chore: vp migrate beta test #9
Code Review
This pull request integrates Vite+ into the project by adding an AGENTS.md guide, updating code examples in CHANGELOG.md to use single quotes, adding a prepare script, and updating dependencies in package.json. Feedback on these changes highlights two key issues: first, setting a global third-party registry bridge in .npmrc poses security and reliability risks; second, pinning dependencies to commit-specific versions is highly fragile because these builds can be pruned, potentially causing future installation failures.
| # pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh) | ||
| registry=https://pkg-pr-registry-bridge.void.app/ |
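Review bot: The `registry=` key on the second line is unscoped, so it replaces the default registry for every package this project installs, not only the pre-release builds the comment line refers to. The comment line also says the entry was added by test-pkg-pr-new-migrate.sh, which reads like a test-run artifact; if it is meant to stay, state that in the PR description and narrow it, otherwise drop it before merge.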
Setting the global registry to https://pkg-pr-registry-bridge.void.app/ in .npmrc routes all package installations through a third-party bridge. While useful for testing pre-releases via pkg.pr.new, committing this globally can introduce security risks (such as dependency hijacking or registry compromise) and reliability/performance issues for other contributors or CI/CD pipelines. Consider scoping this registry to specific packages/scopes if possible, or ensure this file is not committed to the main branch.
| "vite": "npm:@voidzero-dev/vite-plus-core@0.0.0-commit.1318359eba93dfc997012ce2801f02fbe5534902", | ||
| "vite-plus": "0.0.0-commit.1318359eba93dfc997012ce2801f02fbe5534902" |
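Review bot: The `vite` entry is an `npm:` alias, so the name `vite` installs `@voidzero-dev/vite-plus-core` rather than the package published under that name, and nothing in these lines tells a reader that. Note the substitution somewhere contributors will see it, and since both entries repeat the same 40-character commit hash by hand, document that they have to be bumped together.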
Pinning vite and vite-plus to a specific commit-based version (0.0.0-commit.1318359eba93dfc997012ce2801f02fbe5534902) is highly fragile. Registries like pkg.pr.new often prune old commit-specific builds over time. Once pruned, anyone attempting to install dependencies for this project in the future will encounter installation failures. For a stable configuration, consider using a tagged pre-release version (e.g., alpha, beta, or canary) or a standard semver range once available.
No description provided.
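A pre-merge check for the two patterns raised in the review comments above (an unscoped `registry=` override in `.npmrc`, and dependencies pinned to `0.0.0-commit.<sha>` builds), as an added example that is not part of this pull request or the project. The function names, the allow-list default, the `devDependencies` placement and the extra sample lines are assumptions; the sample inputs are constructed from the lines quoted on this page.

```javascript
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Return unscoped `registry=` entries that point away from the allowed registries.
function findGlobalRegistryOverrides(npmrcText, allowed = [DEFAULT_REGISTRY]) {
  const findings = [];
  npmrcText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // .npmrc is ini-style: '#' and ';' start comment lines.
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    // "@scope:registry" only affects one scope; the bare key affects every package.
    if (key !== 'registry') return;
    const normalized = value.endsWith('/') ? value : value + '/';
    if (!allowed.includes(normalized)) findings.push({ line: i + 1, registry: value });
  });
  return findings;
}

// Return dependencies whose spec is a commit-stamped build, including npm: aliases.
function findCommitPinnedDeps(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== 'string') continue;
      const m = /(?:^|@)0\.0\.0-commit\.([0-9a-f]{40})$/.exec(spec);
      if (m) findings.push({ field, name, commit: m[1], aliased: spec.startsWith('npm:') });
    }
  }
  return findings;
}

// Constructed sample inputs mirroring the lines quoted in this review.
const SAMPLE_NPMRC = [
  '# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)',
  'registry=https://pkg-pr-registry-bridge.void.app/',
  '@example:registry=https://npm.example.invalid/', // scoped entry, not flagged
].join('\n');
const SHA = '1318359eba93dfc997012ce2801f02fbe5534902';
const SAMPLE_PKG = JSON.stringify({
  devDependencies: {
    vite: `npm:@voidzero-dev/vite-plus-core@0.0.0-commit.${SHA}`,
    'vite-plus': `0.0.0-commit.${SHA}`,
    typescript: '^5.4.0', // ordinary semver range, not flagged
  },
});
```

Run in CI against the committed `.npmrc` and `package.json` contents, failing the job when either function returns a non-empty list.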