Skip to content

feat(deps): upgrade upstream dependencies#1989

Merged
fengmk2 merged 14 commits into
mainfrom
deps/upstream-update
Jun 30, 2026
Merged

feat(deps): upgrade upstream dependencies#1989
fengmk2 merged 14 commits into
mainfrom
deps/upstream-update

Conversation

@voidzero-guard

Copy link
Copy Markdown
Contributor

Summary

  • Automated upgrade of upstream dependencies.
  • Bumps rolldown to v1.1.3 (e0d0b1b -> e77f7c7) and the oxc toolchain (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, oxc-*/@oxc-project/* 0.137.0 -> 0.138.0).
  • Bumps build-tooling catalog deps @napi-rs/wasm-runtime and rolldown-plugin-dts.
  • Regenerates the NAPI bindings to match the new rolldown; no hand-written code changes.

Dependency updates

Package From To
rolldown e0d0b1b v1.1.3 (e77f7c7)
oxfmt 0.56.0 0.57.0
oxlint 1.71.0 1.72.0
@oxc-project/runtime 0.137.0 0.138.0
@oxc-project/types 0.137.0 0.138.0
oxc-minify 0.137.0 0.138.0
oxc-parser 0.137.0 0.138.0
oxc-transform 0.137.0 0.138.0
@napi-rs/wasm-runtime ^1.1.5 ^1.1.6
rolldown-plugin-dts ^0.25.2 ^0.26.0

Code changes

  • Regenerated NAPI bindings (packages/cli/binding/index.d.cts): added onAdditionalAssets to BindingDevOptions; removed BindingViteBuildImportAnalysisPluginV2Config and the isEnableV2 field.
  • Updated bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json).
  • Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to minimumReleaseAgeExclude (pnpm-workspace.yaml).
  • Lockfile and upstream-version metadata updates (Cargo.lock, pnpm-lock.yaml, packages/tools/.upstream-versions.json).

Build status

  • sync-remote-and-build: success
  • build-upstream: success

- rolldown: e0d0b1b -> v1.1.3 (e77f7c7)
- oxfmt: 0.56.0 -> 0.57.0
- oxlint: 1.71.0 -> 1.72.0
- @oxc-project/runtime: 0.137.0 -> 0.138.0
- @oxc-project/types: 0.137.0 -> 0.138.0
- oxc-minify: 0.137.0 -> 0.138.0
- oxc-parser: 0.137.0 -> 0.138.0
- oxc-transform: 0.137.0 -> 0.138.0
- @napi-rs/wasm-runtime: ^1.1.5 -> ^1.1.6
- rolldown-plugin-dts: ^0.25.2 -> ^0.26.0

Code changes:
- Regenerated NAPI bindings: added onAdditionalAssets to BindingDevOptions,
  dropped BindingViteBuildImportAnalysisPluginV2Config and isEnableV2
  (packages/cli/binding/index.d.cts)
- Bumped bundledVersions.rolldown 1.1.2 -> 1.1.3 (packages/core/package.json)
- Added vitepress-plugin-feedback-tracker@0.2.0-alpha.1 to
  minimumReleaseAgeExclude (pnpm-workspace.yaml)
@netlify

netlify Bot commented Jun 30, 2026

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit b52764b
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a43e89994275c000830eb13

@socket-security

socket-security Bot commented Jun 30, 2026

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jun 30, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.57.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm oxfmt is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/oxfmt@0.57.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/oxfmt@0.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@fengmk2 fengmk2 self-assigned this Jun 30, 2026
@fengmk2

fengmk2 commented Jun 30, 2026

Copy link
Copy Markdown
Member

CI failure root-cause analysis (updated)

main's E2E workflow is green, so all failures here are introduced by this bump (oxlint 1.71.0 -> 1.72.0, oxfmt 0.56.0 -> 0.57.0, rolldown 1.1.2 -> 1.1.3). 5 failures, 4 root causes. All are now fixed or worked around.

1. CLI snap test (1/3) + CLI E2E (Linux x64 musl): FIXED (781ca2b)

Both failed on a one-byte diff in packages/cli/snap-tests/check-oxlint-env/snap.txt: the error text is identical, only a trailing newline was added. oxlint 1.72.0 now emits a trailing \n on the tsgolint-not-found error; the committed snapshot ended without one. Regenerated the snapshot (the new blob hash matches exactly what CI expected).

