Vp migrate test#9
Conversation
commit: |
There was a problem hiding this comment.
Code Review
This pull request integrates the Vite+ toolchain into the workspace by updating dependency catalogs, adding VS Code configurations, and introducing a custom registry bridge. The review feedback highlights several critical issues: configuring a global custom registry bridge poses security risks, disabling the trustPolicy: no-downgrade policy weakens protection against downgrade attacks, and pinning catalog dependencies to volatile commit-based pre-release versions may lead to future installation failures.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| @@ -0,0 +1,2 @@ | |||
| # pkg.pr.new registry bridge (added by test-pkg-pr-new-migrate.sh) | |||
| registry=https://pkg-pr-registry-bridge.void.app/ | |||
There was a problem hiding this comment.
Configuring the global registry to a custom bridge routes all package installation requests (including public npm packages) through a third-party service. This introduces security risks such as dependency hijacking, credential leakage, and potential service availability issues. If this registry is only required for specific scoped packages, scope the registry configuration instead of applying it globally.
| ignoreWorkspaceRootCheck: true | ||
| shellEmulator: true | ||
| trustPolicy: no-downgrade | ||
| # trustPolicy: no-downgrade |
There was a problem hiding this comment.
No description provided.