.4, creating ambiguity.

The intent is clear: vite >=7.1.0 and <7.1.11 contains CVE-2025-62522 (fixed in 7.1.11), and earlier 7.1.x releases contain additional issues fixed in 7.1.5. However, line 3 becomes dead code because line 2 already forces >=7.1.11 (which exceeds the 7.1.5 target in line 3).

Restructure to use non-overlapping ranges:

overrides:
  vite@>=7.1.5 <=7.1.10: '>=7.1.11'
  vite@>=7.1.0 <=7.1.4: '>=7.1.5'

This ensures each range is mutually exclusive and both vulnerability fixes apply correctly.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ab3e850 and e623f0d.

📒 Files selected for processing (1)
  • pnpm-workspace.yaml (1 hunks)
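
An added example, not part of this PR, of pnpm, or of CodeRabbit: a check for the overlap the review comment above describes, reporting override selectors for the same package whose version ranges intersect. It assumes selectors made only of space-separated comparators over plain x.y.z versions; `findOverlaps` and its helpers are hypothetical names.

```javascript
// Added example: flag pnpm override selectors whose version ranges intersect.
// Handles only space-separated comparators (>=, >, <=, <, =) on x.y.z versions
// and treats the version line as continuous, so it errs toward reporting.
const parseVersion = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};
// Narrow one bound of a range if (v, inc) is stricter than the current one.
function tighten(r, side, v, inc) {
  const c = cmp(v, r[side]) * (side === 'lo' ? 1 : -1);
  if (c > 0 || (c === 0 && !inc)) { r[side] = v; r[side + 'Inc'] = inc; }
}
// "vite@>=7.1.0 <=7.1.4" -> { key, name, lo, loInc, hi, hiInc }
function parseSelector(key) {
  const at = key.lastIndexOf('@'); // > 0 also copes with "@scope/pkg@range"
  const r = { key, name: at > 0 ? key.slice(0, at) : key,
    lo: [0, 0, 0], loInc: true, hi: [Infinity, 0, 0], hiInc: true };
  for (const part of (at > 0 ? key.slice(at + 1) : '').split(/\s+/).filter(Boolean)) {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(part);
    if (!m) throw new Error(`unsupported comparator: ${part}`);
    const op = m[1] || '=', v = parseVersion(m[2]);
    if (op !== '<' && op !== '<=') tighten(r, 'lo', v, op !== '>');
    if (op !== '>' && op !== '>=') tighten(r, 'hi', v, op !== '<');
  }
  return r;
}
// Two ranges intersect when their combined bounds still admit a version.
function intersects(a, b) {
  const m = { ...a };
  tighten(m, 'lo', b.lo, b.loInc);
  tighten(m, 'hi', b.hi, b.hiInc);
  const c = cmp(m.lo, m.hi);
  return c < 0 || (c === 0 && m.loInc && m.hiInc);
}
function findOverlaps(overrides) {
  const sels = Object.keys(overrides).map(parseSelector);
  const pairs = [];
  for (let i = 0; i < sels.length; i++)
    for (let j = i + 1; j < sels.length; j++)
      if (sels[i].name === sels[j].name && intersects(sels[i], sels[j]))
        pairs.push([sels[i].key, sels[j].key]);
  return pairs;
}
// Selectors as quoted in the review comment above.
const asDescribed = { 'vite@>=7.1.0 <=7.1.10': '>=7.1.11', 'vite@>=7.1.0 <=7.1.4': '>=7.1.5' };
const asSuggested = { 'vite@>=7.1.5 <=7.1.10': '>=7.1.11', 'vite@>=7.1.0 <=7.1.4': '>=7.1.5' };
console.log(findOverlaps(asDescribed)); // one overlapping pair
console.log(findOverlaps(asSuggested)); // no overlaps
```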

@lucperkins lucperkins enabled auto-merge November 7, 2025 15:59
@lucperkins lucperkins merged commit 8bb6def into main Nov 7, 2025
3 checks passed
@lucperkins lucperkins deleted the fix-js-vuln branch November 7, 2025 16:01