2. bun-vite-template E2E (ubuntu + windows): worked around (d250225)

vp fmt now errors: Syntax error: expect token \{`, but found `(`onsrc/components/Welcome/Welcome.module.cssat@media (max-width: $mantine-breakpoint-md). oxfmt 0.57.0 swapped its CSS formatter onto the new oxc-css-parser (oxc-project/oxc#23920), which rejects mantine's postcss-simple-vars syntax in CSS Modules that 0.56.0 accepted. Temporarily tolerated (vp fmt || true`) with a FIXME until postcss-simple-vars is supported.

3. dify E2E: FIXED (b365d0e)

Two layers here. First it hit ERR_PNPM_NO_MATURE_MATCHING_VERSION (@oxlint/migrate@1.72.0 published ~1h47m before the run, inside pnpm's 24h minimumReleaseAge), so I set pnpm_config_minimum_release_age=0 on the migrate step (ac2cd17). That made it worse: dify then crashed with ERR_PNPM_RESOLUTION_POLICY_VIOLATIONS_UNHANDLED (43 violations).

Root cause: dify sets resolutionMode: time-based, and ecosystem-ci/patch-project.ts deliberately removes dify's minimumReleaseAge: key to keep pnpm's resolution policy inactive. Defining pnpm_config_minimum_release_age (even as 0, and verified even as empty '') re-activates that policy, defeating the patch. The local file: tgz overrides have no publish timestamp so they produce violations, and vp's bundled pnpm has no handleResolutionPolicyViolations callback, so it aborts.

Fix: export the gate-disabling var only for non-dify projects (the var must be fully unset, not empty, for dify; dify relies on its key-removal patch instead). Reproduced the whole dify E2E locally: with the var set it crashes; with the fix, migrate + install, vp run type-check, vp run build, and the targeted tests (41 passed) all pass.

4. Security Analysis: FIXED (243bcd0)

Not a deny.toml / serde_yml issue. The actual failure is error[unsound]: RUSTSEC-2026-0190, an unsoundness in anyhow 1.0.102's Error::downcast_mut(). The serde_yml advisory-not-detected line is only a warning and does not fail the check (verified locally: "advisories ok" with that warning present). Fixed by updating anyhow 1.0.102 -> 1.0.103; cargo-deny advisories then pass.

5. vinext E2E: worked around (e411edf), needs upstream rolldown fix

Not a flake or timeout. The suite finished 6956 passed | 31 skipped; one test file (ecosystem fixture dev servers) failed because every fixture's vite.config.ts failed to load with:

SyntaxError: Export 'aBeeZee' is not defined in module

Root cause: vinext's fallback-metrics.ts does import data from "./fallback-metrics-data.json" (keys like aBeeZee). Under preserveModules, rolldown 1.1.3 now emits named exports for each JSON key (export { aBeeZee, Abel, ... }) without declaring those bindings, so Node's ESM linker fails when the built vinext module is loaded.

Reproduced minimally (rolldown 1.1.2 links fine; 1.1.3 throws): filed rolldown/rolldown#10020 with a minimal repro. Introduced by rolldown PR rolldown/rolldown#9934 ("preserve used re-exports under preserveModules", in 1.1.3), which emits each preserved module's full declared interface. This is a rolldown bug, not a vinext bug: vinext's latest main commit still has the same JSON import, and no consumer-project change fixes a bundler bug. Temporarily tolerated (vp run test || true) with a FIXME; drop the || true once a fixed rolldown ships.

Status

Relevant upstream links

fengmk2 added 4 commits June 30, 2026 10:46
anyhow 1.0.102 has an unsoundness in Error::downcast_mut() (RUSTSEC-2026-0190),
which fails the Security Analysis cargo-deny advisories check. Fixed in 1.0.103.
oxfmt 0.57.0 (oxc-css-parser, oxc-project/oxc#23920) rejects mantine's
postcss-simple-vars syntax in CSS Modules. Allow vp fmt to fail until
postcss-simple-vars is supported.
E2E intentionally installs just-published toolchain packages (e.g.
@oxlint/migrate during vp migrate). Set pnpm_config_minimum_release_age=0
so a same-day publish does not fail with ERR_PNPM_NO_MATURE_MATCHING_VERSION
(seen on the dify migrate).
@fengmk2

fengmk2 commented Jun 30, 2026

Copy link
Copy Markdown
Member

rolldown/rolldown#10020

fengmk2 added 9 commits June 30, 2026 20:57
rolldown 1.1.3 emits undeclared named exports for default-imported JSON
modules under preserveModules (rolldown/rolldown#10020), breaking vinext's
ecosystem fixture dev servers. Allow vp run test to fail until rolldown
ships a fix.
The dify project uses resolutionMode: time-based and patch-project.ts
removes its minimumReleaseAge key to keep pnpm's resolution policy
inactive. Defining pnpm_config_minimum_release_age (even as 0 or empty)
re-activates that policy, and vp's bundled pnpm has no
handleResolutionPolicyViolations callback, so the local file: tgz
overrides crash it with ERR_PNPM_RESOLUTION_POLICY_VIOLATIONS_UNHANDLED.

Export the gate-disabling var only for non-dify projects, which still
need it to avoid ERR_PNPM_NO_MATURE_MATCHING_VERSION on same-day
publishes.
The tracking issue for the oxfmt postcss-simple-vars regression is
oxc-project/oxc#23969 (a maintainer is planning the fix); previously the
comment linked oxc#23920, the parser-switch PR that caused it. Watch
#23969 to drop the `vp fmt || true`.
dify was stuck between two failures: with pnpm_config_minimum_release_age
set, vp migrate's auto-install crashed
(ERR_PNPM_RESOLUTION_POLICY_VIOLATIONS_UNHANDLED, from resolutionMode:
time-based + local file: tgz overrides); with it unset, vp migrate's
@oxlint/migrate dlx failed on a same-day publish
(ERR_PNPM_NO_MATURE_MATCHING_VERSION).

Resolve both: patch-project.ts sets the gate var only on dify's vp migrate
subprocess (so the dlx installs the fresh toolchain package) and tolerates
the auto-install crash, since migrate still emits the config and import
rewrites. The workflow's follow-up vp install runs without the var, so
dify's resolution policy stays inactive and the real install succeeds.

Verified locally end to end: migrate + install, type-check, build, and the
targeted tests all pass.
Collapse the if/else (which copied the full execSync invocation into both
branches) into a single call: set the dify-only gate var conditionally, run
migrate once, and gate only the try/catch on dify (rethrowing for other
projects). Behavior unchanged.
…w conditional

The gate only matters for vp migrate's @oxlint/migrate dlx, which runs
inside patch-project.ts, so set it on the migrate subprocess env for all
projects and remove the workflow's dify name-check. dify still tolerates
the resulting auto-install crash; the follow-up vp install runs without
the gate so dify's time-based resolution policy stays inactive.

Also add the curly braces the lint config requires on the dify rethrow.
…-age gate

Moving the gate handling fully into the script (per review) dropped the
disabled gate from the workflow's standalone vp install, so viteplus-ws-repro
failed its lockfile supply-chain check
(ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION) on the freshly published bumped
deps. Run vp install from patch-project.ts instead, disabling the gate for
every project except dify (whose time-based policy would crash vp's bundled
pnpm; its workspace key is already removed so the policy stays inactive
without the var). The workflow step is now a single script invocation.

Verified locally: viteplus-ws-repro and dify both install cleanly.
@fengmk2 fengmk2 merged commit 3d49d4d into main Jun 30, 2026
93 checks passed
@fengmk2 fengmk2 deleted the deps/upstream-update branch June 30, 2026 16:36
fengmk2 added a commit that referenced this pull request Jul 2, 2026
Release vite-plus v0.2.2: the Vite+ Beta release.

**Vite+ is now in Beta**: stable and ready for production adoption,
fully open source under MIT. Read the announcement to see what Vite+ is
about and where it is headed: [Announcing Vite+
Beta](https://voidzero.dev/posts/announcing-vite-plus-beta).

On top of the Beta milestone, this release brings cross-version upgrades
via `vp migrate`, an official Docker toolchain image on GHCR,
zero-config runner-aware `vp build` caching, and PGP-verified managed
Node.js downloads.

### Highlights

- **`vp migrate` upgrades existing Vite+ projects across versions**:
previous release notes told users not to run `vp migrate` for upgrades.
It now runs from the global CLI when the local one is older, re-pins
`vite-plus` and the `vite` -> `@voidzero-dev/vite-plus-core` alias
across dependencies, overrides/resolutions, and catalogs in every
workspace package, aligns `vitest` / `@vitest/*` by actual usage, and
defaults to a version-only upgrade (pass `--full` to also run the
first-time setup bucket: hooks, editor, agent files, lint migration)
([#1891](#1891)), by
@fengmk2
- **Official Vite+ Docker toolchain image**:
`ghcr.io/voidzero-dev/vite-plus` bundles `vp` plus a native build
toolchain on `debian:bookworm-slim` (amd64/arm64, non-root). Since `vp`
provisions the exact Node.js from `.node-version`, one image builds any
project, and a documented multi-stage build copies the resolved Node.js
into a small vp-free runtime stage
([#1944](#1944)), by
@fengmk2
- **Zero-config `vp build` caching via runner-aware Vite**: Vite reports
its inputs, outputs, and tracked env reads to the `vp` runner over the
new `@voidzero-dev/vite-task-client` IPC
([vite#22453](vitejs/vite#22453)), so `vp build`
caches correctly with no hand-written cache config: outputs are tracked
and restored automatically, and a changed `VITE_*` env var invalidates
the cache and is named in the cache-miss message
([#1774](#1774)), by
@wan9chi
- **PGP-verified Node.js downloads**: installing a managed Node.js now
verifies the release's clearsigned `SHASUMS256.txt.asc` against the
vendored Node.js release keyring (pure Rust, no `gpg` required) before
trusting any checksum, so a tampered archive is rejected before install;
unsigned sources (musl builds, custom mirrors) fall back to
checksum-only verification
([#1848](#1848)), by
@fengmk2

### Features

- `vp check`: a `check` block in `vite.config.ts` (`check.fmt` /
`check.lint`) can make plain `vp check` skip formatting or linting by
default, mirroring `--no-fmt` / `--no-lint`; standalone `vp fmt` / `vp
lint` and git hooks are unaffected, and a `note:` line keeps the
config-based skip discoverable
([#1981](#1981)), by
@fengmk2
- `vp env list-remote`: highlight installed versions (color, or a `*`
prefix when piped) and label the project-resolved `current` and global
`default` versions; `--json` gains `installed` / `current` / `default`
fields ([#1907](#1907)),
by @semimikoh
- `vpr` ships as a `vite-plus` package bin, so the `vp run` shorthand
works on clean installs without global PATH shims (Vercel build image,
generic CI runners)
([#1988](#1988)), by
@kvnwolf
- Vite Task: `dependsOn` can select tasks from dependency packages, e.g.
`dependsOn: [{ "task": "build", "from": "dependencies" }]`
([vite-task#479](voidzero-dev/vite-task#479)),
by @wan9chi
- Vite Task: a task's `env` / `untrackedEnv` glob patterns support `!`
negation (e.g. `["VITE_*", "!VITE_SECRET"]`)
([vite-task#425](voidzero-dev/vite-task#425)),
and an env-caused cache miss now names the variable inline, e.g. `cache
miss: env 'NODE_ENV' changed`
([vite-task#438](voidzero-dev/vite-task#438)),
by @wan9chi
- Upgrade upstream dependencies: vite `8.0.16 -> 8.1.2`, rolldown `1.1.1
-> 1.1.4`, oxlint `1.70.0 -> 1.72.0`, oxfmt `0.55.0 -> 0.57.0`,
oxlint-tsgolint `0.23.0 -> 0.24.0`, and the oxc toolchain `0.136.0 ->
0.138.0` ([#1924](#1924),
[#1989](#1989),
[#2000](#2000),
[#2009](#2009)), by
@voidzero-guard[bot]

