Skip to content

vp migrate beta test#8

Draft
fengmk2 wants to merge 1 commit into
mainfrom
vp-migrate-test
Draft

vp migrate beta test#8
fengmk2 wants to merge 1 commit into
mainfrom
vp-migrate-test

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jun 29, 2026

Copy link
Copy Markdown
Owner

No description provided.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request migrates the workspace to use vite-plus and configures a shared dependency catalog in pnpm-workspace.yaml. It updates test scripts, configuration files, and test imports across multiple packages to use vite-plus instead of vitest. The primary feedback concerns a security risk in .npmrc, where overriding the global registry to a temporary bridge could expose the project to dependency confusion; using a scoped registry configuration is recommended instead.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .npmrc
Comment on lines +4 to +5
# pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh)
registry=https://pkg-pr-registry-bridge.void.app/

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Overriding the global registry to a temporary/test registry bridge (https://pkg-pr-registry-bridge.void.app/) routes all package installations through this third-party service. This poses security risks (such as dependency confusion) and potential reliability/performance issues for public packages. If this registry is only needed for specific scoped packages (like @voidzero-dev), consider using a scoped registry configuration instead: @voidzero-dev:registry=https://pkg-pr-registry-bridge.void.app/. If unscoped packages like vite-plus also need to be fetched from this registry, ensure this override is temporary and removed before merging to production/main branches.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant