vp migrate beta test #4
Code Review
This pull request introduces a custom registry bridge in .npmrc, updates devDependencies in package.json, and modifies pnpm-workspace.yaml by commenting out the trustPolicy: no-downgrade setting and pinning catalog dependencies to transient commit-based versions. Feedback highlights security and stability concerns, specifically advising against committing the custom registry bridge, disabling downgrade protection, and using transient commit-based versions for catalog dependencies.
| # pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh) | ||
| registry=https://pkg-pr-registry-bridge.void.app/ |
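Review bot: the `registry=` line is unscoped, so it routes every package in the workspace through pkg-pr-registry-bridge.void.app, not only the pkg.pr.new builds it was added for. If a bridge is needed for local testing at all, scope it to the packages it actually serves (for example `@voidzero-dev:registry=https://pkg-pr-registry-bridge.void.app/`) and keep it in a per-user or ignored .npmrc so a committed file never redirects CI or other developers to a third-party host.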
The .npmrc file contains a custom registry bridge that was automatically added by test-pkg-pr-new-migrate.sh. Committing this file will force all developers and CI environments to route package installations through this bridge, which can lead to security concerns (e.g., dependency hijacking) or build failures if the bridge is offline. This file should be removed from the PR and added to .gitignore if it is generated during local testing.
| verifyDepsBeforeRun: install | ||
| trustPolicy: no-downgrade | ||
| # trustPolicy: no-downgrade |
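Review bot: commenting out `trustPolicy: no-downgrade` is very likely what lets the `0.0.0-commit.*` catalog versions in this same PR install, since a 0.0.0 pre-release sorts below any released version and would read as a downgrade to the policy. That couples this line to the catalog pins: rather than relaxing the policy on the main branch, keep it enabled and test the pre-release build on a branch that is not merged. If the setting really has to change, replace the commented-out line with a short comment saying why, and say so in the PR description, which is currently empty.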
Commenting out trustPolicy: no-downgrade disables downgrade protection in pnpm. This can expose the project to security risks such as dependency downgrade attacks or accidental installation of older, vulnerable versions of packages. If this was done temporarily for testing, please revert it before merging.
trustPolicy: no-downgrade| vite: npm:@voidzero-dev/vite-plus-core@0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442 | ||
| vitest: 4.1.9 | ||
| vite-plus: 0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442 |
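Review bot: besides the commit pin, `vite` is now an alias to a different package (`npm:@voidzero-dev/vite-plus-core@...`) rather than the vite package itself, so every workspace member that depends on `vite` silently receives something else; that substitution should be stated explicitly in the PR description. The same commit hash is also repeated by hand for `vite` and `vite-plus`, so if a pre-release must be used, point both at one published pre-release tag rather than two copied hashes that can drift apart.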
Pinning catalog dependencies to a specific transient commit-based version (0.0.0-commit.333e612a4d9d966e79724c336ba7bf422f79b442) is risky for main branch stability. These temporary packages are often pruned or deleted from registries, which would break future installations. Consider using a stable version or a proper pre-release tag (e.g., beta or alpha) instead of a specific commit hash.
No description provided.