### Fixes & Enhancements

- Windows: `vp run` no longer hangs CI when a `node_modules/.bin` `.cmd`
shim is routed through PowerShell; the npm/pnpm/yarn `.ps1` wrappers
read stdin and block forever on a non-TTY pipe, so the PowerShell
rewrite is now skipped when stdin is not an interactive terminal
([vite-task#491](voidzero-dev/vite-task#491),
via [#1973](#1973)), by
@fengmk2
- Vite Task: the task cache is stored in a per-schema-version directory
(e.g. `node_modules/.vite/task-cache/v13/`), so switching between
branches that pin different Vite+ versions no longer fails with
`Unrecognized database version`
([vite-task#433](voidzero-dev/vite-task#433)),
by @fengmk2
- Vite Task: env values in cache fingerprints are stored only as SHA-256
digests and env cache-miss details report names without values
([vite-task#455](voidzero-dev/vite-task#455));
prefix env assignments like `PATH=... command` now affect executable
lookup during planning
([vite-task#440](voidzero-dev/vite-task#440));
`package.json` / `pnpm-workspace.yaml` files with a UTF-8 BOM parse
correctly
([vite-task#424](voidzero-dev/vite-task#424)),
by @wan9chi
- `vp upgrade`: run the pinned pnpm with a managed Node.js LTS directly
instead of re-entering `vp install`, so an incompatible
session/project/system runtime can no longer make pnpm skip optional
native binaries and leave the upgraded CLI broken
([#1900](#1900)), by
@liangmiQwQ
- Global package installs: each install writes to an immutable
`packages/<name>#<uuid>` prefix that is activated via metadata after npm
succeeds, so an interrupted reinstall can no longer leave the active
package unavailable
([#1906](#1906)), and
stale interrupted-install directories are swept with file-lock
protection for concurrent installs
([#1945](#1945)), by
@liangmiQwQ
- `lazyPlugins()`: skip plugin factories only while config metadata is
being resolved instead of keying off `VP_COMMAND`, so builds spawned
under `vp run` / `vp exec` keep the user's plugins and `vp format` no
longer loads them
([#1939](#1939)), by
@fengmk2
- `vp migrate` (pnpm): add a direct `vite` devDep aliased to the core
override wherever `vite-plus` is depended on, so vitest's `vite` peer
binds to `@voidzero-dev/vite-plus-core` instead of pulling in a second
upstream vite that broke the `vp test` cache
([#1933](#1933)), by
@fengmk2
- `vp pack`: bundle `@tsdown/exe` and `@tsdown/css` into core so `--exe`
and CSS bundling work without a resolvable top-level `tsdown`; the
native `lightningcss` becomes an optional peer loaded lazily with an
actionable error
([#1919](#1919)), by
@fengmk2
- `vp env`: invalidate stale shim resolve cache entries when the
project's Node.js version source changes
([#1951](#1951)), by
@jong-kyung
- Node shim: when the project declares npm via `packageManager` /
`devEngines.packageManager`, child processes spawned from `node` resolve
the managed npm instead of the Node-bundled one
([#1938](#1938)); `vp env
which` reports bins linked by an intercepted `npm install -g` (e.g.
`tsc`) instead of "not found"
([#1968](#1968)); bins
with uppercase names (e.g. `vitePlus`) dispatch correctly
([#1963](#1963)), by
@liangmiQwQ
- `vp-setup`: pass the configured npm registry to the inner pnpm install
so setup works behind custom registries
([#1795](#1795)), by
@daflyinbed
- Native binding: declare the platform packages' true ABI floor
`engines.node >=20.0.0` so engine-strict package managers (pnpm) no
longer skip the optional native dependency and fail with `Cannot find
native binding` when a consumer's Node floor lands in a product-policy
gap ([#1993](#1993)), by
@fengmk2
- `vp create`: run `git init` without creating an initial commit, so
commitlint-configured templates no longer reject the hardcoded message
and template placeholders are not baked into history
([#2008](#2008)), by
@forehalo
- `vp staged --debug`: inline the bundled lint-staged version so debug
logging no longer crashes reading a `package.json` that does not exist
in the bundle
([#1925](#1925)), by
@rokuosan
- Installer: retry downloads truncated mid-body in
`HttpClient::get_bytes` (the platform-tarball path for `vp upgrade` and
the standalone installer)
([#1940](#1940)), and
clean up the temp dir when a package-manager install fails instead of
leaking `.tmpXXXX` directories
([#1949](#1949)), by
@shulaoda
- Windows/msys: normalize backslashes in the `env.fish` fallback path
([#1954](#1954)), by
@Aalivexy
- `install.ps1`: detect the missing VC++ runtime (`0xC0000135`) and
print VC++ Redistributable guidance instead of a generic failure;
interactive `irm | iex` installs keep the shell open
([#1962](#1962)), by
@cheezone
- `vp migrate`: preserve comments, key order, and trailing commas in
existing `.vscode` / `.zed` JSONC configs by patching the original text
instead of re-serializing it
([#1956](#1956)), by
@fengmk2
- Migration: link the git hook warning to the migration guide
([#1902](#1902)), by
@naokihaba
- `vp info` / `vp view`: use package-manager-native commands (`pnpm
view`, `bun info`, `yarn npm info`) instead of routing every lookup
through `npm view`
([#1895](#1895)), by
@jong-kyung
- Correct overused `ErrorConfig` error types across the codebase
([#1934](#1934)), by
@liangmiQwQ

