Skip to content

vp migrate beta test#4

Draft
fengmk2 wants to merge 1 commit into
mainfrom
vp-migrate-test
Draft

vp migrate beta test#4
fengmk2 wants to merge 1 commit into
mainfrom
vp-migrate-test

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

No description provided.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a custom registry bridge in .npmrc, updates devDependencies in package.json, and modifies pnpm-workspace.yaml by commenting out the trustPolicy: no-downgrade setting and pinning catalog dependencies to transient commit-based versions. Feedback highlights security and stability concerns, specifically advising against committing the custom registry bridge, disabling downgrade protection, and using transient commit-based versions for catalog dependencies.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .npmrc
Comment on lines +1 to +2
# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)
registry=https://pkg-pr-registry-bridge.void.app/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The .npmrc file contains a custom registry bridge that was automatically added by test-pkg-pr-new-migrate.sh. Committing this file will force all developers and CI environments to route package installations through this bridge, which can lead to security concerns (e.g., dependency hijacking) or build failures if the bridge is offline. This file should be removed from the PR and added to .gitignore if it is generated during local testing.

Comment thread pnpm-workspace.yaml

verifyDepsBeforeRun: install
trustPolicy: no-downgrade
# trustPolicy: no-downgrade

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-medium medium

Commenting out trustPolicy: no-downgrade disables downgrade protection in pnpm. This can expose the project to security risks such as dependency downgrade attacks or accidental installation of older, vulnerable versions of packages. If this was done temporarily for testing, please revert it before merging.

trustPolicy: no-downgrade

Comment thread pnpm-workspace.yaml
Comment on lines +16 to +18
vite: npm:@voidzero-dev/vite-plus-core@0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442
vitest: 4.1.9
vite-plus: 0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Pinning catalog dependencies to a specific transient commit-based version (0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442) is risky for main branch stability. These temporary packages are often pruned or deleted from registries, which would break future installations. Consider using a stable version or a proper pre-release tag (e.g., beta or alpha) instead of a specific commit hash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant