vp migrate beta test #5

Draft: fengmk2 wants to merge 2 commits into main from vp-migrate-test

fengmk2 (Owner) commented Jun 27, 2026

No description provided.

gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces configuration files for Vite+ integration, including VS Code settings, a local registry bridge in .npmrc, and documentation in AGENTS.md. It also updates dependency catalogs in package.json and pnpm-workspace.yaml. However, two critical issues were identified: overriding the global registry in .npmrc to a third-party bridge poses a security risk, and the specified vitest version 4.1.9 in pnpm-workspace.yaml does not exist on the npm registry, which will cause installation failures.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .npmrc
Comment on lines +1 to +2
# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)
registry=https://pkg-pr-registry-bridge.render.vip/
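
Review bot: the comment on line 1 names the script that wrote this entry but not which packages need the bridge or when the entry should be removed, and line 2 sets the unscoped `registry` key. State in the comment which package names are served by the bridge and that the entry is test-only, so the override is not carried into a merge unnoticed.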

security-high high

Overriding the global registry in .npmrc to a third-party bridge (https://pkg-pr-registry-bridge.render.vip/) routes all package installations (including public dependencies like react, typescript, zod, etc.) through this endpoint. This poses a significant security risk (potential MITM or dependency hijacking) and can cause performance/reliability issues if the bridge goes down.

If this bridge is only needed for @voidzero-dev packages, consider scoping it instead. If it is also needed for the unscoped vite-plus package, please ensure this temporary configuration is not merged into the main production branch.

# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)
@voidzero-dev:registry=https://pkg-pr-registry-bridge.render.vip/
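
The difference between the unscoped and the scoped form can be enforced as a pre-merge check. The following is an added example, not code from this pull request or from the review bot; the function name `auditNpmrc`, the severity labels and the allow-list of registry hosts are assumptions made for illustration.

```javascript
// Added example: flag registry overrides in .npmrc text.
// ALLOWED_HOSTS is an assumed policy (npm's public registry only).
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

function auditNpmrc(text, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // .npmrc comments start with '#' or ';'.
    if (!line || line.startsWith("#") || line.startsWith(";")) return;
    const eq = line.indexOf("=");
    if (eq === -1) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    // "registry" is the global key; "@scope:registry" applies to one scope.
    const m = /^(?:(@[^:]+):)?registry$/.exec(key);
    if (!m) return;
    const scope = m[1] || null;
    const add = (severity, reason) =>
      findings.push({ line: i + 1, scope, severity, reason });
    let url;
    try {
      url = new URL(value);
    } catch {
      add("high", "registry value is not a URL");
      return;
    }
    if (url.protocol !== "https:") add("high", "registry is not HTTPS");
    if (allowedHosts.has(url.hostname)) return;
    if (scope) add("info", `scope ${scope} resolves from ${url.hostname}`);
    else add("high", `all packages resolve from ${url.hostname}`);
  });
  return findings;
}

// The two variants shown in the review thread above.
const GLOBAL_OVERRIDE = [
  "# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)",
  "registry=https://pkg-pr-registry-bridge.render.vip/",
].join("\n");
const SCOPED_OVERRIDE = [
  "# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)",
  "@voidzero-dev:registry=https://pkg-pr-registry-bridge.render.vip/",
].join("\n");

console.log(auditNpmrc(GLOBAL_OVERRIDE));
console.log(auditNpmrc(SCOPED_OVERRIDE));
```

A CI job can fail the build on any `high` finding and surface `info` findings for review.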

Comment thread pnpm-workspace.yaml
vitest: npm:@voidzero-dev/vite-plus-test@latest
vite: npm:@voidzero-dev/vite-plus-core@0.0.0-commit.d5c8d9e163733881a841c16ca1778868d65fe7ef
vite-plus: 0.0.0-commit.d5c8d9e163733881a841c16ca1778868d65fe7ef
vitest: 4.1.9
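
Review bot: `vitest` is keyed twice in this region, on the first line as `npm:@voidzero-dev/vite-plus-test@latest` and on the last line as `4.1.9`, and the +/- markers are not visible in this view. If the first line is still present after the change, it is a duplicate key and a floating `latest` tag sitting next to two entries pinned to a `0.0.0-commit.*` version; keep a single `vitest` entry and pin it the same way as `vite` and `vite-plus`.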

high

The version 4.1.9 for vitest does not exist on the npm registry (the current major version of Vitest is 3.x). This will cause installation failures during pnpm install.

If you intended to use the vite-plus test package (as was previously configured with npm:@voidzero-dev/vite-plus-test@latest), you should point it to the corresponding commit-specific version, or use a valid Vitest version (e.g., 3.0.5 or 2.1.9).

  vitest: npm:@voidzero-dev/vite-plus-test@0.0.0-commit.d5c8d9e163733881a841c16ca1778868d65fe7ef

@github-actions

🤖 Build Bot

✅ Successful build

⬇️ Download: notero-1.2.4-11