### Refactor

- `vite_install`: centralize Yarn v1/berry branching with
`is_yarn_berry`
([#1897](#1897)), by
@jong-kyung

### Docs

- Document Vite Task automatic tracking (fs tracking and cache-reporting
tools), reusing the task cache with GitHub Actions cache, and
`dependsOn: [{ task, from: "dependencies" }]`
([#1992](#1992)), by
@wan9chi
- Rewrite the "Upgrading Vite+" guide: preview builds install through
the registry bridge as ordinary `0.0.0-commit.<sha>` npm versions, and
`vp migrate` is the recommended way to upgrade a project or move it onto
a preview build
([#1965](#1965)), by
@fengmk2
- Describe how to switch back to the release version from nightly
([#1887](#1887)), by
@situ2001
- Clarify Git hook tool migration
([#1901](#1901)), by
@naokihaba
- Add a global installation explanation
([#1915](#1915)), update
the `vp env` help output
([#1969](#1969)), and add
liangmiQwQ as a team member
([#1911](#1911)), by
@liangmiQwQ
- Fix package manager command examples
([#1937](#1937)) and the
`dependsOn` guide link
([#1883](#1883)), by
@jong-kyung
- Remove Fathom analytics from the uninstall docs
([#1946](#1946)), by
@mdong1909
- Center the README logo and fix its size
([#1878](#1878)), by @hyf0

### Chore

- Prevent Vite beta upgrades in the upstream-deps script
([#1879](#1879)),
stabilize flaky network-dependent tests
([#1923](#1923)), and bump
the ecosystem-ci bun-vite-template to the oxlint jsx-a11y fix
([#1898](#1898)), by
@fengmk2
- Pin snap-test install fixtures to a published `vite-plus` version so
release-branch CI can pass before the new version is published
([#2017](#2017)), by
@fengmk2
- Update the deprecated `VITE_PLUS_` env var prefixes to `VP_` in the
RFCs ([#1984](#1984)), by
@liangmiQwQ
- CI: skip full CI for docs-only PRs
([#1991](#1991)) and for
the docs deploy config
([#2015](#2015)), by
@wan9chi
- Update GitHub Actions
([#1904](#1904),
[#1977](#1977)),
claude-code-action to v1.0.158
([#1979](#1979)), and pnpm
to v10.34.4
([#1996](#1996)), by
@renovate[bot]
- Update oxc-project/security-action to v1.0.8
([#1918](#1918)), by
@fengmk2
- Refresh trusted stack stats on the docs homepage
([#1913](#1913),
[#1982](#1982)), by
@voidzero-guard[bot]

### Bundled Versions

| Tool | Version | Source |
| --- | --- | --- |
| vite | `8.1.2` |
[`ba31193`](vitejs/vite@ba31193)
|
| rolldown | `1.1.4` |
[`6cbd233`](rolldown/rolldown@6cbd233)
|
| tsdown | `0.22.3` | [npm](https://npmx.dev/package/tsdown/v/0.22.3) |
| vitest | `4.1.9` | [npm](https://npmx.dev/package/vitest/v/4.1.9) |
| oxlint | `1.72.0` | [npm](https://npmx.dev/package/oxlint/v/1.72.0) |
| oxlint-tsgolint | `0.24.0` |
[npm](https://npmx.dev/package/oxlint-tsgolint/v/0.24.0) |
| oxfmt | `0.57.0` | [npm](https://npmx.dev/package/oxfmt/v/0.57.0) |

### Upgrade

```bash
vp upgrade
```

New to Vite+? Start with the [Beta
announcement](https://voidzero.dev/posts/announcing-vite-plus-beta),
then create a project with `vp create` or bring an existing one over
with `vp migrate`.

### New Contributors

Welcome to our new contributors @rokuosan, @Aalivexy, @cheezone,
@daflyinbed, @forehalo, @kvnwolf! 🎉

**Full Changelog**:
v0.2.1...v0.2.2

---

Merging this PR will trigger the release workflow.

---------

Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant